But mommy, I just wanted to play with my Pi…
Stupid is bash, stupid does
The ‘malware’ is really nothing more than a fishing expedition gone greedy. When you buy a new Raspberry Pi, it usually comes with Raspbian Linux on it. The default user is called ‘pi’, and guess what Einstein, the default password is ‘raspberry’. Can you guess what’s coming next?
By the sounds of it, the pimply faced bedroom-based teenager who probably wrote this thing is laughing all the way to the bank. The bank of Monero, that is. Like Bitcoin before it, it’s another cryptocurrency which you can use to buy nefarious items on the dark web, or perhaps ride the new electronic stock exchanges. Whatever the goal, the author of this ditty wrote the script in Bash. Yes, bash.
How do I make it stop?
Here’s what you need to know:
- Change your default password. But seriously, you did that when you first got your Pi, right? Right?
- Disable forwarding of port 22 (SSH) to your Pi on your router unless you have a really good reason to expose SSH on your Pi to the Internet.
- If you do open SSH, make sure to use something like fail2ban to block script kiddies’ repeated login attempts.
- If you have already succumbed to the nasty, the script replaces the ‘pi’ user’s password with one whose SHA-512 crypt hash is ‘\$6\$U1Nu9qCp\$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1’. Very memorable, enjoy logging in with that!
- Next, it installs zmap and scans big chunks of the Internet for other unsuspecting victims who are also using the default password. Using sshpass, it then infects them with the malware too, and so it goes on.
- If you find yourself with a compromised Raspberry, then take your thumb out and wipe that dirty thing down (not with tissues, reinstalling Raspbian cleanly on your SD card will do just fine).
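As an added example (not the post’s own code, and not the malware’s), here is a small shell triage script a Pi owner can run against their own box: it reads a shadow-format file and reports whether the ‘pi’ account still has the default password, carries the hash quoted above, or is locked, and it looks for the zmap/sshpass tooling the post mentions. It assumes a shadow file and a PATH-style directory list as inputs and `openssl passwd -6` for the default-password check; the sample files it builds are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example, not code from the original post. Inputs: a shadow-format
# file and a PATH-style directory list; the hash is the one quoted above;
# 'openssl passwd -6' (OpenSSL 1.1.1+) is used for the default-password test.
set -e

MALWARE_HASH='$6$U1Nu9qCp$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1'

# pi_shadow_status SHADOWFILE -> prints one of: missing | locked | malware
# (hash above) | default ('raspberry' still verifies) | other | unchecked
pi_shadow_status() {
    hash=$(awk -F: '$1 == "pi" { print $2 }' "$1")
    case "$hash" in
        '')              echo missing; return ;;
        "$MALWARE_HASH") echo malware; return ;;
        '*' | '!'*)      echo locked;  return ;;
        '$6$'*)          ;;   # sha512-crypt: $6$<salt>$<digest>, checked below
        *)               echo other;   return ;;
    esac
    rest=${hash#\$6\$}; salt=${rest%%\$*}
    expected=$(openssl passwd -6 -salt "$salt" raspberry 2>/dev/null) \
        || { echo unchecked; return; }
    [ "$expected" = "$hash" ] && echo default || echo other
}

# spread_tools_present DIRLIST -> 0 if zmap or sshpass is executable in any dir
spread_tools_present() (
    IFS=:
    for d in $1; do
        [ -x "$d/zmap" ] || [ -x "$d/sshpass" ] && return 0
    done
    return 1
)

# make_samples DIR: constructed sample files for a dry run (not a real system)
make_samples() {
    printf 'pi:%s:17600:0:99999:7:::\n' "$MALWARE_HASH" > "$1/shadow.infected"
    printf 'pi:$6$U1Nu9qCp$changedbyowner:17600:0:99999:7:::\n' > "$1/shadow.changed"
    printf 'root:*:17600:0:99999:7:::\n' > "$1/shadow.nopi"
    mkdir -p "$1/bin" && : > "$1/bin/sshpass" && chmod +x "$1/bin/sshpass"
}

tmp=$(mktemp -d); make_samples "$tmp"
for f in infected changed nopi; do
    echo "$f: pi account is $(pi_shadow_status "$tmp/shadow.$f")"
done
spread_tools_present "$tmp/bin" && echo "zmap/sshpass found under $tmp/bin"
rm -rf "$tmp"
```

On a real Pi, run `pi_shadow_status /etc/shadow` as root and `spread_tools_present "$PATH"`; anything other than `other`/`unchecked` and a silent tools check deserves a look.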
The official Raspberry Pi Magazine warned that there could still be millions of Raspberry Pi boards that haven’t been updated: some 12.5 million Pis have been sold over the past five years. Raspberry Pi systems have recently shipped with SSH disabled, but that doesn’t help the vast majority of the devices already out there.
Ready, steady, change that password 🙂