'Claymore Miner' ETH Mining Software Vulnerable To Botnet Hijacking

In a blog post, security research firm Netlab 360 revealed that it discovered a new variant of the Satori botnet. Beyond trying to spread itself, the new variant, which Netlab has named Satori.Coin.Robber, also hunts for machines running a popular closed-source crypto-mining client called Claymore Miner. The botnet exploits a newly discovered vulnerability in the mining software to change the target mining pool and payout wallet. The result is that an exploited mining machine is quietly switched over to mine for someone else, while its owner pays for the hardware and electricity.

Netlab did not disclose the details of how the exploit works, presumably so the developers of Claymore Miner can patch it. Netlab explained only that the infected botnet machines deliver the exploit through port 3333, the port Claymore Miner uses for its remote monitoring and management service. According to Netlab, the attacker's mining pool account is currently active and has already been paid around 2 ETH.

The Satori botnet had a brief life during the 2017 holiday season before it was shut down. That botnet spread itself on ports 37215 and 52869 by exploiting vulnerabilities in Huawei modems and Realtek router chips. Satori.Coin.Robber spreads itself the same way, but because those exploits have since been patched there are fewer vulnerable devices, so it is spreading more slowly than its predecessor. To be clear, the Satori.Coin.Robber botnet doesn't spread to the machines that run Claymore Miner; it attacks them from the compromised devices that make up the botnet. The botnet spreads only so that it can grow its base of attack.

If you're using Claymore Miner, consider changing to a different mining client at least until it's patched. At the very least, check that your miner's pool and wallet haven't been secretly changed, and make sure port 3333 is not reachable from the internet. We haven't found anything indicating whether or not the exploit has been fixed, so be on the lookout for a new version.
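One way to do the check the paragraph above recommends, as an added example that is not code from this article, from Netlab, or from the Claymore project: query the miner's monitoring port with the `miner_getstat1` method that EthMan-style tools use and compare the pool the miner reports against an allowlist, then audit the launch arguments for the wallet, the pool and the management-port settings. The `miner_getstat1` result layout (pool string at index 7), the `-ewal`, `-epool`, `-mport` and `-mpsw` flag names, and the read-only `-mport -3333` form are taken from the miner's documentation as I recall it and are assumptions to verify against your own version; the sample replies, pool and wallet values are constructed.

```python
"""Added example, not the article's or Claymore's code: audit a Claymore miner
for a hijacked pool/wallet and for a writable remote-management port.

Assumptions (verify against your miner's own readme):
  * the JSON API on port 3333 answers `miner_getstat1` with a "result" array
    whose index 7 is the current pool(s) as "pool1;pool2";
  * the miner takes -ewal (wallet), -epool (pool), -mport (management port,
    negative = read-only, 0 = off) and -mpsw (management password).
"""
import json
import socket

EXPECTED_POOLS = {"eu1.ethermine.org:4444"}   # constructed: your own pool(s)
EXPECTED_WALLET = "0x" + "ab" * 20            # constructed placeholder wallet

# Constructed sample replies in the assumed miner_getstat1 layout.
SAMPLE_STAT_OK = json.dumps({"id": 0, "result": [
    "10.5 - ETH", "123", "91234;55;1", "30411;30411;30412",
    "0;0;0", "off;off;off", "61;70;59;68;58;66",
    "eu1.ethermine.org:4444", "0;1;0;0"]})
SAMPLE_STAT_HIJACKED = json.dumps({"id": 0, "result": [
    "10.5 - ETH", "123", "91234;55;1", "30411;30411;30412",
    "0;0;0", "off;off;off", "61;70;59;68;58;66",
    "203.0.113.7:8008", "0;1;0;0"]})          # constructed attacker pool


def pools_from_stat(reply_json):
    """Return the set of pool host:port strings from a miner_getstat1 reply."""
    result = json.loads(reply_json)["result"]
    return {p for p in result[7].split(";") if p}


def unexpected_pools(reply_json, expected=EXPECTED_POOLS):
    """Pools the miner reports that are not on the allowlist (empty == clean)."""
    return pools_from_stat(reply_json) - set(expected)


def check_cmdline(args, expected_wallet=EXPECTED_WALLET, expected=EXPECTED_POOLS):
    """Audit the miner's launch arguments (a list of strings).

    Findings: wrong wallet, pool not on the allowlist, management port left
    writable (positive -mport, the assumed default of 3333), or management
    port enabled without a -mpsw password.
    """
    findings = []
    opts = {}
    for i, a in enumerate(args):
        if a.startswith("-") and i + 1 < len(args):
            opts[a] = args[i + 1]
    if opts.get("-ewal", "").lower() != expected_wallet.lower():
        findings.append(f"wallet is {opts.get('-ewal')!r}, expected {expected_wallet!r}")
    if opts.get("-epool") and opts["-epool"] not in expected:
        findings.append(f"pool is {opts['-epool']!r}, not on the allowlist")
    mport = int(opts.get("-mport", "3333"))   # assumed default: 3333, writable
    if mport > 0:
        findings.append(f"-mport {mport}: remote management enabled; "
                        f"use -mport -{mport} (read-only) or -mport 0")
    if mport != 0 and "-mpsw" not in opts:
        findings.append("management port enabled without a -mpsw password")
    return findings


def query_miner(host="127.0.0.1", port=3333, timeout=3.0):
    """Live check (not exercised offline): fetch the raw miner_getstat1 reply."""
    req = json.dumps({"id": 0, "jsonrpc": "2.0", "method": "miner_getstat1"}) + "\n"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req.encode())
        data = b""
        while not data.endswith(b"\n"):
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.decode()


if __name__ == "__main__":
    print("clean sample   ->", unexpected_pools(SAMPLE_STAT_OK))
    print("hijacked sample->", unexpected_pools(SAMPLE_STAT_HIJACKED))
    print(check_cmdline(["-epool", "eu1.ethermine.org:4444",
                         "-ewal", EXPECTED_WALLET, "-mport", "3333"]))
    # For a running miner: unexpected_pools(query_miner("192.0.2.10", 3333))
```

Run the live query from a monitoring host on the mining LAN, never by opening 3333 to the internet; the `check_cmdline` audit is the part worth scheduling, since a hijack that swaps the pool will show up there and in the `miner_getstat1` pool field before the pool's own offline alert fires.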

  • ammaross
    Don't open port 3333 to the internet and no worries. Nothing to see here.
    Reply
  • MikeTheMic
    Etherminer notifies you if a miner is offline for a half hour. It wouldn't take long to realize you're infected.
    Reply
  • ammaross
    20608887 said:
    Etherminer notifies you if a miner is offline for a half hour. It wouldn't take long to realize you're infected.

    Yep. And a lot of pools can notify you if you're offline for even 10min. Pretty much a non-issue unless you don't know how to manage a computer and break several best-practices.
    Reply
  • unsivilaudio
    Um Claymore isn't "closed source". You can compile it from the same github you download it from. *facepalm*
    Reply
  • ammaross
    20612992 said:
    Um Claymore isn't "closed source". You can compile it from the same github you download it from. *facepalm*

    Last I checked, they did a delayed release. Claymore is on 10.5 right now, but the github only has source for 10.0. But you're right, they do eventually open the source.
    Reply