For months, a silent ghost has been wreaking havoc among China's Bitcoin mines. A mysterious hacker implanted a virus into the mining machine to extort ransom from the miners. But the ransom was just a cover, and the hacker's real purpose was to rob the mining machine of its computing power. A mining farm with 4,000 mining machines can bring hackers a profit of 2,400 yuan in just one hour. The source of the virus was pointed to a mining firmware released by an anonymous person. The miners who downloaded the firmware were unaware of this and even spread the virus again. The virus invasion incident exposed the safety risks of many mines. This virus has spawned multiple variants. The crisis in the mines is still ongoing.

01 Poisoning

The mining machine ransomware virus is not new to miners. This time, the mining farm of miner cC was hit.

On the evening of January 5, the Bitmain mining machine management interface of the cC mining farm suddenly turned into a green picture. In the middle of the picture was an ant, with a mining pickaxe on each side.

hAnt virus / Photo taken by the interviewee

The virus is called hAnt. Obviously, its target is Bitmain's Antminer. Click on this green picture to see the hacker's message. The hacker told the miners in both Chinese and English that there are only two ways to avoid being attacked: one is to spread the virus to at least 1,000 machines in other mining farms in the form of firmware patches; the other is to pay the hacker 10 bitcoins.

Hacker message / Picture taken by the interviewee

The hacker threatened that if this was not done, he would turn off the Antminer's fan and overheating protection, "burning your miner or even your house."

But in reality, I am afraid that no miner will really give coins to hackers - this kind of virus problem is not difficult to solve.

"The first solution is to flash the SD card of the mining machine, that is, the firmware."
cC told a blockchain reporter that this is equivalent to replacing a new operating software for the mining machine. This is the most direct way to solve the problem. But it takes a lot of time to flash the machines one by one. It took him four days to flash all the SD cards of his Antminer. During the period when the mine was paralyzed, he lost tens of thousands of yuan.

According to cC's analysis, the reason why the mining machine was infected was probably because the customer's mining machine had been used in other mining farms and had been flashed with a firmware containing a virus.

If flashing the SD card doesn't work, he has other options: replace the byte library of the mining machine, or even the control board. "If that doesn't work, just sell the mining machine."

As early as 2013, hackers used viruses to hijack other people's computers for secret mining. However, attacks on large-scale mining machines only began to appear recently. "From August to October 2018, problems began to erupt in a concentrated manner," Yu Yang, COO of Mine Ocean Association, told a blockchain reporter.

Miner Wang Zhao said that he had seen a very powerful mining machine virus that could secretly change the mining addresses of 4,000 mining machines in a mining farm to the mining addresses of hackers in the middle of the night. In one hour, this mining farm can earn hackers 2,400 yuan. In one day, that's 57,600 yuan. Due to the huge profit margins, "virus mining" targeting mining farms may exist for a long time.

02 The root of evil

"We have been tracking this virus for some time." When talking about the virus in the cC mining farm, Jiang Zhuoer, founder of Litecoin Mining Pool, told a blockchain reporter. According to the data Jiang Zhuoer has, currently, Ant Bitcoin mining machines S9, T9, and even Litecoin mining machine L3+ have records of infection with this virus.

"In the mining industry, the Avalon mining machine needs to be controlled by a 'Raspberry Pi'.
The latter is essentially a microcomputer with a Linux system." Jiang Zhuoer said, "The Antminer has a built-in control board, which is equivalent to an integrated Linux system, which provides an opportunity for viruses to take advantage of it." Therefore, Antminers, like home and commercial computers, are susceptible to virus attacks.

Where do these viruses come from? Jiang Zhuoer and Yu Yang both believe that the source of the virus is most likely from a mining machine overclocking firmware released by an anonymous person.

The term "overclocking" first appeared in the mouths of hardcore computer players. "There is an important indicator of the chip, called the main frequency. For chips of the same process, the higher the main frequency, the better the performance." Gamer Wang Shuo said that under normal circumstances, manufacturers will set an upper limit for the main frequency of the chip. Players use technical means to break this limit, which is called "overclocking."

However, most manufacturers are against users overclocking their chips. "It's like an athlete taking stimulants. Although the performance improves, the side effects are also terrible," said Wang Shuo.

Specifically for mining machines, overclocking can increase the computing power of mining machines. Taking Antminer S9 as an example, flashing overclocked firmware can increase the computing power of S9 from 13.5T to 18T, a computing power increase of 33.33%. Therefore, it is very common for miners to flash overclocked firmware. But at the same time, the power consumption of the mining machine will also increase significantly, the burden on the mining machine power supply and cooling system will increase, and the life of the mining machine chip will be shortened.

"So most mining machine manufacturers do not encourage overclocking." cC said, "The overclocking firmware on the Internet is all developed by 'civilian experts'."
This gives hackers an opening: firmware is a program written into the hardware, which is lower-level than the operating system. If the firmware is "virus-infected", hackers can do whatever they want to the mining machine.

This virus is highly contagious. "It may have started with one or more mining machines that were flashed with virus-infected overclocking firmware. When they were hosted in different mining farms, the virus quickly infiltrated each mining farm," said Yu Yang. "As long as one mining machine with the virus entered the mining farm, the machines in the entire mining farm would be infected within a few minutes." Yu Yang said that the publishers of these viruses are generally abroad, mostly in Eastern Europe.

Careless miners can also leave loopholes for viruses to invade. "Miners and routers have default passwords when they leave the factory. If miners do not change the default passwords, these mining machines are like running naked in front of viruses," said Jiang Zhuoer.

Not using third-party firmware from unknown sources and regularly changing the login passwords of routers and mining machines may be the best way for miners to prevent virus intrusion.

"It's not just about changing the password. Many mining farms now use a large number of second-hand mining machines. Some mine owners are eager to make a profit, so they put the mining machines directly on the shelves without checking for viruses or reflashing them. This may lead to the spread of mining machine viruses." Feng Chong, operations manager of the CoinIn mining pool, told a blockchain reporter.

Feng Chong believes that if a mining machine is found to be infected with a virus, the source of infection must be identified first, and then the mining machine must be separated as quickly as possible using the network segment or power supply, and then divided into groups for virus disinfection or flashing.
03 Offensive and defensive battle

"This time, most of the mining machines did not break out immediately after being infected, but continued to spread the virus secretly. Hackers controlled the outbreak time of the virus to a certain extent according to certain strategies." In Jiang Zhuoer's opinion, the mastermind behind this incident is very cunning.

He said that from a technical analysis point of view, the developer of the virus should not be Chinese, but the main distribution channel of this overclocking firmware is Baidu Netdisk in China. "This means there are two possibilities: one is that hackers did it deliberately and specifically targeted China where mining farms are concentrated; the other is that Chinese miners inadvertently helped spread the virus before discovering that the overclocking firmware was infected," said Jiang Zhuoer.

What Jiang Zhuoer finds most amazing is that the virus is constantly evolving and has now evolved into multiple versions: "The new version of the virus can even monitor the process of miners changing their passwords and record the new passwords." This means that if the miners fail to completely clean the virus, the virus can still come back even if the default password of the mining machine is changed.

The offensive and defensive battle between miners and hackers is still going on, but the hackers hiding in the dark are obviously more proactive. What makes miners angry the most is that hackers choose the time to attack, such as secretly switching accounts in the middle of the night. Some hackers only target some mining machines and steal computing power for only a few hours a day, making it difficult for people to detect.

After the emergence of "virus mining", new business opportunities also emerged - many sellers of mining farm management software began to use "anti-virus" as a promotional slogan.

Miner Wang Zhao is also developing mining farm management software.
He claims to have developed the industry's only management software for ASIC mining machines, which can automatically detect the operating status of mining machines and manage mining machines in batches. "Once a mining machine has abnormal computing power, the miners will be notified immediately." Wang Zhao said, "There are already 70,000 to 80,000 mining machines using our software."

However, mining machine management software cannot guarantee the absolute safety of mining machines and may even become a new attack point for hackers. A senior person in the mining circle revealed to a blockchain reporter that in 2017, a large mining group was hit by a "targeted attack" by hackers. The hackers' entry point at the time was the mining machine management software independently developed by the group. "This may be the largest hacker attack in the history of the mining circle, and the total computing power of Bitcoin has dropped by 3% as a result," he said.

Hackers lurking in the dark have made Bitcoin players worried. Some even worry that the Bitcoin network will collapse completely due to a sudden attack by hackers. "It is very unlikely that this will happen. Right now, Bitcoin's computing power is still very dispersed, and there are a large number of mining farms. It is already very difficult for hackers to figure out the network location of the mining farms," said Jiang Zhuoer.

Despite the tricks of hackers, the decentralized structure of Bitcoin has enabled the entire network to establish an unshakable stability. The virus may not destroy Bitcoin, but for miners, the infection of a large number of mining machines is still a headache. The real loophole of a system is always people. Only by preventing small loopholes from happening can miners protect the safety of mining machines.

*Some of the interviewees in this article are pseudonyms.
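
The night-time account switching described above lasts only a few hours, so a once-a-day check of pool settings can miss it. The following is an added example, not code from the article or from any management software it mentions: it scans periodic configuration polls for machines whose pool or account left the farm's baseline and prices the diverted time at the article's rate of 2,400 yuan per hour for 4,000 machines. Pool URLs, account names, machine IDs and poll times are constructed, and how the polls are collected is outside the example.

```python
from collections import defaultdict
from datetime import datetime

# From the article: 4,000 machines earn the attacker 2,400 yuan per hour.
YUAN_PER_MACHINE_HOUR = 2400 / 4000
# Constructed baseline: the pool and account every machine should mine to.
EXPECTED_POOL = "stratum+tcp://pool.example.invalid:3333"
EXPECTED_ACCOUNT = "farm01"
OTHER_POOL = "stratum+tcp://unknown.example.invalid:3333"
# Constructed hourly polls: (time, machine, configured pool, worker name).
SNAPSHOTS = [
    ("2019-01-07 00:00", "s9-001", EXPECTED_POOL, "farm01.001"),
    ("2019-01-07 01:00", "s9-001", OTHER_POOL, "acct9.001"),
    ("2019-01-07 02:00", "s9-001", OTHER_POOL, "acct9.001"),
    ("2019-01-07 03:00", "s9-001", OTHER_POOL, "acct9.001"),
    ("2019-01-07 04:00", "s9-001", EXPECTED_POOL, "farm01.001"),
    ("2019-01-07 02:00", "s9-002", EXPECTED_POOL, "farm01.002"),
    ("2019-01-07 02:00", "s9-003", EXPECTED_POOL, "acct9.003"),  # same pool, other account
    ("2019-01-07 03:00", "s9-003", EXPECTED_POOL, "farm01.003"),
]

def in_policy(pool, worker):
    return pool == EXPECTED_POOL and worker.split(".")[0] == EXPECTED_ACCOUNT

def find_diversions(snapshots, poll_minutes=60):
    """Map machine -> [(first_bad_poll, last_bad_poll, minutes)] per out-of-policy run."""
    polls = defaultdict(list)
    for ts, machine, pool, worker in snapshots:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        polls[machine].append((when, in_policy(pool, worker)))
    report = {}
    for machine, rows in polls.items():
        runs, start, last = [], None, None
        for when, ok in sorted(rows) + [(None, True)]:  # sentinel closes an open run
            if not ok:
                start, last = start or when, when
            elif start:
                minutes = int((last - start).total_seconds() // 60) + poll_minutes
                runs.append((start, last, minutes))
                start = None
        if runs:
            report[machine] = runs
    return report

def estimated_diverted_yuan(report):
    """Diverted machine-hours priced at the article's per-machine rate."""
    minutes = sum(m for runs in report.values() for _, _, m in runs)
    return round(minutes / 60 * YUAN_PER_MACHINE_HOUR, 2)
```

Each out-of-policy poll is counted as one full polling interval, so the minutes are an estimate whose precision depends on how often the machines are polled.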