Chinese Deep Web Site Explains How To Hijack Mining Profits

By Ian Demartino
Updated 22 May 2020

A Chinese-language hacking blog on the deep web has described a technique that could, in theory, reroute mining rewards to the attacker’s account.

The post was found on a Chinese-language hacking blog linked from a popular deep web wiki/site list. It describes a technique in which the attacker uses already installed viruses and trojans, together with man-in-the-middle attacks, to reroute a miner’s packet data to a different pool. The post claims there would be little to no evidence on the mining machine that anything had gone wrong.

While we have not confirmed that this potential malware is in the wild, or has even been developed beyond the concept stage, it is not hard to imagine how damaging its effects could be. Since the attacker would have complete control of the packet data, the negative effects of this malware could be hard to detect. The attacker could keep passing some rewards on to the miners while retaining a share. A drop in production would be hard to notice, because mining success depends largely on luck. Over time, a miner could become suspicious after consistently low returns for the rig’s stated hashing power, but by then the attacker would already have gotten away with some bitcoin.

Potentially, it could bleed a massive mining operation dry, eating into the already razor-thin profit margins of mining.
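As an added defensive illustration (not part of the article or the quoted post), the script below applies the point made above: a proxy that diverts a steady fraction of shares hides inside the luck of any single short window, but becomes a statistically impossible deficit once the shares the pool actually credited are compared, over several hours, with what the rig’s rated hashrate should produce. It assumes Bitcoin share mechanics (a share of difficulty d is expected every d·2^32 hashes) and uses constructed sample counts.

```python
import math

# Bitcoin: a difficulty-1 share takes 2**32 hashes on average, so a share of
# difficulty d is expected every d * 2**32 hashes (assumption stated in lead-in).
HASHES_PER_DIFF1_SHARE = 2 ** 32


def expected_shares(hashrate_hs, share_difficulty, seconds):
    """Shares a rig of the given hashrate should earn at the pool in `seconds`."""
    return hashrate_hs * seconds / (share_difficulty * HASHES_PER_DIFF1_SHARE)


def poisson_lower_tail(k, lam):
    """P(X <= k) for X ~ Poisson(lam). Share arrivals are Poisson; that is the
    'luck' which hides a small, steady deficit in any single short window."""
    if lam <= 0:
        return 1.0
    # Sum terms in log space so a large lambda does not overflow exp()/factorial.
    return min(1.0, sum(math.exp(i * math.log(lam) - lam - math.lgamma(i + 1))
                        for i in range(int(k) + 1)))


def skim_check(hashrate_hs, share_difficulty, windows, alarm_p=1e-6):
    """windows: list of (seconds, shares the pool credited in that window).
    Returns the pooled expectation, the observed count, the probability of
    seeing that few shares by luck alone, and the implied diverted fraction."""
    expected = sum(expected_shares(hashrate_hs, share_difficulty, s) for s, _ in windows)
    observed = sum(n for _, n in windows)
    p_low = poisson_lower_tail(observed, expected)
    skim = 1.0 - observed / expected if expected else 0.0
    return {"expected": expected, "observed": observed,
            "p_low": p_low, "estimated_skim": skim, "alarm": p_low < alarm_p}


# Constructed sample: a 10 TH/s rig at share difficulty 8192, 24 windows of 10 min.
RIG_HASHRATE = 10e12
SHARE_DIFF = 8192
HONEST_WINDOWS = [(600, 169)] * 24   # 4056 shares: within normal variance
SKIMMED_WINDOWS = [(600, 152)] * 24  # 3648 shares: a steady ~10% deficit

if __name__ == "__main__":
    for label, win in (("honest", HONEST_WINDOWS), ("skimmed", SKIMMED_WINDOWS)):
        r = skim_check(RIG_HASHRATE, SHARE_DIFF, win)
        print(f"{label}: expected {r['expected']:.0f}, observed {r['observed']}, "
              f"p_low={r['p_low']:.2e}, skim~{r['estimated_skim']:.1%}, alarm={r['alarm']}")
```

The rig’s own dashboard stays normal in this scenario, so the comparison only works against share counts taken from the pool’s side.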

The attack requires a pre-installed trojan and the ability to modify iptables rules. An attacker with that kind of access could do far more damage than simply rerouting mining profits, but this method is novel in its potential to stay below the radar.

We consulted a few experts, including Bitcoin security consultant and early mining operator Blake Anderson as well as Spencer Liven of Sterlingcoin, about the plausibility of such an attack, and were told that it certainly seems possible. Anderson stated: “The security vulnerability [the post] references [are] Trojans and man in the middle attack[s]. If you assume both of those vulnerabilities, virtually anything becomes possible.”

Below is a Google Translate version of the post, unedited other than the removal of an unimportant introduction. The complete post, including the introduction, follows the Google Translate version; we welcome improved translations from readers.
 

This blog ready to introduce BTC mining machine network packet hijacking, once taken to the mining machine packet, the packet will be able to tamper with the contents of the ore mining machine that points to another pool: all this does not need to modify the mining machine configuration file so the owner of the mining machine mining machine page is not unusual, the only mine operators found Ikegami force reduction.

First, you need to give all network packets mining machine M have been attacked machine A (assume that IP is 2.2.2.2). 1) If the M and A have public network IP, we need to attack the M implanted Trojans; this blog is temporarily not discuss this topic. 2) If the M and A in the same local area network, and A is not a gateway, you need M launch ARP middleman attacks, all of the M packet forwarding via A. 3) If the M and A in the same local area network, and A is a gateway, that network administrators to attack, then this is the most convenient situation, can hijack packets.

The basic idea of hijacking is: First open a mining_proxy on A, ensure mining_proxy properly connected to the mine pool, then the M’s mining request is forwarded to all A’s mining_proxy. Suppose that M’s IP is 2.2.2.100, IP A is 2.2.2.2, the IP gateway G is 2.2.2.1 (ARP middleman attacks after the completion of the gateway IP is not important). Specific steps are as follows:

1) Start mining_proxy on A
mining_proxy -o pool -p port -sh 2.2.2.2 -sp 3333 -oh 2.2.2.2 -gp 3334 -cu user -cp pass
Specific parameters can refer mining_proxy, where stratum agreement listen 3333 port.

2) iptables packet hijacking
Reference iptables process flowchart here. Under normal circumstances, mining packet is taking the rightmost path, that PREROUTING chain -> FORWARD chain -> POSTROUTING chain. Packet hijacking after taking the middle and the left path, which PREROUTING chain -> INPUT chain -> local process handling (ie mining_proxy) -> OUTPUT chain -> POSTROUTING chain.

Firstly PREROUTING chain, modify the destination address for inbound packets:
iptables -t nat -A PREROUTING -m tcp --dport 3333 -j DNAT --to-destination 2.2.2.2:3333
iptables -t nat -A PREROUTING -m tcp --dport 3334 -j DNAT --to-destination 2.2.2.2:3333
Here DNAT 3333 and 3334 the two ports, because most of the mine pool uses these two ports

Then open the firewall on port 3333 A:
iptables -A INPUT -m tcp --dport 3333 -j ACCEPT

Finally POSTROUTING chain, to return data for camouflage:
iptables -t nat -A POSTROUTING -j MASQUERADE
Can not guarantee that mine pool address mining machine M points unchanged (mine chance to change mine pool, pool with a mine have multiple IP), it returns the data can not be used SNAT, only use the MASQUERADE

At this point, the entire process has been completed hijacking. Now you should see the mining_proxy share the information submitted by the mining machine, while mine pointed mining_proxy pool will start to count the force.
 

It is the New Year, so there should be some changes. I thought about it and decided this blog does not need to be confined to a single topic, so this year’s posts will cover a wider range of content; today’s post, for example, is about hacking techniques. I plan to keep this blog running for a long time, so I do not rule out the possibility of sharing content about drugs and weapons in the future once I have come into contact with them. In any case, everything shared on this blog is my personal experience, or at least methods I consider reasonable, so it has a certain feasibility. The disadvantage is that the range of content is limited; you may not find the information you are looking for, such as physical carding information like ATM withdrawals. To friends looking for that kind of information, I can only be honest: this blog probably will not help you much, at least not until I have come into contact with such content myself.

Enough small talk. This post introduces a network packet hijacking technique for BTC mining machines. Once the miner’s packets have been hijacked, their contents can be tampered with to point the miner at a different pool. None of this requires modifying the miner’s configuration file, so the miner’s owner will notice nothing unusual on the miner’s web page and will only see the drop in hashrate on the pool.

First, all of the network packets of the miner M must pass through the attacking machine A (assume its IP is 2.2.2.2). 1) If M and A both have public IPs, M must first be attacked and a trojan implanted; this post does not discuss that topic for now. 2) If M and A are on the same LAN and A is not the gateway, an ARP man-in-the-middle attack against M is needed so that all of M’s packets are forwarded via A. 3) If M and A are on the same LAN and A is the gateway, meaning the network administrator is the attacker, this is the most convenient case and the packets can be hijacked directly.

The basic idea of the hijack is: first start a mining_proxy on A and make sure mining_proxy can connect to the pool normally, then forward all of M’s mining requests to A’s mining_proxy. Assume M’s IP is 2.2.2.100, A’s IP is 2.2.2.2, and the gateway G’s IP is 2.2.2.1 (once the ARP man-in-the-middle attack is complete the gateway IP no longer matters). The specific steps are as follows:

1) Start mining_proxy on A
mining_proxy -o pool -p port -sh 2.2.2.2 -sp 3333 -oh 2.2.2.2 -gp 3334 -cu user -cp pass
For the specific parameters refer to mining_proxy; here the stratum protocol listens on port 3333.

2) Hijack the packets with iptables
Refer to the iptables processing flowchart here. Normally, mining packets take the rightmost path: PREROUTING chain -> FORWARD chain -> POSTROUTING chain. After hijacking, the packets take the middle and left paths: PREROUTING chain -> INPUT chain -> local process (i.e. mining_proxy) -> OUTPUT chain -> POSTROUTING chain.

First use the PREROUTING chain to rewrite the destination address of inbound packets:
iptables -t nat -A PREROUTING -m tcp --dport 3333 -j DNAT --to-destination 2.2.2.2:3333
iptables -t nat -A PREROUTING -m tcp --dport 3334 -j DNAT --to-destination 2.2.2.2:3333
Ports 3333 and 3334 are both DNATed here because most pools use these two ports.

Then open port 3333 in A’s firewall:
iptables -A INPUT -m tcp --dport 3333 -j ACCEPT

Finally use the POSTROUTING chain to masquerade the return traffic:
iptables -t nat -A POSTROUTING -j MASQUERADE
Since there is no guarantee that the pool address M points to stays the same (miners switch pools, and the same pool has multiple IPs), SNAT cannot be used for the return traffic; only MASQUERADE can be used.

At this point the whole hijacking process is complete. You should now see the shares submitted by the miner in mining_proxy, and the pool that mining_proxy points to will start counting hashrate as well.
 

This sort of attack does not represent any vulnerability in the Bitcoin network itself. It does, however, illustrate that attacks on miners are evolving toward more complex tactics. We will keep an eye out for further novel attacks on mining and on bitcoin in general. In the meantime, mining operators are advised to always apply the most stringent security measures. Other media outlets or security research firms are welcome to contact me for more information at [email protected]