Linux Trojan cryptominer

The Trojan called Linux.BtcMine.174 first copies itself to a folder for which it has write permissions and then downloads additional modules. Once in the system, it gets the root privileges and takes control of the Linux OS. In addition, the Trojan adds itself as an autorun feature, downloads a rootkit and executes it: for example, it can read passwords entered by the user. Be careful if you have an old linux kernel.

1 Like

Thanks for the heads up. But how does one check for this malware and how would one accidentally obtain it?

Just don’t try to install “Half Life 3” for linux :slightly_smiling_face:


See this -

1 Like

Thanks, interesting read although above my level. So if I understand correctly, to get infected, a PC user needs to install a third party application as root. In addition, npm needed to be installed. Did I understand correctly?

Not in the “understanding” business myself. Read the article comments to get a broader understanding. Good luck jaybo.

I did a little research out of curiousity. This is what I understand of it:

It seemed this Trojan was targeting a very specific company called bitpay which produces some Bitcoin software called copay. Users and developers of that program who have Bitcoin wallets would have been affected by this.

It was distributing via NPM which is a package manager for JavaScript/web developers. Most end users wouldn’t have had this installed at all. I found the discussion where it was first discovered:

This particular article mentions it exploited two vulnerabilities:

Otherwise, the press love their clickbaits. :roll_eyes: If you had the latest kernel in use, the script couldn’t have escalated. If you didn’t have copay, there’s nothing to worry about. If anyone has NPM installed, you’d be OK as long as you didn’t have the malicious versions of the event-stream and flatmap-stream modules.

This virus vendor published SHA1 sums.

So you could generate SHA1 checksums of all the files on your system to sha1sums.txt

sudo find / -type f -print0  | xargs -0 sha1sum > sha1sums.txt

(Since some files are privileged, sudo is needed to scan all files on the system)

Then when it’s done, look up any of the mentioned SHA1 hashes in your list.


Sounds dumb to ask, but could this affect Chromebooks?

Because if so, this is devastating for Google, especially when the virus becomes distributed in the darknet (which may happen) and evolve by third parties into something which would smear Linux’s reputation as a more secure alternative.

For this particular attack, extremely unlikely since the copay software is based on Electron (to build desktop/mobile apps) and not a website. In theory, any web-enabled device (including Chromebooks) could be infected. The code started off in JavaScript which could use exploits to break out of a browser into the user’s system.

NodeJS is a bit different since it uses JavaScript like a general programming language, making use of APIs to talk to the system.

If anyone has lots of time of their hands, 1000s responded to the previously linked “I don’t know what to say” thread debating over open source and liability. Ultimately, it was just very sneaky and a case of mistrusting a stranger.

Actually it was in “inside job”. The scumbag thief stepped up to be a maintainer of a node-js package when the original author announced he would no longer maintain it, and slipped in this malware.

Its more an attack on trust and sharing than Linux code.

Which only goes to prove, if you’re going to step down as a maintainer, don’t and instead say you’ll step down from contributing original work. But always, always when you say you are winding down contributions observe when new maintainers contribute into a project to make sure the new code isn’t malicious.

Not all people are kind and generous, especially when opportunity presents itself like that.