Linux Malware Evolves to Mine Cryptocurrencies

Cyrptocurrency mining malware has previously targeted Windows PCs. Now Linux owners are getting a taste of malware misery too.

AccessTimeIconMar 24, 2014 at 2:22 p.m. UTC
Updated Sep 11, 2021 at 10:34 a.m. UTC

While cryptocurrency mining malware has generally been targeted at PCs running the Windows OS, owners of Linux-based machines are now experiencing a taste of malware misery too.

Computer security company Symantec has identified a new version of an old worm that has been going after Linux-based routers and set-top boxes for some time.

The Darlloz worm, as it is called, has evolved to attack Linux desktops and to press them into service as unwilling cryptocurrency miners, IDG News Service reports.

Darlloz is a rather unusual piece of malware, as it was originally developed to wreak havoc on embedded device architectures – computer systems within mechanical devices, such as printers.

In its latest incarnation, however, the coin-mining worm seeks out Intel-based computers running Linux, installs the 'cpuminer' program and sets the PC to mining for either dogecoins or mincoins.

Attractive altcoins

Since bitcoin can no longer be effectively mined by personal computers, the developers of the Darlloz worm sensibly opted for scrypt mining instead. Scrypt is the 'proof of work' algorithm used by many altcoins, such as litecoin and dogecoin, whereas bitcoin uses SHA-256.

Symantec researcher Kaoru Hayashi said scrypt-based altcoins can still be successfully mined on standard PCs, hence malicious developers now find them a more attractive proposition than bitcoin.

Fortunately, the worm appears to be propagating slowly and it is not doing much damage. Hayashi cited one attacker who used Darlloz to mine 42,438 dogecoins and 282 mincoins, with a combined value of less than $200.

However, Hayashi cautioned that the situation could get worse:

"These amounts are relatively low for the average cybercrime activity, so we expect the attacker to continue to evolve their threat for increased monetization."

Internet of Things

Staying true to its roots, Darlloz is still targeting plenty of devices that cannot be used for mining. Symantec identified over 30,000 devices infected with the worm last month, with half of the infections being in the US, China, India, South Korea and Taiwan.

More than a third of all infections had nothing to do with PCs, Symantec said, as they involved Internet of Things (IoT) gear, including printers, routers, set-top boxes and IP cameras.

These devices tend to be vulnerable to attack as they are not patched as regularly as PCs. Hayashi said that updating firmware and changing default passwords can go a long way towards protecting such devices. Blocking connections to port 23 and port 80 helps too.

Other dangers

Although this is a curious case of mining malware for Linux, it should be pointed out that the vast majority of cryptocurrency related malware is designed to target Microsoft Windows.

Dell SecureWorks recently published a report on cryptocurrency stealing malware (CCSM), which found that 147 strains of CCSM in the wild. Less than 1% of all cryptocurrency malware, however, is designed to attack Mac OS X or Linux.

Another danger for owners of cryptocurrency is ransomware that demands on bitcoin for payment. The latter also comes in a hybrid form, which blackmails the user into paying a bitcoin ransom, while at the same time mining for bitcoins.

The heyday of bitcoin-mining malware has long gone, but coin-stealing malware and bitcoin ransomware is on the rise.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Learn more about Consensus 2024, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.