ETHERLive delivers real-time price and volume data across 16+ exchanges to users in a clear and easy-to-understand package. Users can get up-to-the-second updates for each exchange/currency pair, as well as aggregated market averages for each exchange, currency, and the market as a whole. It also provides a global converted average of all the currency pairs monitored by ETHNews, converted to USD.


24hr ---

The Basics

Learn the basics of Ethereum and various cryptocurrency technologies

Learn More

What is Ethereum?

Understand the underlying principles of the Ethereum Platform

Learn More

The Blockchain

Discover the revolutionizing technology known as the blockchain

Learn More

Press Release

Submit a press release for consideration on ETHNews

Submit Press

Story / Dapp

Submit a story or DAPP to be considered for publication on ETHNews.

Submit Story


Submit "Ethereum Explainer" content for consideration to be featured on ETHNews

Submit Topic
ETHNews Logo
Ether Price Analysis
Contact Us

Researchers Claim 400,000+ MikroTik Routers Infected With Mining Malware




MikroTik mining malware was first discovered in Brazil in August, but the virus continues to spread all over the world.

Malware that specifically targets MikroTik routers could now be affecting more than 415,000 routers across the globe, according to a December 2 tweet from VriesHD.

The malware, which typically uses Coinhive software to secretly mine Monero, was first discovered in Brazil in August.

According to Bad Packets LLC, a security research firm, over 170,000 routers in Brazil were infected with the mining malware. Security researcher Simon Kenin of cybersecurity firm Trustwave described the attack by saying:

"The attacker wisely thought that instead of infecting small sites with few visitors or finding sophisticated ways to run malware on end-user computers, they would go straight to the source: carrier-grade router devices."

According to Bad Packets, the epidemic is spreading – by August 25, those infected included approximately 3,000 MikroTik routers in the US containing IP addresses assigned to internet service provider Cogent. A month later, over 600 routers belonging to the Douglas County Public Utility District in north-central Washington state were infected with the malware. According to Bad Packets, "39% of the IPs they manage route to a compromised device."

While research shows that Coinhive is used in most of these instances, during the largest "campaign" CoinImp software was used to infect 115,000 routers. And in September, Bad Packets pointed out more malware targeting MikroTik routers, this one injecting MinerAlt software, which is also used to mine Monero, to steal 30 percent of users' mining revenue. To avoid detection, "Infected routers in this campaign are configured to throttle the CPU usage of the victims' devices… the amount of CPU power used for mining cryptocurrency is roughly 80%."

Although those responsible for the malware cleverly evolve their methods to circumvent discovery, there is at least one patch victims, internet services providers, and MikroTik router owners can use to protect themselves. And it was actually released way back in April. MikroTik's patch, which intended to "fix a zero-day vulnerability exploited in the wild," was released after users of a Czech tech forum spotted malware mining attacks targeting a remote management service called Winbox, which is included with all MikroTik routers. The service allows users to configure devices.

However, even after multiple warnings to upgrade routers – from MikroTik and security researchers, a large number of devices could still be infected. According to a September tweet from Bad Packets, several hundred thousand hosts were still compromised. 

Describing the challenge of upgrading one's router, a researcher from VriesHD told Hard Fork:

"Users should indeed update their routers, yet the biggest bunch of them are distributed by ISPs to their customers, who often have no idea what to do or how to update the router. Often these distributed routers are limited in their rights as well, not allowing users to update the routers themselves. The patch for this specific problem has been out for months and I've seen ISPs with thousands of infections disappear from the list. Unfortunately, it appears tons of ISPs simply won't take action to mitigate the attacks."

Nathan Graham

Nathan Graham lives in Sparks, Nevada, with his wife, Beth, and dog, Kyia. Nathan has a passion for new technology, grant writing, and short stories. He spends his time rafting the American River, playing video games, and writing.

ETHNews is committed to its Editorial Policy

Like what you read? Follow us on Twitter @ETHNews_ to receive the latest MikroTik, Monero or other Ethereum technology news.