Post
Topic
Board Mining (Altcoins)
Re: New virus on the loose affecting B7 and STU-U6 units based upon Mirai/Botnet...
by
yrk1957
on 06/07/2020, 20:22:07 UTC

Thanks for the merits!

I expect the entry points to be other than SSH also.
cgminer's API is an entry point.
The upload/configuration restore mechanism is an entry point (Bitmain has tried to patch this as of late with varying levels of success).
Bitmain's latest additions to cgminer add new functionality that isn't on the standard API port and probably needs some work... I'm still reverse engineering it but so far haven't seen any authentication/authorization.

Another entry point is... buying used miners. The last variant of this I found came through a reseller in China towards the end of a product cycle.





The B7 were used, from China. So that might be it.

The U6 were brand new. And given the default SSH password is non-trivial (I could not crack it), they might have been infected in other ways as you describe.