March 25th, 2009

'Psyb0t' worm infects Linksys, Netgear home routers, modems

Posted by Andrew Nusca @ 5:10 am

Categories: Security

Tags: Router, Worm, Modem, DroneBL, Command & Control, Routers & Switches, Network Technology, Networking, Andrew Nusca

More information has surfaced about the botnet “psyb0t,” the first known to be capable of directly infecting home routers and cable/DSL modems.

It was first observed infecting a Netcomm NB5 modem/router in Australia.

Members of the website DroneBL, a real-time IP tracker that scans for botnets and vulnerable machines, concluded that the “psyb0t” (or “Network Bluepill”) botnet was a test run to prove the technology. After the botnet’s discovery and public outing, its operator swiftly shut it down, APC reports.

[Read more: Stealthy router-based botnet worm squirming]

However, the most recently discovered generation (dubbed ‘version 18’ in the code) targets a wide range of devices and contains shellcode for over 30 different Linksys models, 10 Netgear models, and 15 other models of cable and DSL modems, APC reports. APC did not specify which models.

APC:

A list of 6,000 usernames and 13,000 passwords was also included, to be used for brute-force entry to Telnet and SSH logins, which are open to the LAN and sometimes even the public WAN side of the routers. Generally, routers do not lock a user out after a number of incorrect password attempts, making brute-force attacks possible.

According to DroneBL, any router that uses a MIPS processor and runs Linux Mipsel (a simple operating system for MIPS processors) is vulnerable if it exposes the router administration interface, or sshd/telnetd, in a DMZ with weak usernames and passwords. DroneBL noted this includes devices flashed with the open-source firmwares OpenWrt and DD-WRT, and the group also said that other routers may be vulnerable, as it had observed the bot running on routers based on the VxWorks operating system.

Clearly, exploiting home networks — which are growing in popularity — has its benefits: they rarely power down, and a router attack lets attackers exploit a network with greater stealth, since there is no effect on the individual PCs on the network, APC writes.

In fact, DroneBL’s staff wrote that the exploit is very difficult to detect, and the only way to discover it is to monitor traffic going in and out of the router itself, beyond the reach of desktop security software.

In the past, exploits on professional-grade Cisco routers were easier to detect, as Cisco provides dedicated ports for connecting to the router, monitoring internal performance and configuring them. However, the vast majority of home routers sacrifice these features for the sake of cost savings.

DroneBL says that the botnet is capable of scanning for vulnerable phpMyAdmin and MySQL installations, and can also disable access to the control interfaces of a router, meaning a factory reset is necessary to clear the worm.

DroneBL was successful in shutting down the Command & Control channel that the botnet utilized, and the DNS that was hosted with afraid.org was also nullrouted. The Command & Control channel is now defunct, but at the height of its penetration, the botnet was suspected to control 100,000 hosts.

Worse, the author of the botnet claimed to have infected 80,000 routers at one point while chatting anonymously on an IRC channel.

WHAT DEVICES ARE AFFECTED

According to DroneBL:

We don’t know. There are so many devices out there that we could not possibly know.

Your best bet would be to take action to upgrade the device firmware and secure any passwords if there is concern that the device may be vulnerable. Such actions will help to avoid exploitation by the worm.

WHAT TO DO

According to DroneBL:

Ports 22, 23 and 80 are blocked as part of the infection process (but NOT as part of the rootkit itself; running the rootkit itself will not alter your iptables configuration).

If these ports are blocked, you should perform a hard reset on your device, change the administrative passwords, and update to the latest firmware. These steps will remove the rootkit and ensure that your device is not reinfected.
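DroneBL's indicator is simple enough to check from a PC on the LAN: if the router's SSH, Telnet and web administration ports have all stopped answering, the device matches the post-infection state described above. The script below is an added example, not code from the article or from DroneBL. It probes those three ports on the router's LAN address and classifies the result; the default address 192.168.1.1 and the 2-second timeout are assumptions, and the three-way verdict (all reachable / all blocked / some blocked) is this example's own scheme.

```python
import socket
import sys

# Ports DroneBL reports as blocked by the infection process.
ADMIN_PORTS = {22: "ssh", 23: "telnet", 80: "http admin UI"}


def probe(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes; False if it is refused,
    dropped by a firewall rule, or times out."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_admin_ports(host, ports=ADMIN_PORTS, timeout=2.0):
    """Map each admin port to whether it is reachable from this host."""
    return {port: probe(host, port, timeout) for port in ports}


def assess(results):
    """Classify probe results against DroneBL's symptom.

    Returns (verdict, explanation). 'blocked' means every admin port is
    unreachable, which matches the infection symptom; 'partial' could be
    deliberate hardening (telnet switched off, for instance) and has to be
    compared with the router's own configuration.
    """
    blocked = sorted(port for port, reachable in results.items() if not reachable)
    if not blocked:
        return ("reachable", "all admin services answer; no psyb0t port-blocking symptom seen")
    if len(blocked) == len(results):
        return ("blocked", "ports 22, 23 and 80 all unreachable: matches the infection symptom; "
                           "hard reset, change admin passwords, then update firmware")
    return ("partial", f"ports {blocked} unreachable; may be normal hardening, "
                       "verify against the router's own settings")


if __name__ == "__main__":
    # Assumed default LAN address; pass the real one as the first argument.
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    results = probe_admin_ports(router)
    for port, reachable in sorted(results.items()):
        print(f"{router}:{port} ({ADMIN_PORTS[port]}): {'open' if reachable else 'unreachable'}")
    verdict, why = assess(results)
    print(f"{verdict}: {why}")
```

A 'blocked' verdict is only DroneBL's stated symptom, not proof of infection: a router that was never configured to expose SSH or Telnet will also show closed ports, which is why the mixed case is reported separately. Run the check from the LAN side, since the article notes that administration from the WAN side is what exposed these devices in the first place; a 'reachable' result says nothing about whether the credentials behind those ports are strong.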

Andrew J. Nusca is an associate editor for ZDNet and SmartPlanet.

Talkback (most recent of 45):
Could we have a list as to what routers are affected?  Lerianis | 03/25/09
Did you read this article?  ejhonda | 03/25/09
Did you read this article?  pparks_2000 | 03/25/09
There ya go Lerianis  ejhonda | 03/25/09
There is no exuse for rudeness.  Kyser Soze | 03/26/09
Wow  tikigawd | 03/26/09
Here is the list  Loverock Davidson | 03/25/09
Where can I buy a Windows Router?  mikefarinha | 03/25/09
I am honest  Loverock Davidson | 03/25/09
We see what you mean  IT_User | 03/25/09
You see wrong  Loverock Davidson | 03/25/09
So say something that makes sense  IT_User | 03/25/09
I take back what I said.  mikefarinha | 03/25/09
That won't happen  Loverock Davidson | 03/25/09
Why  no_zd_user_name | 03/25/09
@ Dietrich  MGP2 | 03/25/09
It's a very simple fix  Speednet | 03/26/09
And don't allow it to be administered from outside the LAN  seanferd | 03/26/09
Oh come on Lovey!!!!  randysmith@... | 03/26/09
And if you read the original article, you would know...  randysmith@... | 03/26/09
RE: 'Psyb0t' worm infects Linksys, Netgear home routers, modems  Loverock Davidson | 03/25/09
See my comments (to you) directly above  no_zd_user_name | 03/25/09
not windows vs linux, poor human choices the problem  erik.soderquist | 03/26/09
Stupid human tricks...  gavin142 | 03/28/09
How about these two routers?  mlindl | 03/25/09
If  no_zd_user_name | 03/25/09
probably...  gavin142 | 03/28/09
RE: 'Psyb0t' worm infects Linksys, Netgear home routers, modems  kroser@... | 03/25/09
Answers  Loverock Davidson | 03/25/09
Rebuttal  mikefarinha | 03/25/09
WatchGuard home routers are OK.  warren@... | 04/09/09
What a hoot ...  George Mitchell | 03/25/09
In other words you've never used a home router.  mikefarinha | 03/25/09
You only allow access from the local network ...  George Mitchell | 03/25/09
Keep the Remote Management turned off on your Router! Duh!!!  GiveMeGizmos | 03/25/09
Remote management sometimes needed  tony@... | 03/26/09
It ought to be..  gavin142 | 03/28/09
So basically....  JT82 | 03/25/09
Unless you have a virus on your computer ...  George Mitchell | 03/25/09
Im sure glad D link isnt on the list...  enduser_z | 03/25/09
When a router is safe?  Marie55 | 03/27/09
to answer your question Marie55...  gavin142 | 03/28/09
RE: 'Psyb0t' worm infects Linksys, Netgear home routers, modems  gwreg4fge | 10/06/09
RE: 'Psyb0t' worm infects Linksys, Netgear home routers, modems  kagyhelen | 10/26/09
RE: 'Psyb0t' worm infects Linksys, Netgear home routers, modems  gwreg4fge | 11/03/09
