There is a new worm, an IRC-based bot called Psyb0t, which targets embedded Linux devices. To qualify as vulnerable, a device, commonly a DSL modem or a router running OpenWrt or DD-WRT, must be mipsel-based and have its SSH, Telnet, or web-based interface reachable from the WAN.
(Image caption) Botnet targeted 80-100,000 DSL modems and routers. Image: Netcomm
Psyb0t itself is not new. Researcher Terry Baume discovered the botnet in late 2008 and wrote about it and its methods earlier this year. You can read his research here.
Baume's research focused on the Netcomm MB5 ADSL modem, but he later found that modem brands in Italy, Brazil, Ecuador, Russia, Ukraine, Turkey, Peru, Malaysia, Colombia, India, and Egypt were suspect as well. Adding to this are the OpenWrt and DD-WRT projects, which open the infection surface to devices in the U.S. and U.K.
The botnet came into the public eye this week because of a report posted by DroneBL, a real-time monitor of abusable IPs. DroneBL noticed the botnet while investigating denial-of-service attacks on its own systems. Digging deeper, it found the same botnet that Baume had written about, now much larger: the group speculated that the botnet was around 100,000 systems strong.
Digging into the code of the worm used to build the botnet, DroneBL found that it targeted routers and DSL modems, carried shellcode for many mipsel devices, used several attack vectors including brute-force logins, harvested usernames and passwords using deep packet inspection, and sought out phpMyAdmin and MySQL servers open to exploitation.
The good news, at least for now, is that the botnet is dead.
On Sunday, when the DroneBL researchers connected to the IRC channel from which the botnet was controlled, they were greeted with the following topic.
“Topic for #mipsel is: .silent on .killall .exit ._exit_ .Research is over: for those interested I reached 80K. That was fun :), time to get back to the real life... (To the DroneBL guys: I never DDOSed/Phished anybody or peeked on anybody's private data for that matter).”
Aside from the requirement already mentioned, an SSH, Telnet, or web-based interface reachable from the WAN, there are two other conditions for infection: the firmware on the DSL modem or router has vulnerable daemons, and the administrative username and password are weak.
The botnet used brute force to crack most of the routers and modems; weak passwords never stood a chance, and because of this tens of thousands of devices were added to the botnet. While the botnet is dead for now, you can protect yourself from future incarnations by taking the steps suggested below.
“Ports 22, 23 and 80 are blocked as part of the infection process,” DroneBL said in its mitigation steps. “If these ports are blocked, you should perform a hard reset on your device, change the administrative passwords, and update to the latest firmware. These steps will remove the rootkit and ensure that your device is not re-infected.”
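As an added example, not code from the article or from DroneBL, here is a small Python check that probes the three management ports named above from either side of the router and maps the result onto the two conditions the article describes: a management interface reachable from the WAN, which the worm needs, or all three ports blocked from the LAN, which DroneBL gives as the infection indicator. The host addresses, the assumption that the admin interface normally answers on at least one of these ports from the LAN, and the verdict strings are my own.

```python
import socket
from typing import Dict, Tuple

# Management ports named in the article: SSH, Telnet and the web interface.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 80: "http"}


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed' (connection refused) or 'filtered' (no answer)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def probe_router(host: str, timeout: float = 2.0) -> Dict[int, str]:
    """Probe all three management ports on one address (LAN or WAN side)."""
    return {port: probe_port(host, port, timeout) for port in MANAGEMENT_PORTS}


def assess(states: Dict[int, str], vantage: str) -> Tuple[str, str]:
    """Map probe results onto the article's two conditions.

    vantage 'wan': probing the public address from outside. Any reachable
        management port satisfies the worm's first precondition.
    vantage 'lan': probing the inside address, where the admin interface
        normally answers (assumption). All three ports blocked matches the
        indicator DroneBL described: 22, 23 and 80 blocked after infection.
    Returns (verdict, explanation); verdict is 'exposed', 'suspect' or 'ok'.
    """
    reachable = [p for p, state in states.items() if state == "open"]
    if vantage == "wan":
        if reachable:
            names = ", ".join(MANAGEMENT_PORTS[p] for p in sorted(reachable))
            return "exposed", f"{names} reachable from WAN; restrict to LAN, set strong password"
        return "ok", "no management port reachable from WAN"
    if vantage == "lan":
        if not reachable:
            return "suspect", "all management ports blocked; hard reset, change password, update firmware"
        return "ok", "management interface answers from LAN"
    raise ValueError("vantage must be 'wan' or 'lan'")


if __name__ == "__main__":
    # Constructed addresses; replace with your router's LAN and WAN addresses.
    print(assess(probe_router("192.168.1.1"), "lan"))
```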