Psyb0t Evolves, Targets Unprotected Linux Mipsel Routers

by Kristin Shoemaker - Mar. 25, 2009

Early this year, Terry Baume encountered something highly unusual -- a Netcomm NB5 DSL modem router infected by a botnet. The embedded device, powered by a MIPS processor running in little-endian mode (mipsel), was running a bit of malicious code known as PSYB0T 2.5L.

The botnet was originally thought to be a test, an experiment to see how this technology worked. It was shut down quickly by the botnet operator once its existence became public knowledge.

It now appears to have returned, and evolved into a new beast, PSYB0T 2.9L, and it affects more than Netcomm NB5 devices. Approximately 30 Linksys devices, 10 Netgear models, and 15 other models and brands of DSL modems and routers are at risk, including those running custom firmware, such as OpenWRT and DD-WRT.

That's the bad news. The good news is removing it, and ensuring it doesn't return, is fairly simple. In fact, DroneBL, the organization that scans for botnets and vulnerable machines, says that 90% of the routers involved are afflicted only because of user error.

The names and model numbers of the affected routers and modems have not been released (as no one is quite sure of every last vulnerable device yet), and DroneBL states that detecting the exploit is tricky, requiring users to monitor traffic coming in and out of the router. The first line of defense is to ascertain whether your router is potentially vulnerable. A mipsel device with telnet, SSH, or web-based control panels reachable from the WAN, using the router's default username and password combination (or a weak, dictionary-based username and password combination), is at risk, as are devices whose firmware runs exploitable daemons. Custom firmware is at risk too, but only if it meets all of the listed criteria.

Monitoring port traffic might be beyond the reach of the average home networker, but in general, DroneBL says that ports 22, 23, and 80 (again, on the router, not your local machine) are blocked on infected devices. The fix is fairly straightforward: it is recommended that infected routers undergo a hard reset. The factory default login should then be changed to something more secure, and the router firmware should be updated. This will eradicate the rootkit and secure the router against re-infection.
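The two checks described above (management ports reachable, and the 22/23/80 "all blocked" symptom) can be scripted from the LAN side. The following is an added example, not code from the article or from DroneBL; the router address, the WAN-reachability and default-credential flags are assumptions the operator supplies from their own configuration.

```python
"""Probe a router's management ports and apply the psyb0t criteria from the article."""
import socket

# Ports the article says are blocked on infected devices (and exposed on at-risk ones).
MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http"}


def probe_port(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_mgmt_ports(host, ports=MGMT_PORTS, timeout=2.0):
    """Map each management port to whether the router answered on it."""
    return {port: probe_port(host, port, timeout) for port in ports}


def assess(scan, reachable_from_wan, default_credentials, is_mipsel):
    """Classify a scan result using the article's risk criteria.

    scan: {port: is_open} as returned by scan_mgmt_ports.
    reachable_from_wan / default_credentials / is_mipsel: facts about the
    router that the operator knows (assumed inputs; the script cannot infer them).
    Returns (level, reasons) with level in
    {"possible-infection", "at-risk", "exposed", "ok"}.
    """
    open_ports = sorted(p for p, is_open in scan.items() if is_open)
    if not open_ports:
        return "possible-infection", [
            "no management port answered (22/23/80 closed): matches the symptom "
            "DroneBL reports on infected devices; hard reset, change the default "
            "login, update firmware"]
    reasons = ["open: " + ", ".join(f"{p}/{MGMT_PORTS.get(p, 'tcp')}" for p in open_ports)]
    if not reachable_from_wan:
        return "ok", reasons + ["management is not reachable from the WAN"]
    if is_mipsel and default_credentials:
        return "at-risk", reasons + [
            "mipsel device with default credentials and WAN-reachable management"]
    return "exposed", reasons + [
        "management reachable from the WAN; change credentials or disable remote admin"]


if __name__ == "__main__":
    ROUTER = "192.168.1.1"  # assumed LAN address of the router under test
    level, why = assess(scan_mgmt_ports(ROUTER), reachable_from_wan=True,
                        default_credentials=False, is_mipsel=True)
    print(level, *why, sep="\n  ")
```

A "possible-infection" result is only meaningful if the router previously answered on those ports from the LAN; an administrator who deliberately disabled telnet, SSH and the web panel gets the same scan.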

DroneBL puts the outbreak into perspective. It's hard to tell exactly how many devices are affected, or how many are at risk, but protecting your router can be as simple as a strong password. While the targeting of embedded devices and the information that can be collected through router exploits is frightening, guarding against this exploit, and the others that will (unfortunately but inevitably) follow, is largely common sense.






1 Comment

Terry Baume hah!

I found this out over a year ago! My Netcomm nb9w router was continuously hacked by what seemed to be Chinese and Taiwanese hackers, but I also suspected American hackers as the originators, in particular some denizens of MCT newsgroups. I complained to Netcomm, to my ISP (OPTUS) and even went as far as to go to the Ombudsman. All to no avail. I even tried to complain to the federal police, local police, and ASIO...

All to no avail.

I was given an NB5 to try and it seemed to work OK, until it became apparent that it too was compromised. Netcomm again was less than useless. It was also apparent that the NB5 was compromised right from the start but was very difficult to monitor the traffic on the router side.

Hence my major beef is with my ISP - OPTUS, which is a Singapore based, Chinese owned company with tentacles in OZ. They could have monitored my traffic but did not seem to care.

Both Netcomm and OPTUS should be sued blind.

ps: I went to school with the defense minister, and I hear as I type that his local office has been hacked to connect him to a Chinese-Australian Businesswoman with ties to Beijing.

And all this soon after a visit from Kevin Rudd to the US


strange, no?


pps: dweb.webhop.net shows as 127.0.0.1 on a pathping.

and I think my routers have been used to PROTOTYPE the psyb0t hacks


does anyone want to help me find out who these maggots are?

