Psyb0t Evolves, Targets Unprotected Linux Mipsel Routers

by Ostatic Staff - Mar. 25, 2009

Early this year, Terry Baume encountered something highly unusual -- a Netcomm NB5 DSL modem router infected by a botnet. The embedded device, powered by a MIPS processor running in little-endian mode (mipsel), was running a bit of malicious code known as PSYB0T 2.5L.

The botnet was originally thought to be a test, an experiment to see how this technology worked. It was shut down quickly by the botnet operator once its existence became public knowledge.

It now appears to have returned, and evolved into a new beast, PSYB0T 2.9L, and it affects more than Netcomm NB5 devices. Approximately 30 Linksys devices, 10 Netgear models, and 15 other models and brands of DSL modems and routers are at risk, including those running custom firmware, such as OpenWRT and DD-WRT.

That's the bad news. The good news is removing it, and ensuring it doesn't return, is fairly simple. In fact, DroneBL, the organization that scans for botnets and vulnerable machines, says that 90% of the routers involved are afflicted only because of user error.

The names and model numbers of the routers and modems affected have not been released (as no one is quite sure of every last vulnerable device, yet), and DroneBL states that detecting the exploit is tricky, requiring users to monitor traffic coming in and out of the router. The first line of defense is to ascertain if your router is potentially vulnerable. A mipsel device, with telnet, SSH, or web-based control panels available to the WAN, using the router's default username and password combination (or with weak, dictionary-based usernames and password combinations) are at risk (as are devices with firmware running exploitable daemons). Custom firmware is at risk, but only if it meets all of the listed criteria.

Monitoring port traffic might be beyond the reach of the average home-networker, but in general, DroneBL says that ports 22, 23, and 80 (again, on the router, not your local machine) are blocked in infected devices. The fix is fairly straightforward. It is recommended that infected routers undergo a hard reset. The factory default log in should be changed to something more secure, and the router firmware should be updated. This will eradicate the rootkit, and secure the router against re-infection.

DroneBL puts the outbreak into perspective. It's hard to tell exactly how many devices are affected, or how many are at risk, but protecting your router can be as simple as a strong password. While the targeting of embedded devices and the information that can be collected through router exploits is frightening, guarding against this exploit, and the others that will (unfortunately but inevitably) follow, is largely common sense.