More information has surfaced about the botnet “psyb0t,” the first known to be capable of directly infecting home routers and cable/DSL modems.
It was first observed infecting a Netcomm NB5 modem/router in Australia.
Members of the website DroneBL, a real-time IP tracker that scans for and botnets and vulnerable machines, came to the conclusion that the “psyb0t” (or “Network Bluepill”) botnet was a test run to prove the technology. After the botnet’s discovery and public outing, the botnet operator swiftly shut it down, APC reports.
However, the most recently discovered generation (dubbed ‘version 18′ in the code) targets a wide range of devices, and contains the s**code for over 30 different Linksys models, 10 Netgear models, and 15 other models of cable and DSL modems, APC reports. It did not specify which models.
Researchers are warning of a new worm that targets DSL routers running a distribution of Linux.
The psyb0t worm appears to have been in circulation since the start of the year, and targets routers running Mipsel, a form of the Debian Linux distribution designed for MIPS processors.
The worm is believed to be the first of its kind, and the researchers at DroneBL estimate that it may have infiltrated as many as 100,000 routers.
Psyb0t uses a brute force dictionary attack against the router to obtain username and passwords. This shows that the exploitation is not an attack on the flaw in the operating system itself, but against poor user security.
"Ninety per cent of the routers and modems participating in this botnet are participating due to user error (the user themselves or otherwise). Unfortunately, it seems that some of the people covering this botnet do not understand this point, and it is making us look like a bunch of idiots," said a posting on the DroneBL blog.
"Any device that meets the above criteria is vulnerable, including those built on custom firmware such as OpenWRT and DD-WRT. If the above criteria are not met, then the device is NOT vulnerable."
Once installed, psyb0t allows remote control of the router, and infected hardware has already been used to take part in botnet attacks. It also uses deep packet inspection to try and harvest usernames and passwords for other sites.
* Your device is a mipsel (MIPS running in little-endian mode, this is what the worm is compiled for) device.
* Your device also has telnet, SSH or web-based interfaces available to the WAN, and
* Your username and password combinations are weak, OR the daemons that your firmware uses are exploitable.
As such, 90% of the routers and modems participating in this botnet are participating due to user-error (the user themselves or otherwise). Unfortunately, it seems that some of the people covering this botnet do not understand this point, and it is making us look like a bunch of idiots.
Any device that meets the above criteria is vulnerable, including those built on custom firmware such as OpenWRT and DD-WRT. If the above criteria is not met, then the device is NOT vulnerable.