Stealthy router-based botnet worm squirming
Researchers at DroneBL have spotted signs of a stealthy router-based botnet worm targeting routers and DSL modems.
The worm, called "psyb0t," has been circulating since at least January this year, infecting vulnerable embedded Linux devices such as the Netcomm NB5 ADSL modem and launching denial-of-service attacks on some Web sites.
Some characteristics:
- It's the first botnet worm to specifically target routers and DSL modems
- Contains shellcode for many mipsel devices
- It's not targeting PCs or servers
- Uses multiple strategies for exploitation, including brute-forcing username and password combinations
- Harvests user names and passwords through deep packet inspection
- Can scan for exploitable phpMyAdmin and MySQL servers
According to the DroneBL blog post, the worm can infect any Linux mipsel routing device that has its router administration interface, sshd or telnetd in a DMZ and uses weak usernames and passwords (OpenWrt and DD-WRT devices included).
The group estimates there are 100,000 hosts infected with this malware.
The author of this worm has some sophisticated programming knowledge, given the nature of this executable.
Action must be taken immediately to stop this worm before it grows much larger.
We came across this botnet as part of an investigation into the DDoS attacks against DroneBL's infrastructure two weeks ago, and feel that this botnet was the one which flooded DroneBL.
There are suspicions this might be a proof-of-concept research project.
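The infection vector described above is plain credential brute forcing against telnetd, sshd or the admin interface of a router that is reachable from the WAN. The Python below is an added example, not code from the article or from DroneBL: it walks a router syslog, counts authentication failures per source address inside a short window, and flags a source as a brute-force attempt when it crosses a threshold and as a likely compromise when a successful login from that same source follows the burst. The log lines, thresholds and the two message formats (modelled loosely on dropbear and BusyBox login) are all constructed for the example; real firmware output varies, so the regexes are a starting point, not a spec.

```python
"""Spot psyb0t-style credential brute forcing in router logs.

Added example, not code from the article or from DroneBL. The log formats
below are constructed to resemble dropbear and BusyBox login messages;
real firmware output varies, so treat the regexes as a starting point.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Tunables (assumptions for this example, not values from the article).
WINDOW_SECONDS = 60    # failures from one source are counted within this window
FAIL_THRESHOLD = 5     # this many failures inside the window = brute force
SUCCESS_GRACE = 600    # a login success this soon after a burst = likely compromise

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<proc>\S+): (?P<msg>.*)$"
)
FAIL_PATTERNS = [
    re.compile(r"Bad password attempt for '(?P<user>[^']+)' from (?P<ip>[\d.]+)"),
    re.compile(r"FAILED LOGIN \d+ FROM (?P<ip>[\d.]+) FOR (?P<user>\w+)"),
]
SUCCESS_PATTERNS = [
    re.compile(r"Password auth succeeded for '(?P<user>[^']+)' from (?P<ip>[\d.]+)"),
]

Event = namedtuple("Event", "ts kind user ip")

# Constructed sample excerpt: one scripted run through default credentials
# that ends in a successful root login, plus two benign one-off failures.
SAMPLE_LOG = """\
Mar 22 03:14:01 router dropbear[811]: Child connection from 203.0.113.7:51200
Mar 22 03:14:02 router dropbear[811]: Bad password attempt for 'root' from 203.0.113.7:51200
Mar 22 03:14:03 router dropbear[812]: Bad password attempt for 'admin' from 203.0.113.7:51204
Mar 22 03:14:04 router dropbear[813]: Bad password attempt for 'root' from 203.0.113.7:51208
Mar 22 03:14:05 router dropbear[814]: Bad password attempt for 'admin' from 203.0.113.7:51212
Mar 22 03:14:06 router dropbear[815]: Bad password attempt for 'root' from 203.0.113.7:51216
Mar 22 03:14:07 router login[816]: FAILED LOGIN 1 FROM 203.0.113.7 FOR admin, Authentication failure
Mar 22 03:14:09 router dropbear[818]: Password auth succeeded for 'root' from 203.0.113.7:51230
Mar 22 03:15:40 router dropbear[820]: Bad password attempt for 'root' from 198.51.100.5:40001
Mar 22 03:20:10 router login[901]: FAILED LOGIN 1 FROM 192.0.2.44 FOR admin, Authentication failure
Mar 22 03:20:30 router dropbear[905]: Password auth succeeded for 'admin' from 192.0.2.44:3000
"""


def parse_line(line, year=2009):
    """Return an Event for auth failures/successes, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies one
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    msg = m.group("msg")
    for kind, pats in (("fail", FAIL_PATTERNS), ("success", SUCCESS_PATTERNS)):
        for pat in pats:
            hit = pat.search(msg)
            if hit:
                return Event(ts, kind, hit.group("user"), hit.group("ip"))
    return None


def analyse(log_text, year=2009):
    """Map source IP -> findings, only for sources that produced a failure burst."""
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e.ts)
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    tried = defaultdict(set)     # ip -> usernames attempted
    findings = {}
    for ev in events:
        if ev.kind == "fail":
            tried[ev.ip].add(ev.user)
            cutoff = ev.ts - timedelta(seconds=WINDOW_SECONDS)
            recent[ev.ip] = [t for t in recent[ev.ip] if t >= cutoff] + [ev.ts]
            if len(recent[ev.ip]) >= FAIL_THRESHOLD:
                f = findings.setdefault(ev.ip, {"brute_force": True, "compromise": False,
                                                "compromised_user": None, "last_burst": ev.ts})
                f["last_burst"] = ev.ts
        elif ev.kind == "success" and ev.ip in findings:
            # a success shortly after a burst from the same source is the worm getting in;
            # a lone failure followed by a success (192.0.2.44 above) is just a typo
            if ev.ts - findings[ev.ip]["last_burst"] <= timedelta(seconds=SUCCESS_GRACE):
                findings[ev.ip]["compromise"] = True
                findings[ev.ip]["compromised_user"] = ev.user
    for ip, f in findings.items():
        f["users_tried"] = sorted(tried[ip])
        del f["last_burst"]
    return findings


if __name__ == "__main__":
    for ip, f in analyse(SAMPLE_LOG).items():
        status = "COMPROMISED as " + f["compromised_user"] if f["compromise"] else "brute force"
        print(f"{ip}: {status}; users tried: {', '.join(f['users_tried'])}")
```

Run against the constructed excerpt, only 203.0.113.7 is reported: six failures in seven seconds followed by a successful root login. The single failure from 198.51.100.5 and the one mistyped password from 192.0.2.44 stay below the threshold, which is the point of windowing per source rather than alerting on every failed login. On a real device, feed it `logread` output (OpenWrt) or the remote syslog the router ships to, and pass the correct year.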

Talkback
And there are SOOO many routers with default "admin" password out there!
I suggested this years ago.
About a year ago, I used the CD to install Hotspot@home from T-Mobile. It had no path, even looking for it, to set up security during the install. It did ask for a new password to the router, that was it. I pointed this out in an email that I am sure went to /dev/null.
People take a wireless router, plug it in, "hey, I am online" and call it good.
TripleII
They have to use a default password
Personally, I do that on about a once yearly basis: I change the router name and password on my router (along with the wireless connection password) at least once a year.
It is a default.
At least more know of security, but it was rare to find a secured network or non default password 3-5 years ago.
TripleII
How many have WAN access by default?
TripleII
All DSL Routers!(nt)
LOL, yes, brain fart on my part. (nt)
RE: Stealthy router-based botnet worm squirming
I was specifically told many times that this sort of thing just wasn't possible on linux. That there were no worms for linux. Here we have proof of just how insecure linux really is, and how it spreads the degradation of the internet for all users. Oh and notice how it uses TELNET! I've warned over and over again this is a huge security hazard and the linux fanboys didn't believe me. Now the truth finally comes out that linux DOES leave telnet open! This is exactly why I don't buy anything with linux on it.
I'm sure the fanboys are going to try to spin this or even worse try to redirect the dangers of running linux away and go completely off topic with other operating systems. Go for it linux fanboys! We love to watch you squirm while you tell your lies.
Lovey....3.0 on the comments???
Ignorance exposed!
He has a problem of comprehension
And yet you didn't address any of his points.
It's not ignorance
Jeez...
It's not religion, it's not "us vs. them"--they're all tools to solve a problem. Microsoft is, however slowly, and with false starts, getting the idea of security; whether they can actually lock down something with as many legacy requirements and such bloated code as Windows, without a major break with the past, remains to be seen. Eventually, they _have_ to resolve it. Meanwhile, people who don't understand security concepts are working with Linux in a huge range of applications, including embedded--which requires a different paradigm than Linux desktop. Some companies, developers, and/or system designers don't get it--and any system can be misconfigured.
Grow up. Drop the juvenile trolling, and if you can't contribute something useful, please shut up.
Like I said before, it's not ignorance
Me:
"I'm sure the fanboys are going to try to spin this or even worse try to redirect the dangers of running linux away and go completely off topic with other operating systems."
You: but but but Microsoft!! Windows! but but but!!
LOL!! Not only are you deflecting, but nowhere did you prove I had any ignorance; in fact I told the truth and I can proudly say "I told you so!" :)
Hey Dorkrock Davidson
Yeah... Didn't think so... Moron...
You have no clue what you are talking about... You saw the word linux and worm and thought it was your golden moment to be an uber troll...
Your ignorance knows no bounds MS fanboy... Put your crash helmet back on and go back to your bedroom in mommy's basement where you belong and are loved.
but...
Geez, get a clue. And Loverock doesn't wear a helmet anymore, now that they've finally fitted the straitjacket and completed lining mom's basement with rubber.
For the record it's ssh or the web interface, a remote shell client or a web server that are being exploited. And it's got to be resulting from a brute force attack, ergo the problem is idiots setting the devices up poorly, including bad passwords.
It's a no brainer to set virtually uncrackable passwords, I can do it without a helmet. With a good password an attacker will eventually move on after an amount of time.
Then anyone can run malware once root access to a Linux CLI is obtained. I can run malware off this here Linux desktop if I had the unction. Here's the kicker, the OS itself isn't compromised, it's doing its job perfectly, albeit for an evil purpose in the given example.
When windows gets hacked it denies the user access to his/her own equipment to one degree or other. This does not happen with any active Linux exploit to my knowledge. The kernel is still healthy, it's just been tasked to inappropriate purposes. (which, Lovey, it does perfectly)
And if you ever really wanted to learn a fact or two, LD, ponder this from the article:
DMZ
..really. Grok the umwelt, dood.
BTW the facts above aimed at LD.
@ i8... I got a couple cats you're welcome to... =)
"weak username/passwords" Your hubris knows no bounds
"Never argue with a fool, onlookers may not be able to tell the difference"
Fanbois, anti fanbois, all full of cr@p. OS is of no consequence. If one owns the greatest, most secure vault in the world, what does it matter if the ignorant user leaves it wide open or keeps the factory combination 1-2-3? Not that linux is the greatest. As I'm no fanboi, of any OS. No OS can prevent stupidity, obviously yours didn't.
I do like the potential for a serial number pw idea discussed in earlier posts.
Not again.....
Someday, he just might get something right. Keep rolling along, Rockhead, keep rolling along.....
I imagine these types of worms may be long lived...