Researchers at DroneBL have spotted signs of a stealthy router-based botnet worm targeting routers and DSL modems.
The worm, called "psyb0t," has been circulating since at least January this year, infecting vulnerable embedded Linux devices such as the Netcomm NB5 ADSL modem (above) and launching denial-of-service attacks on some Web sites.
- It's the first botnet worm to specifically target routers and DSL modems
- Contains shellcode for many mipsel devices
- It's not targeting PCs or servers
- Uses multiple strategies for exploitation, including brute-force username and password combinations
- Harvests user names and passwords through deep packet inspection
- Can scan for exploitable phpMyAdmin and MySQL servers
According to this DroneBL blog post, the worm can infect any Linux mipsel routing device that exposes its router administration interface, sshd, or telnetd in a DMZ and that uses weak username/password combinations (this includes OpenWrt/DD-WRT devices).
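The infection path described above depends on a management service (sshd, telnetd, or the web admin interface) being reachable from outside and on credential guessing succeeding against it. Beyond not exposing those services at all, a defender can spot the guessing itself in the device's authentication log. The following is an added example, not code from the article or from DroneBL: it scans syslog-style lines for bursts of failed SSH logins from one source and reports any source that later logs in successfully after being flagged. The log lines are constructed for the example and modelled on dropbear's message format (the SSH server common on OpenWrt-class devices); the threshold, window and function names are assumptions.

```python
"""Detect credential brute-forcing against an embedded Linux device's SSH daemon.

Added example (not the article's or DroneBL's code). Input lines are
constructed and modelled on dropbear's syslog output; the thresholds are
assumed tuning values, not figures from the article.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

FAIL_THRESHOLD = 5     # assumed: this many failures from one source ...
WINDOW_SECONDS = 60    # assumed: ... within this many seconds is a brute-force attempt

# Constructed sample log: a burst of guesses from one source, then a successful
# login from it; a second source with two isolated typos; one unrelated line.
SAMPLE_LOG = """\
Mar 22 01:02:03 router dropbear[1201]: Bad password attempt for 'root' from 198.51.100.7:40210
Mar 22 01:02:04 router dropbear[1202]: Bad password attempt for 'admin' from 198.51.100.7:40211
Mar 22 01:02:05 router dropbear[1203]: Login attempt for nonexistent user from 198.51.100.7:40212
Mar 22 01:02:06 router dropbear[1204]: Bad password attempt for 'root' from 198.51.100.7:40213
Mar 22 01:02:07 router dropbear[1205]: Bad password attempt for 'admin' from 198.51.100.7:40214
Mar 22 01:02:08 router dropbear[1206]: Bad password attempt for 'root' from 198.51.100.7:40215
Mar 22 01:02:09 router dropbear[1207]: Password auth succeeded for 'root' from 198.51.100.7:40216
Mar 22 01:03:00 router kernel: eth0: link is up
Mar 22 01:05:00 router dropbear[1300]: Bad password attempt for 'root' from 203.0.113.9:50001
Mar 22 01:09:30 router dropbear[1301]: Bad password attempt for 'root' from 203.0.113.9:50002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dropbear\[\d+\]: "
    r"(?:Bad password attempt for '(?P<user>[^']*)'"
    r"|Login attempt for nonexistent user"
    r"|Password auth succeeded for '(?P<okuser>[^']*)') "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+):\d+"
)


def parse_ts(text):
    # Syslog timestamps carry no year; that is fine for ordering within one log.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def analyze(log_text):
    """Return (flagged, compromised).

    flagged: {src: {"failures": total failed logins, "users": set of names tried}}
             for every source that hit FAIL_THRESHOLD failures inside WINDOW_SECONDS.
    compromised: [(src, user, timestamp)] for successful logins from a flagged source.
    """
    recent = defaultdict(deque)      # src -> timestamps of failures inside the window
    failures = defaultdict(int)      # src -> total failures seen
    users_tried = defaultdict(set)   # src -> usernames guessed
    flagged = {}
    compromised = []

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # not a dropbear auth event
        ts = parse_ts(m.group("ts"))
        src = m.group("src")

        if m.group("okuser") is not None:
            # A success right after a burst of failures is the signal to act on.
            if src in flagged:
                compromised.append((src, m.group("okuser"), ts))
            continue

        failures[src] += 1
        if m.group("user") is not None:
            users_tried[src].add(m.group("user"))

        window = recent[src]
        window.append(ts)
        # Drop failures older than the sliding window.
        while window and (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= FAIL_THRESHOLD:
            flagged[src] = {"failures": failures[src], "users": users_tried[src]}

    # Keep totals current for sources flagged earlier in the log.
    for src in flagged:
        flagged[src]["failures"] = failures[src]
    return flagged, compromised


if __name__ == "__main__":
    flagged, compromised = analyze(SAMPLE_LOG)
    for src, info in flagged.items():
        print(f"brute-force from {src}: {info['failures']} failures, users tried {sorted(info['users'])}")
    for src, user, ts in compromised:
        print(f"ALERT: successful login as '{user}' from flagged source {src} at {ts.strftime('%b %d %H:%M:%S')}")
```

The second source's two failures are minutes apart and fall outside the window, so it is never flagged; the first source crosses the threshold on its fifth failure and its subsequent success is reported as a likely compromise. On a real device the same logic would run over `logread` output or a remote syslog collector, with the threshold tuned to local traffic.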
The group estimates there are 100,000 hosts infected with this malware.
The author of this worm has some sophisticated programming knowledge, given the nature of this executable.
Action must be taken immediately to stop this worm before it grows much larger.
We came across this botnet as part of an investigation into the DDoS attacks against DroneBL's infrastructure two weeks ago, and feel that this botnet was the one which flooded DroneBL.
There are suspicions this might be a proof-of-concept research project.