A worm has been used to build a botnet consisting of DSL routers running Linux, which may be still evolving, according to security training organisation the Sans Institute.
After becoming infected, the network of routers was used to launch a denial-of-service attack earlier in March against DroneBL, an organisation that maintains a DNS blacklist. Sans Institute handler GN White reported the issue in a blog post on Tuesday, noting that there was a chance the bot was "still evolving".
After analysing the worm, DroneBL researchers wrote in a blog post that, while a range of devices may be exploitable, devices are only vulnerable if they can run Mipsel, part of the Debian Linux distribution. To be vulnerable, devices must also have telnet-, SSH- or web-based WAN interfaces, and either weak username and password combinations or exploitable firmware, the researchers wrote.
The worm uses a brute-force dictionary attack to determine usernames and passwords. Once it has gained access to the device, it loads a Mipsel binary called psyb0t, which then scans a random IP range for vulnerable routers and modems. It also scans for vulnerable MySQL servers to infect.
DroneBL reported in its blog post that it had been the subject of a denial-of-service attack from a botnet consisting of at least 100,000 devices. The botnet appears to have been discontinued, according to IRC logs by 'DRS', who DroneBL said was the bot-controller.
The worm was first noted as psyb0t 2.5L in a paper by security researcher Terry Baume in January. The psyb0t iteration used to attack DroneBL was psyb0t 2.9L.