Routers based on the Linux operating system - including units running DD-WRT and OpenWRT firmware - are vulnerable to a new worm.
Users of Linux-based routers are being warned of a new worm in the wild which attempts to take control and add their device to a growing botnet.
As reported over on vnunet.com yesterday, the 'psyb0t' worm was first spotted by security research group DroneBL recently – but may have been spreading since the start of the year.
Designed to brute-force the password of routers running Linux compiled for the RISC-based MIPS chip – including ones running custom OpenWRT and DD-WRT firmware – the worm takes control of poorly secured devices and joins them to a botnet which the DroneBL group estimates may have grown to as many as 100,000 compromised devices so far.
Because the worm relies on insecure passwords – or devices which have not been reconfigured from their default settings – the group claims that “ninety per cent of the routers and modems participating in this botnet are [doing so] due to user error.” While it's always good advice to choose a very secure password for Internet-facing devices, it's unlikely that anyone reading a security blog needs telling.
The payload of the worm is interesting: as well as allowing full remote control of the router via an IRC channel, the malware uses packet inspection techniques in an attempt to sniff traffic for usernames and passwords to web sites and e-mail accounts. The worm also attempts to resist disinfection by locking out telnet, SSH, and web access to the device's management functionality – preventing the device from being flashed with a known-clean firmware.
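The worm's entry point is repeated password guessing against the router's management services, so the earliest sign of an attack is a burst of failed logins from one source. The following is an added example, not code from the article or from DroneBL: it scans router syslog lines for failed SSH logins and flags sources that exceed a chosen rate. The log excerpt is constructed (modelled on the messages the dropbear SSH daemon common on OpenWRT emits), and the threshold of five failures per minute is an assumption.

```python
"""Flag brute-force login attempts against a router's management
services from syslog lines. Added example; the sample lines are
constructed, modelled on dropbear's log messages."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log excerpt; addresses are from documentation ranges.
SAMPLE_LOG = """\
Mar 24 10:01:03 router dropbear[812]: Bad password attempt for 'root' from 203.0.113.7:40011
Mar 24 10:01:04 router dropbear[813]: Bad password attempt for 'root' from 203.0.113.7:40012
Mar 24 10:01:05 router dropbear[814]: Bad password attempt for 'admin' from 203.0.113.7:40013
Mar 24 10:01:06 router dropbear[815]: Bad password attempt for 'root' from 203.0.113.7:40014
Mar 24 10:01:07 router dropbear[816]: Bad password attempt for 'root' from 203.0.113.7:40015
Mar 24 10:03:41 router dropbear[820]: Bad password attempt for 'root' from 192.168.1.20:51200
Mar 24 10:09:50 router dropbear[830]: Password auth succeeded for 'root' from 192.168.1.20:51201
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dropbear\[\d+\]: "
    r"Bad password attempt for '(?P<user>[^']+)' from (?P<ip>[\d.]+):\d+$")

def parse_failures(log_text, year=2009):
    """Yield (timestamp, source_ip, username) for each failed-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def brute_force_sources(log_text, threshold=5, window_s=60):
    """Return {ip: peak_count} for sources with >= threshold failures
    inside any window_s-second window (sliding window per source)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for ts, ip, _user in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()                # drop failures outside the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    for ip, n in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins within 60s")
```

A source that trips the threshold from the WAN side is a candidate for blocking at the firewall; a single failure from the LAN, as in the last lines, is ordinary user error.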
The group notes that “this is the first known botnet based on exploiting consumer network devices, such as home routers and cable/dsl modems” and warns that “many devices appear to be vulnerable.”
Although the current implementation of the psyb0t botnet appears to have been voluntarily shut down – with the alleged culprit stating that he or she “never DDOSed/Phished anybody or peeked on anybody's private data for that matter” and claiming the botnet reached a total of 80,000 devices before being dismantled – this technique is unlikely to go away, and is particularly insidious in that no anti-virus protection on the computers inside the LAN will prevent the router itself being infected.
Do you think that routers could be the next big target for a major malware infestation, or will crackers continue to concentrate on PCs for their kicks? Share your thoughts over in the forums.
I wondered how long it'd be before this sort of thing turned up. It just shows how many people do nothing to secure their routers.
People who leave their router access on 'password' probably deserve all they get, but it's bad design for something to be brute-force crackable (failed logins/min).
But hey, I've seen Belkin routers that this would probably work on... And that's without having DD-WRT/Tomato installed.
Who runs a router on defaults? Probably everyone XD. Imagine a botnet like that - pure genius. Too bad he let the cat out of the bag.
This is a misleading story. The open source firmware doesn't come with the door open. http://www.linuxtoday.com/it_management/2009032501835SCEMHW
At least one vendor was found that did at some point in time ship such "open door" products. http://www.linuxtoday.com/news_story.php3?ltsn=2009-03-25-018-35-SC-EM-HW-0003
Remember, even if you buy a strong fort that is locked, you can always open the door to make yourself vulnerable.
The good news is that this means that only a small fraction of users will be affected instead of almost everyone using that product.
I'm getting the feeling this was a research ploy from someone that feels threatened by the value proposition of FOSS.
Talk about leaving yourself open...
Oh yes, if the Sky router gets infected with this and starts DDOSing other systems, Sky will cut you off and won't reconnect you until you have reformatted your computer hard drive... (as one of my work colleagues found out recently)
I wonder what they'll do if it is the router that is doing the dirty on the net?
Andy
Really, whoever doesn't change their router admin password is supposed to be infected. Don't blame the smart guy who wrote the worm.