Worm targets Linux routers

March 26, 2009 // 12:45 p.m.

Tags: #crack #cracker #dronebl #irc #malware #modem #network #networking #openwrt #psyb0t #router #virus #worm

Users of Linux-based routers are being warned of a new worm in the wild which attempts to take control and add their device to a growing botnet.

As reported over on vnunet.com yesterday, the 'psyb0t' worm was first spotted by security research group DroneBL recently – but may have been spreading since the start of the year.

Designed to brute-force the password of routers running Linux compiled for the RISC-based MIPS chip – including ones running custom OpenWRT and DD-WRT firmwares – the worm takes control of poorly secured devices and joins a botnet which the DroneBL group estimates may have grown to as large as 100,000 compromised devices so far.

Because the worm relies on insecure passwords – or devices which have not been reconfigured from their default settings – the group claims that “ninety per cent of the routers and modems participating in this botnet are [doing so] due to user error.” While it's always good advice to choose a very secure password for Internet-facing devices, it's unlikely that anyone reading a security blog needs telling.

The payload of the worm is interesting: as well as allowing full remote control of the router via an IRC channel, the malware uses packet inspection techniques in an attempt to sniff traffic for usernames and passwords to web sites and e-mail accounts. The worm also attempts to resist disinfection by locking out telnet, SSH, and web access to the device's management functionality – preventing the device from being flashed with a known-clean firmware.

The group notes that “this is the first known botnet based on exploiting consumer network devices, such as home routers and cable/dsl modems” and warns that “many devices appear to be vulnerable.

Although the current implementation of the psyb0t botnet appears to have been voluntarily shutdown – with the alleged culprit stating that he or she “never DDOSed/Phished anybody or peeked on anybody's private data for that matter” and claiming the botnet reached a total of 80,000 devices before being dismantled – this technique is unlikely to go away, and is particularly insidious in that no anti-virus protection on the computers inside the LAN will prevent the router being infected.

Do you think that routers could be the next big target for a major malware infestation, or will crackers continue to concentrate on PCs for their kicks? Share your thoughts over in the forums.
Discuss this in the forums

QUICK COMMENT

SUBSCRIBE TO OUR NEWSLETTER

WEEK IN REVIEW

TOP STORIES

SUGGESTED FOR YOU