In January 2008, I wrote two articles (Jan. 3, 2008 & Jan. 15, 2008) about a computer virus infection vector that almost no one else had looked at, except William Pitcock over at Dereferenced Technologies, and the Indiana University students who wrote about Wifi Epidemiology.
This week, eWeek’s Larry Seltzer brings us the story of the first implementation of these ideas, in his story The First Linux Botnet, which is titled to spread maximum fear. Specifically, it appears that the psyb0t worm attacks not only a long list of Linux-based embedded devices, but also routers running VxWorks-based firmware.
As Pitcock and I both suggested, network gateway hardware is a much softer target for infection, especially when the manufacturers ship it with default passwords, administrative access enabled on the WAN port, and other bone-headed security practices.
The psyb0t worm has the following characteristics:
- is the first botnet worm to target routers and DSL modems
- contains shellcode for many mipsel (little-endian MIPS) devices
- does not target PCs or servers (except as noted below)
- uses multiple exploitation strategies, including brute-forcing username and password combinations
- harvests usernames and passwords through deep packet inspection of the traffic passing through the gateway
- can scan for exploitable phpMyAdmin and MySQL servers
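The “harvests usernames and passwords through deep packet inspection” item above is easy to underestimate. The following is an added example (not code from the article, and not psyb0t’s own code) showing what a compromised gateway sitting on the path can lift out of two common plaintext protocols. The three stream payloads, the flow labels and the credentials in them are constructed for this illustration; the TLS fragment is included to show that encrypted traffic gives the sniffer nothing.

```python
"""Added example, not from the article or from psyb0t itself: what a gateway
doing deep packet inspection can lift out of plaintext protocols.  The sample
stream payloads below are constructed for this illustration."""
import base64
import re
from typing import Dict, List, Tuple

Credential = Tuple[str, str]

# Constructed client-to-server payloads of three TCP streams, as the router on
# the path sees them. Flow labels are illustrative.
SAMPLE_STREAMS: List[Tuple[str, bytes]] = [
    ("10.0.0.5:51234->203.0.113.10:80",
     b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
     b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    ("10.0.0.5:51240->203.0.113.20:21",
     b"USER bob\r\nPASS s3cret!\r\nLIST\r\n"),
    # TLS ClientHello fragment: opaque to DPI, nothing to harvest.
    ("10.0.0.5:51250->203.0.113.30:443",
     b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"),
]

HTTP_BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)
FTP_USER_RE = re.compile(rb"^USER\s+(\S+)\s*$", re.I | re.M)
FTP_PASS_RE = re.compile(rb"^PASS\s+(\S+)\s*$", re.I | re.M)


def harvest_http_basic(payload: bytes) -> List[Credential]:
    """HTTP Basic auth is just base64(user:password); decoding it is the whole attack."""
    found: List[Credential] = []
    for m in HTTP_BASIC_RE.finditer(payload):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # malformed header: skip it rather than crash the sniffer
        user, sep, password = decoded.partition(":")
        if sep:
            found.append((user, password))
    return found


def harvest_ftp(payload: bytes) -> List[Credential]:
    """FTP sends USER and PASS as separate plaintext commands; pair them in order."""
    users = [m.group(1).decode("latin-1") for m in FTP_USER_RE.finditer(payload)]
    passwords = [m.group(1).decode("latin-1") for m in FTP_PASS_RE.finditer(payload)]
    return list(zip(users, passwords))


def harvest_credentials(streams: List[Tuple[str, bytes]]) -> Dict[str, List[Credential]]:
    """Run every protocol harvester over every stream; keep only flows that leaked something."""
    leaked: Dict[str, List[Credential]] = {}
    for flow, payload in streams:
        creds = harvest_http_basic(payload) + harvest_ftp(payload)
        if creds:
            leaked[flow] = creds
    return leaked


if __name__ == "__main__":
    for flow, creds in harvest_credentials(SAMPLE_STREAMS).items():
        print(flow, creds)
```

The point for the user is that none of this touches the PC: the credentials leave the browser or FTP client exactly as the protocol specifies, and the gateway simply reads them in transit. Only the TLS stream is safe, which is why an infected gateway is so much more valuable to an attacker than an infected PC.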
The dangers of an infected network gateway include:
- “untraceable” phishing attacks: once the gateway can redirect your traffic, how will you EVER know again whether you are really talking to your bank?
- spam forwarding, while the user’s PC checks clean for viruses and malware every time you scan it, because the infection is not on the PC at all
- an open proxy running on your router, which lets someone else use your ISP-assigned IP address to download anything they can find on the Internet, so that to your ISP it appears that YOU were the person downloading, oh, say, child pornography.
The affected class of devices includes DSL modems and routers from Netgear, Linksys and other vendors. Running custom (third-party) firmware on the router does not protect you from this worm, because the default passwords for the custom firmware are just as well known as the vendors’ own. If you think you may be affected, please follow through with cleaning your equipment.
There are reports that the psyb0t worm has recently been shut down by its creator, and further that the creator indicated he had infected at least 80,000 endpoint devices.
If you fear that your network equipment may have been infected, the recommended process for cleaning it is to turn it off, wait a few seconds, turn it back on, and then, if possible, download and install the latest version of the firmware for your device. A power cycle works only because the worm does not survive a reboot; it will come back just as easily unless you also change the default password and disable administrative access from the WAN side before the device goes back online. Infected devices can be detected because they stop responding when you attempt to manage them through their web interface (an unresponsive admin page is a symptom, not proof, so check the other management ports too).
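Two items on this page lend themselves to a concrete check from the LAN side: the worm’s brute-forcing of username and password combinations (in the characteristics list above) and the detection hint that an infected device stops answering on its management interface (in the cleaning procedure above). The script below is an added example, not code from the article: it audits a gateway’s web admin page against a short list of default credentials and checks whether a management port still accepts TCP connections. The credential list is illustrative, and the embedded mock “router” (which accepts admin/admin over HTTP Basic auth) is constructed so the script runs offline; real gateways often use a form-based login instead of HTTP Basic, in which case `try_basic_login` would need to post the form rather than send an `Authorization` header.

```python
"""Added example, not from the article: two LAN-side checks against your own
gateway.  The default-credential list is illustrative, and the embedded mock
"router" is constructed so the script runs offline."""
import base64
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Tuple

Credential = Tuple[str, str]

# Illustrative vendor defaults; real lists are per model and much longer.
DEFAULT_CREDENTIALS: List[Credential] = [
    ("admin", "admin"), ("admin", "password"), ("admin", ""),
    ("root", "root"), ("root", "admin"),
]


def management_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect. Probe 22, 23 and 80 on the gateway: a management port
    that used to answer and now refuses connections is the symptom described above."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def try_basic_login(url: str, user: str, password: str, timeout: float = 3.0) -> bool:
    """One HTTP Basic auth attempt; True only on a 200 response."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False  # 401/403: credentials rejected
    except urllib.error.URLError:
        return False  # unreachable: not accepted either


def audit_default_credentials(url: str, creds: List[Credential] = DEFAULT_CREDENTIALS) -> List[Credential]:
    """Every pair the gateway accepts is a pair the worm's brute force would accept too."""
    return [(u, p) for u, p in creds if try_basic_login(url, u, p)]


class MockRouterHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a gateway whose web admin still uses admin/admin."""
    ACCEPTED = "Basic " + base64.b64encode(b"admin:admin").decode()

    def do_GET(self):
        if self.headers.get("Authorization") == self.ACCEPTED:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html>Router status</html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_mock_router() -> Tuple[HTTPServer, int]:
    """Bind the mock on a free loopback port and serve it in the background."""
    srv = HTTPServer(("127.0.0.1", 0), MockRouterHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def run_audit_against_mock() -> Tuple[bool, List[Credential]]:
    """Run both checks against the mock; returns (port reachable, accepted defaults)."""
    srv, port = start_mock_router()
    try:
        reachable = management_port_open("127.0.0.1", port)
        accepted = audit_default_credentials(f"http://127.0.0.1:{port}/")
    finally:
        srv.shutdown()
        srv.server_close()
    return reachable, accepted


if __name__ == "__main__":
    reachable, accepted = run_audit_against_mock()
    print("web admin reachable:", reachable)
    print("default credentials accepted:", accepted or "none")
```

To run this against a real gateway, replace the mock with the device’s LAN address (for example `audit_default_credentials("http://192.168.1.1/")` and `management_port_open("192.168.1.1", 80)`), and only against equipment you own. Any accepted pair is exactly what the worm would find, and a gateway that refuses connections on all of its management ports after working yesterday is the condition the cleaning procedure above is written for.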
I strongly recommend that you read our previous coverage on this issue, and that you stay tuned. We’re looking for more information on this and other security threats.