There is much talk about the state of computer systems, with all the various viruses, trojans, and other malware in circulation. In some cases it seems almost like a game: a couple of sites observe virus anniversaries, while others speak of the impending doom to be wrought by a new, harder to remove variant of Conficker.
ZDNet had a story yesterday about the newest attacks, which come from a worm that attacks the home network by infecting the router.
More information has surfaced about the botnet “psyb0t,” the first known to be capable of directly infecting home routers and cable/DSL modems.
It was first observed infecting a Netcomm NB5 modem/router in Australia.
Members of the website DroneBL, a real-time IP tracker that scans for botnets and vulnerable machines, came to the conclusion that the “psyb0t” (or “Network Bluepill”) botnet was a test run to prove the technology. After the botnet’s discovery and public outing, the botnet operator swiftly shut it down, APC reports.
A list of 6000 usernames and 13,000 passwords was also included, to be used for brute force entry to Telnet and SSH logins which are open to the LAN and sometimes even the public WAN side of the routers. Generally, routers do not lock a user out after a number of incorrect password attempts, making brute force attacks possible.
According to DroneBL, any router that uses a MIPS processor and runs the Linux Mipsel operating system (a simple operating system for MIPS processors) is vulnerable if it has the router administration interface, or sshd/telnetd, in a DMZ with weak usernames/passwords. DroneBL noted this includes devices flashed with the open-source firmwares openwrt and dd-wrt, and the group also said that other routers may be vulnerable, as it had observed the bot running on routers based on the Vxworks operating system.
Clearly, exploiting a home network — and home networks are growing in popularity — has its benefits: they rarely power down, and a router attack enables hackers to exploit a network with greater stealth, since there’s no effect on the individual PCs on the network, APC writes.
In fact, the staff of DroneBL wrote that the exploit is very difficult to detect, and the only way to discover it is to monitor traffic going in and out of the router itself, beyond the reach of desktop computer software.
In the past, exploits on professional-grade Cisco routers were easier to detect, as Cisco provides dedicated ports for connecting to the router, monitoring internal performance and configuring them. However, the vast majority of home routers sacrifice these features for the sake of cost savings.
DroneBL says that the botnet is capable of scanning for vulnerable PHPMyAdmin and MySQL installations, and can also disable access to the control interfaces of a router (meaning a factory reset is necessary to clear the worm).
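The practical difficulty the article describes is that a compromised router looks, from a desktop, like a working router. The behaviours the article attributes to the bot (brute-forcing Telnet/SSH on other hosts, scanning for phpMyAdmin/MySQL, and keeping a command-and-control connection open) are all visible only in the router's own traffic. The catch with watching the WAN side is NAT: every connection from a PC behind the router also leaves with the router's address as source. The script below is an added example, not code from the ZDNet/DroneBL article or from any firmware project. It assumes you can capture flows on both the LAN and WAN sides of the router (for example with a hub, a mirror port, or a bridge placed in line), pairs each WAN-side flow with its LAN-side twin, and treats the unpaired remainder as connections the router itself started. The flow records, the router address (203.0.113.7, a documentation range), the thresholds, and the assumption that C&C is IRC on port 6667 are all constructed for the example and are not stated on the page.

```python
"""Spot a router that starts its own suspicious connections, using flow records
captured on both sides of it. Added example; not from the article it follows.

Record format (constructed for this example, one flow per line):
    SIDE TS SRC DST DPORT DURATION
SIDE is LAN or WAN, TS and DURATION are seconds.
"""
from collections import defaultdict

ROUTER_WAN_IP = "203.0.113.7"  # assumption: the router's public address
BRUTE_FORCE_PORTS = {22, 23}   # sshd/telnetd, which the bot brute-forces
SCAN_PORTS = {80, 3306}        # phpMyAdmin over HTTP, MySQL
CNC_PORTS = {6667}             # assumption: IRC-style C&C; the page does not say
ROUTER_SERVICE_PORTS = {53, 123}  # DNS forwarding and NTP are normal for a router
FANOUT_THRESHOLD = 5           # distinct targets before we call it scanning
CNC_MIN_DURATION = 600.0       # seconds a single connection must persist
NAT_MATCH_WINDOW = 2.0         # max seconds between a LAN flow and its WAN twin


def parse_flows(text):
    """Turn the whitespace-separated records above into dicts."""
    flows = []
    for line in text.strip().splitlines():
        side, ts, src, dst, dport, duration = line.split()
        flows.append({"side": side, "ts": float(ts), "src": src, "dst": dst,
                      "dport": int(dport), "duration": float(duration)})
    return flows


def router_originated(flows, router_ip=ROUTER_WAN_IP):
    """Return WAN-side flows from the router that have no LAN-side twin.

    A NAT-forwarded connection appears on both sides with the same destination
    and port at nearly the same time. A WAN flow with no such LAN counterpart
    was started by the router itself (or by something running on it).
    """
    lan = [f for f in flows if f["side"] == "LAN"]
    own = []
    for w in flows:
        if w["side"] != "WAN" or w["src"] != router_ip:
            continue
        forwarded = any(
            l["dst"] == w["dst"] and l["dport"] == w["dport"]
            and abs(l["ts"] - w["ts"]) <= NAT_MATCH_WINDOW
            for l in lan
        )
        if not forwarded:
            own.append(w)
    return own


def classify(own_flows):
    """Map router-originated flows onto the behaviours the article describes."""
    alerts = []
    targets = defaultdict(set)
    for f in own_flows:
        if f["dport"] in ROUTER_SERVICE_PORTS:
            continue  # expected: the router resolves names and sets its clock
        if f["dport"] in BRUTE_FORCE_PORTS:
            targets["telnet/ssh brute force"].add(f["dst"])
        elif f["dport"] in SCAN_PORTS:
            targets["phpMyAdmin/MySQL scan"].add(f["dst"])
        elif f["dport"] in CNC_PORTS and f["duration"] >= CNC_MIN_DURATION:
            alerts.append("persistent C&C-like connection to %s:%d (%.0fs)"
                          % (f["dst"], f["dport"], f["duration"]))
    for label, dsts in targets.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            alerts.append("%s: router contacted %d distinct hosts"
                          % (label, len(dsts)))
    return alerts


def report(text, router_ip=ROUTER_WAN_IP):
    """Convenience wrapper: records in, list of alert strings out."""
    return classify(router_originated(parse_flows(text), router_ip))


# Constructed sample: two NAT-forwarded PC connections, one normal DNS lookup
# by the router, a burst of telnet/ssh probes from the router, and one long
# connection to an IRC port. Addresses are from documentation ranges.
SAMPLE_FLOWS = """
LAN 100.0 192.168.1.10 198.51.100.5 80 3.0
WAN 100.1 203.0.113.7 198.51.100.5 80 3.0
WAN 101.0 203.0.113.7 198.51.100.53 53 0.1
WAN 110.0 203.0.113.7 198.51.100.21 23 1.0
WAN 110.2 203.0.113.7 198.51.100.22 23 1.0
WAN 110.4 203.0.113.7 198.51.100.23 22 1.0
WAN 110.6 203.0.113.7 198.51.100.24 23 1.0
WAN 110.8 203.0.113.7 198.51.100.25 22 1.0
WAN 111.0 203.0.113.7 198.51.100.26 23 1.0
LAN 120.0 192.168.1.11 198.51.100.30 3306 2.0
WAN 120.1 203.0.113.7 198.51.100.30 3306 2.0
WAN 130.0 203.0.113.7 192.0.2.9 6667 3600.0
"""

if __name__ == "__main__":
    for alert in report(SAMPLE_FLOWS):
        print(alert)
```

On the sample data the PC's HTTP and MySQL connections are paired with their LAN twins and dropped, the router's own DNS lookup is allowlisted, and two alerts remain: the six-host Telnet/SSH fan-out and the hour-long connection to port 6667. The pairing heuristic is deliberately loose (destination, port, and a two-second window); on a busy network a PC connection to the same host and port within that window would mask a router-originated one, so tighten the window or add source-port tracking if the capture provides it.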
DroneBL was successful in shutting down the Command & Control channel that the botnet utilized, and the DNS that was hosted with afraid.org was also nullrouted. The Command & Control channel is now defunct, but at the height of its penetration, the botnet was suspected to control 100,000 hosts.
Worse, the author of the botnet claimed to have infected 80,000 routers at one point while chatting anonymously on an IRC channel.
The article goes on to list the devices observed to be affected, and the steps needed to fight back.
It is getting harder and harder to shrug off these attacks, which makes long jail terms for the perpetrators seem justifiable. The trouble is that most malware authors operate with impunity and are seldom caught. Frequently, in the small number of cases where they are, they receive a much reduced punishment in return for cooperation at some future time.
Who knows whether these people ever become truly ‘reformed’, or whether, when giving help, they put their full effort into the job.