Stealthy router-based botnet worm squirmingMarch 24, 2009 – 4:42 AM
Researchers at DroneBL have spotted signs of a stealthy router-based botnet worm targeting routers and DSL modems.
The worm, called “psyb0t,” has been circulating since at least January this year, infecting vulnerable embedded Linux devices such as the Netcomm NB5 ADSL modem (above) and launching denial-of-service attacks on some Web sites.
- It’s the first botnet worm to specifically target routers and DSL modems
- Contains shellcode for many mipsel devices
- It’s not targeting PCs or servers
- Uses multiple strategies for exploitation, including brute-force username and password combinations
- Harvests user names and passwords through deep packet inspection
- can scan for exploitable phpMyAdmin and MySQL servers
According to this DroneBL blog post, the worm can infect any Linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices).