Stealthy router-based botnet worm squirming

March 24, 2009 – 4:42 AM

Researchers at DroneBL have spotted signs of a stealthy router-based botnet worm targeting routers and DSL modems.

The worm, called “psyb0t,” has been circulating since at least January this year, infecting vulnerable embedded Linux devices such as the Netcomm NB5 ADSL modem (above) and launching denial-of-service attacks on some Web sites.

Some characteristics:

  • It’s the first botnet worm to specifically target routers and DSL modems
  • Contains shellcode for many mipsel devices
  • It’s not targeting PCs or servers
  • Uses multiple strategies for exploitation, including brute-force username and password combinations
  • Harvests user names and passwords through deep packet inspection
  • can scan for exploitable phpMyAdmin and MySQL servers

According to this DroneBL blog post, the worm can infect any Linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices).


You must be logged in to post a comment.