Stealth Router-Based Botnet Worm "psyb0t" (long title shortened)
DroneBL ^ | Mar 23, 2009 | (none given)

Posted on 03/23/2009 7:13:57 PM PDT by dayglored

DroneBL DNS Blacklist service:

We have come across a botnet worm spreading around called "psyb0t". It is notable because, according to my knowledge, it:


(Excerpt) Read more at dronebl.org ...


TOPICS: Crime/Corruption; Miscellaneous; News/Current Events; Technical
KEYWORDS: botnet; linux; malware; psyb0t; router
Home/office consumer Linux-based routers getting pwned.

I know this article is from a tech blog, not a regular news site, but it's of sufficient current security import as to rate as news, IMO.

Also noted here: Botnet Worm Targets DSL Modems and Routers

1 posted on 03/23/2009 7:13:57 PM PDT by dayglored

To: ShadowAce; Swordmaker

Tech pings?


2 posted on 03/23/2009 7:14:43 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: dayglored
Estimated size of the botnet is currently around 100,000, but that's a wild guess, since it's hard to tell when a router has been pwned...

The IRC control channel suggests that the DDoS botnet has been (temporarily) turned off, but the effects are still there, so who do you believe?

3 posted on 03/23/2009 7:17:40 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: dayglored

Apparently the “worm” got to the blog and ate all the punctuation...


4 posted on 03/23/2009 7:26:01 PM PDT by Redbob (W.W.J.B.D.: "What Would Jack Bauer Do?")

To: Redbob
> Apparently the “worm” got to the blog and ate all the punctuation...

The poor thing must have been starving...

5 posted on 03/23/2009 7:28:39 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: dayglored
That sucks.
6 posted on 03/23/2009 7:34:45 PM PDT by grey_whiskers (The opinions are solely those of the author and are subject to change without notice.)

To: grey_whiskers
> That sucks.

Yep.

Router security is a sort of gray area. I never enable remote outside (WAN) administrative access -- I always put a login device on the inside and talk to the router from the NAT'ed LAN. Not everybody can (or wants to) do that.

And I've long wondered about the advisability of enabling username/password remote access to the outside ports of routers. Seems to me it should be restricted to public-key.

This could be really nasty.

Aren't all LinkSys routers Linux-based? Oy.

7 posted on 03/23/2009 7:39:36 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: dayglored

No, the original WRT54G is Linux and open source. But the newer ones mostly run VxWorks. If you want a Linux model, look for the WRT54GL. Cost maybe $10 more... but it's hackable in endlessly fun ways.


8 posted on 03/23/2009 7:48:54 PM PDT by Bobalu (McCain has been proven to be the rino flop I always thought he was.)

To: dayglored

Most people never secure their routers in the first place; that's the biggest problem.


9 posted on 03/23/2009 7:51:42 PM PDT by Nipplemancer (Abolish the DEA !)

To: Bobalu

10 posted on 03/23/2009 8:02:30 PM PDT by Bobalu (McCain has been proven to be the rino flop I always thought he was.)

To: Bobalu
There is a nice mesh network package for the Linux-based WRT54GL. The Freifunk firmware is based on OLSR. I use a variant of OLSR from the www.olsr.org website to network my rail cars. The router version presents a conventional AP to end users, but links via OLSR mesh to other OLSR routers.

It appears Freifunk is moving toward doing the mesh using IPv6 and tunneling IPv4. Support for end user IPv6 on the AP part of the interface will come later.

Linksys was trying to save money on hardware with the move to VxWorks. That version requires less hardware RAM/ROM, thus isn't suitable to execute the Linux firmware.

11 posted on 03/23/2009 8:21:47 PM PDT by Myrddin

To: Nipplemancer
> most people never secure their routers in the first place, that’s the biggest problem.

Yep. There are a few pieces of malware that infect a computer inside the router's LAN, look outward at the router, and try all the usual default and common passwords, so they can reprogram the router and open it up. Pretty sneaky.

First thing I do with any consumer router I set up is change the admin password to something stronger (10-12 chars, mix of upper/lower/digits/punct). But it's still only a password; public-key would make me happier.

12 posted on 03/23/2009 8:29:13 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
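The behaviour dayglored describes above (a host on the LAN walking through default and common passwords against the router's admin login) leaves a trail in the router's own log. The script below is an added example, not code from the thread or from any of the posters: it reads syslog-style failed-login lines of the kind a dropbear SSH daemon on a Linux-based router emits, and flags any source address that fails five or more times inside a sixty-second window. The log lines, the threshold, the window and the `dropbear[...]` format are constructed assumptions for the demonstration; adapt the regular expression to what your own router actually logs.

```python
# Added example (not from the thread): flag a LAN host that repeatedly fails
# to log in to the router's admin interface, the pattern dayglored describes
# (malware inside the LAN trying default/common passwords against the router).
# The log lines below are constructed; they imitate dropbear-style
# "Bad password attempt" messages but are not a capture from a real device.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (syslog-style; the year is supplied at parse time).
SAMPLE_LOG = """\
Mar 23 19:01:02 router dropbear[812]: Bad password attempt for 'admin' from 192.168.1.57:51234
Mar 23 19:01:03 router dropbear[812]: Bad password attempt for 'admin' from 192.168.1.57:51235
Mar 23 19:01:05 router dropbear[812]: Bad password attempt for 'root' from 192.168.1.57:51236
Mar 23 19:01:06 router dropbear[812]: Bad password attempt for 'root' from 192.168.1.57:51237
Mar 23 19:01:08 router dropbear[812]: Bad password attempt for 'admin' from 192.168.1.57:51238
Mar 23 19:01:09 router dropbear[812]: Bad password attempt for 'admin' from 192.168.1.57:51239
Mar 23 19:05:40 router dropbear[812]: Bad password attempt for 'admin' from 192.168.1.10:40000
Mar 23 19:05:55 router dropbear[812]: Password auth succeeded for 'admin' from 192.168.1.10:40001
"""

# Assumed line shape: "<Mon> <day> <hh:mm:ss> <host> dropbear[<pid>]: Bad password attempt for '<user>' from <ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ dropbear\[\d+\]: "
    r"Bad password attempt for '(?P<user>[^']+)' from (?P<ip>[\d.]+):\d+$"
)

def parse_failures(log_text, year=2009):
    """Yield (timestamp, source_ip, username) for each failed-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]

def brute_force_sources(log_text, threshold=5, window_seconds=60):
    """
    Return {ip: (failure_count, usernames_tried)} for every source that
    produced at least `threshold` failed logins inside any span of
    `window_seconds`. A per-IP deque keeps only the failures still inside
    the window, so a slow trickle of typos is not reported.
    """
    recent = defaultdict(deque)
    users = defaultdict(set)
    flagged = {}
    for ts, ip, user in sorted(parse_failures(log_text)):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = (len(q), sorted(users[ip]))
    return flagged

if __name__ == "__main__":
    for ip, (count, names) in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed admin logins within 60s, usernames tried: {names}")
```

Run against the constructed log, only 192.168.1.57 is reported (six failures in seven seconds, trying both `admin` and `root`); the single failure from 192.168.1.10 followed by a success looks like a person mistyping and is left alone. Raising `threshold` or shrinking `window_seconds` tunes the sensitivity for a busier network.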

To: dayglored; All

According to the worm analysis, the malware blocks telnet and ssh access to the router. So if your router suddenly becomes inaccessible, you might be infected.

Solution: make sure you configure your router so that its ssh and web interfaces are accessible only from your local home network, not remotely over the Internet. And put in a strong password (not a dictionary word).


13 posted on 03/23/2009 9:09:14 PM PDT by FrogBurger (Always compare news articles from different sources. When they fully agree, you can be sure it's BS.)
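FrogBurger's symptom above (management ports that used to answer from the LAN and suddenly refuse) is easy to check mechanically. The script below is an added example, not code from the thread or from DroneBL's analysis: run from a host on the LAN, it compares the current reachability of the router's telnet, ssh, http and https ports with a baseline you record while the router is known-good, and reports every service whose state has changed. The router address `192.168.1.1`, the port list and the baseline are assumptions for the demonstration; `make_fake_connector` exists only so the comparison logic can be exercised offline.

```python
# Added example (not from the thread): from a LAN host, check whether the
# router's management ports still answer the way they did when the device
# was known-good. A service that was reachable and now refuses is the
# symptom FrogBurger describes for this worm.
# ROUTER_LAN_ADDR and MGMT_PORTS are assumptions; adjust to your network.
import contextlib
import socket

ROUTER_LAN_ADDR = "192.168.1.1"      # assumed; a common consumer-router default
MGMT_PORTS = {"telnet": 23, "ssh": 22, "http": 80, "https": 443}

def tcp_reachable(host, port, timeout=2.0, connector=socket.create_connection):
    """True if a TCP connection completes; False on refusal, filtering or timeout.
    `connector` is injectable so the logic can be exercised without a network."""
    try:
        with connector((host, port), timeout=timeout):
            return True
    except OSError:                  # ConnectionRefusedError and socket.timeout included
        return False

def check_management(host, baseline, ports=MGMT_PORTS, connector=socket.create_connection):
    """
    Compare the current state of each management service with `baseline`,
    a dict {service: expected_reachable} recorded while the router was
    known-good. Services absent from the baseline are not judged.
    Returns {service: description} for every service that deviates.
    """
    deviations = {}
    for name, port in ports.items():
        want = baseline.get(name)
        if want is None:
            continue
        now = tcp_reachable(host, port, connector=connector)
        if now != want:
            state = lambda up: "open" if up else "closed"
            deviations[name] = f"expected {state(want)}, now {state(now)}"
    return deviations

def make_fake_connector(open_ports):
    """Offline stand-in for socket.create_connection, for dry runs and tests:
    ports in `open_ports` 'connect', every other port is refused."""
    def connector(address, timeout=None):
        if address[1] in open_ports:
            return contextlib.nullcontext()
        raise ConnectionRefusedError(f"{address[0]}:{address[1]} refused")
    return connector

if __name__ == "__main__":
    # Example baseline: admin over ssh and http from the LAN, telnet left disabled.
    baseline = {"ssh": True, "http": True, "telnet": False}
    changes = check_management(ROUTER_LAN_ADDR, baseline)
    if changes:
        for svc, what in changes.items():
            print(f"{svc}: {what}")
    else:
        print("management ports match the recorded baseline")
```

A deviation is not proof of infection, since a firmware update or a deliberate configuration change produces the same report, but a management port closing on its own is exactly the event worth investigating before assuming the router is merely misbehaving.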

To: FrogBurger

Yep, you are correct. Good advice!


14 posted on 03/23/2009 9:36:00 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: Bobalu

I’m running Tomato on my older WRT54G, and it’s working fine.

Great, just checked and there’s a newer rev out, I guess I’ll have to upgrade before bedtime :)


15 posted on 03/23/2009 10:28:45 PM PDT by cryptical (The early bird gets the worm, but the second mouse gets the cheese.)

To: rdb3; Calvinist_Dark_Lord; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; JosephW; ...

16 posted on 03/24/2009 5:23:45 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: dayglored
> First thing I do with any consumer router I set up is change the admin password to something stronger (10-12 chars, mix of upper/lower/digits/punct). But it's still only a password; public-key would make me happier.

That will help a lot for this particular worm, as it just tries a few common and default passwords. Also, don't allow admin access from the WAN. I've been looking at bringing one of my old DD-WRT routers back into service, and looking into this router hacking thing has prompted me to really look at the security of it closer. I'm figuring any password I have on it will be a big, long randomly generated string of characters. Keys are a definite possibility as well, as I know it supports SSL.

17 posted on 03/24/2009 7:27:00 AM PDT by zeugma (Will it be nukes or aliens? Time will tell.)

To: dayglored
"Router security is a sort of gray area. I never enable remote outside (WAN) administrative access"

Very good advice. On a larger LAN I would even restrict admin access to certain trusted hosts/subnets, whichever is desirable. Using ssh for admin access is also a must. Telnet, or anything else that uses weak or nonexistent encryption is the devil! =)

18 posted on 03/24/2009 8:10:24 AM PDT by KoRn

To: zeugma
Have you tried Gibson's Ultra High Security Password Generator yet?

Available are...
64 random hexadecimal characters (0-9 and A-F):
63 random printable ASCII characters
And
63 random alpha-numeric characters (a-z, A-Z, 0-9)
19 posted on 03/24/2009 5:19:06 PM PDT by papasmurf (Trow da' bum out!)

To: papasmurf
Actually, for generating passwords for wireless devices, I use md5sum.

~ :) cat testtext.txt
this is a bit of text for
a bit of password generation.
~ :) md5sum testtext.txt
6cfba2785bbc75a5c1a059a6f09b5e4a  testtext.txt
~ :) vi testtext.txt

You can change a single character and get a new pass.

~ :) cat testtext.txt
This is a bit of text for
a bit of password generation.
~ :) md5sum testtext.txt
37762606042b5bfe6ead9b4930a04b13  testtext.txt

One of the cool things about this method is you can easily regenerate the desired key.

For personal passwords, I use keepass, which generates excellent strong passwords, and keeps track of them for you.




20 posted on 03/24/2009 6:28:14 PM PDT by zeugma (Will it be nukes or aliens? Time will tell.)
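Posts 19 and 20 describe two ways of producing long router and wireless passwords: the three fixed formats of Gibson's generator (64 hex characters, 63 printable ASCII characters, 63 alphanumeric characters) and zeugma's trick of taking the MD5 of a small text file. The block below is an added example, not code from the thread, from Gibson's site or from any of the posters: it produces the three formats from the operating system's CSPRNG via Python's `secrets` module, states the strength of each as `length * log2(alphabet size)` bits, and reproduces the md5sum derivation with `hashlib` so the two approaches can be compared. The 94-character printable alphabet (letters, digits and ASCII punctuation, no space) is an assumption about what "printable ASCII" means here.

```python
# Added example (not from the thread): generate the three password formats
# papasmurf lists (64 hex, 63 printable ASCII, 63 alphanumeric) from the OS
# CSPRNG, report each format's strength in bits, and reproduce zeugma's
# md5sum derivation so the two approaches can be set side by side.
import hashlib
import math
import secrets
import string

HEX = "0123456789ABCDEF"
ALNUM = string.ascii_letters + string.digits
PRINTABLE = ALNUM + string.punctuation   # assumed: 94 non-space printable ASCII characters

def random_password(alphabet, length):
    """Uniformly random password over `alphabet`, drawn from secrets (CSPRNG)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def strength_bits(alphabet, length):
    """Entropy of a uniformly random password: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))

def md5_derived(text):
    """zeugma's method: the hex MD5 of a text file's contents, 32 hex characters.
    Reproducible from the same text; its unpredictability is that of the text,
    capped at the digest's 128 bits, not 128 bits by itself."""
    return hashlib.md5(text.encode()).hexdigest()

def gibson_style():
    """The three formats named in the thread, each paired with its strength in bits."""
    return {
        "hex64": (random_password(HEX, 64), strength_bits(HEX, 64)),
        "printable63": (random_password(PRINTABLE, 63), strength_bits(PRINTABLE, 63)),
        "alnum63": (random_password(ALNUM, 63), strength_bits(ALNUM, 63)),
    }

if __name__ == "__main__":
    for name, (pw, bits) in gibson_style().items():
        print(f"{name:12s} {bits:6.1f} bits  {pw}")
    # The two text files from post 20 differ by one capital letter and give
    # unrelated digests, which is the property zeugma relies on to "change
    # a single character and get a new pass".
    a = md5_derived("this is a bit of text for\na bit of password generation.\n")
    b = md5_derived("This is a bit of text for\na bit of password generation.\n")
    print("md5 derived:", a)
    print("md5 derived:", b, "(at most 128 bits; less if the text is guessable)")
```

The strength figures make the trade-off concrete: 64 hex characters carry 256 bits, 63 alphanumerics about 375 and 63 printable characters about 413, all far beyond what any router login will ever be brute-forced against, whereas a 32-character MD5 digest is bounded at 128 bits and only reaches that if the source text itself is unguessable. For a WPA passphrase, which is limited to 63 characters, any of the three random formats is at least as convenient as the digest and does not depend on keeping a text file.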

