Psyb0t botnet worm infects most Linux routers and modems, such as Cisco, Linksys, Zyxel, D-Link and Netgear, also in a server hosting center

The botnet worm psyb0t is the first known worm capable of directly infecting routers and cable/DSL modems. The first known psyb0t incident was the infection of an Australian Netcomm NB5 modem/router. However, everyone should check again, since the current version, 'version 18', does a lot more than the first versions.

The affected brands so far are: Cisco, Linksys, Zyxel, D-Link and Netgear. There may be many others, including many OEM products sold under unknown brands.

Sources mention that up to 200,000 systems are already infected. A new group of victims is the many customers of a server hosting center that currently uses these routers for switching. The man behind the botnet claimed it has infected around 80,000 users.

The main targets are devices such as routers and modems. These are not protected by the built-in firewall and anti-virus software of the servers, notebooks or PCs behind them. The worm contains code for over 30 different Linksys models, 10 Netgear models, and 15 other models of cable and DSL modems, APC reports. It did not specify which models.

The worm brute-forces logins using a list of more than 6,000 usernames and 13,000 passwords. It uses these against Telnet and SSH logins that are open on the LAN and WAN sides of the routers. Very often users do not change the default username and password, and most routers have no lockout after a number of failed login attempts, which makes it very simple to attack routers and modems worldwide with large-scale brute-force attacks.
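Because the routers themselves have no lockout, the only place such a credential run shows up is in the login failures they log. The following detector is an added example, not code from this post or from DroneBL/APC; it assumes dropbear-style syslog lines (the sample lines below are constructed, not captured from a real device) and flags any source that produces a burst of failed logins inside a short window, which is what working through a 13,000-entry password list looks like.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from a real device) in the style of dropbear's
# syslog output on a Linux/MIPS router. One source works through a credential
# list within seconds; the other is a user mistyping a password twice.
SAMPLE_LOG = """\
Mar 22 10:01:02 gw authpriv.warn dropbear[411]: Bad password attempt for 'admin' from 203.0.113.7:51234
Mar 22 10:01:03 gw authpriv.warn dropbear[412]: Bad password attempt for 'admin' from 203.0.113.7:51235
Mar 22 10:01:05 gw authpriv.warn dropbear[413]: Bad password attempt for 'root' from 203.0.113.7:51236
Mar 22 10:01:06 gw authpriv.warn dropbear[414]: Bad password attempt for 'root' from 203.0.113.7:51237
Mar 22 10:01:08 gw authpriv.warn dropbear[415]: Bad password attempt for 'user' from 203.0.113.7:51238
Mar 22 10:15:40 gw authpriv.warn dropbear[420]: Bad password attempt for 'admin' from 192.168.1.20:40002
Mar 22 10:17:12 gw authpriv.warn dropbear[421]: Bad password attempt for 'admin' from 192.168.1.20:40003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+ dropbear\[\d+\]: "
    r"Bad password attempt for '(?P<user>[^']*)' from (?P<ip>[\d.]+):\d+"
)

def parse_failures(log_text, year=2009):
    """Return (timestamp, source_ip, username) per failed login; syslog has no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events

def find_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag each source with >= threshold failures inside a sliding window (the router itself never will)."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i in range(len(attempts)):
            j = i
            while j < len(attempts) and attempts[j][0] - attempts[i][0] <= window:
                j += 1
            if j - i >= threshold:
                alerts[ip] = {"failures": j - i,
                              "users": sorted({u for _, u in attempts[i:j]})}
                break
    return alerts
```

Point it at the router's remote syslog feed rather than the device's own log, since an infected device can stop logging or lock you out of the admin interface.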

DroneBL reported that a router and/or modem built around a MIPS processor and running Linux Mipsel, a small Linux operating system for MIPS processors, is vulnerable. This applies if it exposes a router administration interface or sshd/telnetd access in a DMZ with a weak username/password.

Devices that use flashed open-source firmware such as OpenWrt and DD-WRT, or VxWorks, are also vulnerable. Many other routers may be vulnerable, especially if the password is among the 13,000 passwords in the brute-force list.

Which vendors, ISPs and hosting centers are infected?

No one knows exactly which products, vendors and ISPs are infected at the moment.

It is very difficult to detect an infection, since the only way to discover it is to look at the traffic going through the router. This requires a port traffic analyzer, so how can you actually know whether your router or modem is clean or infected?

Once infected, the botnet is able to disable the admin interface, so a lost admin interface could be one indication. If it is lost, you can regain access with a factory reset; usually it is a button on the router. The botnet is also able to scan for other weaknesses such as phpMyAdmin and MySQL installations. Maybe the botnet is entirely updateable and/or circulating in different versions, and that is why it is difficult to say WHICH vendors are vulnerable.

That is why we suggest that you check your router or modem and look on the vendor's homepage for a check, scan or fix.

How do you clean your equipment?

IF your router's admin interface has been disabled, you should take care of it right away. At this point a factory reset alone is simply not enough. It is better than nothing, but it does not give you any fix, as your router can be hacked again a few minutes later.

Another step is to actually update your BIOS (the router firmware) with a new install or a reinstall from the vendor's homepage, even if the date of the upgrade is identical.

At this point you should change your password to one of at least 9 characters containing symbols, numbers and both upper- and lower-case letters.

According to many sources, ports 22, 23 and 80 are blocked as part of the infection process (but NOT as part of the rootkit itself; running the rootkit itself will not alter your iptables configuration). If you find that these ports are blocked, you should perform a hardware reset on your device, then change the administrative passwords and update to the latest firmware.

The purpose of a botnet is to perform attacks such as DDoS and to scan for and infect other vulnerable software on your computers, servers and hardware appliances.

Sources of information:

http://www.dronebl.org/blog/8

http://apcmag.com/Content.aspx?id=3687