Viruses and Spyware are just one of those things that is accepted in today’s computing world.  We frequently encounter friends with infected computers or even work for a living cleaning other peoples machines.  One thing is for sure, there is a never ending abundance of infected computers around the world.  There is one place that most of us do NOT expect to encounter malware, our routers and broadband modems.

Dronebl uncovered a botnet worm this last week called “psyb0t” that is spreading across the Internet that infects DSL modems and routers.  This is outright scary when you think about it.  Even your custom DD-WRT firmware is susceptible to this.

Most routers and modems use a very trim version of Linux and as such can be manipulated just like a desktop version of it.  The OS has fewer ways to be exploited due to it’s minimal nature but is a prime candidate for exploitation.  It is always connected to the Internet and can operate out of the owners view.  Any problems will be attributed to the computer connected to it and not the infected device.

PsybOt:

  • is the first botnet worm to target routers and DSL modems
  • contains shellcode for many mipsel devices
  • is not targeting PCs or servers
  • uses multiple strategies for exploitation, including bruteforce username and password combinations
  • harvests usernames and passwords through deep packet inspection
  • can scan for exploitable phpMyAdmin and MySQL servers

The thing that makes this so dangerous is that 99% of the home users out there would never suspect anything is wrong and just allow the device to continue to operate in it’s infected status.  Uninformed technicians will just believe the device has malfunctioned and just reboot it.  The chances of this type of malware flying under the radar is very good and is likely to be the “infection of the future”.

The size of the botnet is almost impossible to determine at this time but is suspected to be around 100,000.   As new as this infection is I personally expect this type of malware to spread rapidly in popularity amongst malware writers.  It virtually eliminates the need to worry about the device becoming disinfected.

How do I know if my device is infected?

During the infection process it blocks the telnet, sshd and web ports.  So in theory you would just need to try to access the device and if you can’t, it might be infected.  Resetting the device should result in the network being functional but the device inaccessible.

In my personal opinion if you can’t access the device but it appears functional I would hard reset it and then if you can access the device, re-flash it with updated firmware from the manufactures website.   Make sure that when you are setting up these devices you set a password/username that is unlikely to be bruteforced or easily guessed.

UPDATE:: @shanecorning pointed out on twitter that if you are patching this on a Linux machine make sure you are using a standard user account.

Check It Out> Dronebl