New worm can infect home modem/routers

Samantha Rose Hunt
25 March 2009, 2:00 PM


A new botnet, “psyb0t”, is the first known to be capable of directly infecting home routers and cable/DSL modems.


It is suspected that the botnet originated in Australia, as the first activity from the botnet was detected here. Australian IT consultant Terry Baume first observed it infecting a Netcomm NB5 modem/router. You can read his full analysis here.

The botnet binary was further analysed by members of the website DroneBL (a real-time IP tracker that scans for botnets and vulnerable machines), who concluded that the “psyb0t” or "Network Bluepill" botnet was mostly a test run to prove the technology. After the botnet's discovery and public outing, the botnet operator swiftly shut it down.

The first generation targeted very few models of router, though the current, most recently discovered generation (dubbed 'version 18' in the code) targets a wide range of devices.

The malware contains the shellcode for over 30 different Linksys models, 10 Netgear models, and a variety of other cable and DSL modems (15 different shellcodes).

A list of 6000 usernames and 13,000 passwords was also included, to be used for brute-force entry to Telnet and SSH logins that are open to the LAN and sometimes even the public WAN side of the routers. Generally, routers do not lock a user out after a number of incorrect password attempts, which makes brute-force attacks feasible.

According to DroneBL, any router that uses a MIPS processor and runs the Linux Mipsel operating system (a simple operating system for MIPS processors) is vulnerable if it has the router administration interface, or sshd/telnetd, in a DMZ with weak usernames/passwords. DroneBL noted this includes devices flashed with the open-source firmwares OpenWrt and DD-WRT, and the group also said that other routers may be vulnerable, as it had observed the bot running on routers based on the VxWorks operating system.
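The brute-force pattern described above (thousands of username/password attempts against a Telnet or SSH service that never locks anyone out) is easiest to catch in the router's own authentication log. The following is an added example, not code from the article or from DroneBL: it assumes dropbear-style syslog lines (constructed here) and flags any source that racks up five or more failed logins within a minute, listing the usernames it tried.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample router log in the style of dropbear (the SSH daemon on
# OpenWrt-class devices); the exact message wording is an assumption, not from the article.
SAMPLE_LOG = """\
Mar 25 02:00:01 router dropbear[812]: Bad password attempt for 'root' from 203.0.113.5:40112
Mar 25 02:00:02 router dropbear[813]: Login attempt for nonexistent user from 203.0.113.5:40113
Mar 25 02:00:02 router dropbear[814]: Bad password attempt for 'admin' from 203.0.113.5:40114
Mar 25 02:00:03 router dropbear[815]: Bad password attempt for 'root' from 203.0.113.5:40115
Mar 25 02:00:03 router dropbear[816]: Bad password attempt for 'user' from 203.0.113.5:40116
Mar 25 02:00:04 router dropbear[817]: Bad password attempt for 'support' from 203.0.113.5:40117
Mar 25 02:00:09 router dropbear[818]: Password auth succeeded for 'root' from 192.168.1.10:50001
Mar 25 02:05:00 router dropbear[819]: Bad password attempt for 'root' from 198.51.100.7:41000
"""

# Matches only failed logins, so the successful login above is never counted.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dropbear\[\d+\]: "
    r"(?:Bad password attempt for '(?P<user>[^']*)'|Login attempt for nonexistent user)"
    r" from (?P<src>\d+\.\d+\.\d+\.\d+):\d+$"
)

def parse_failures(log_text):
    """Yield (timestamp, source_ip, username or None) for each failed-login line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("src"), m.group("user")

def find_bruteforce_sources(log_text, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failures inside any window_seconds-long sliding window.
    Many distinct usernames from one source is the signature of a credential-list attack."""
    by_src = defaultdict(list)
    for ts, src, user in parse_failures(log_text):
        by_src[src].append((ts, user))
    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])  # key avoids comparing None usernames on ties
        times = [t for t, _ in events]
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward until it spans <= window_seconds
            if end - start + 1 >= threshold:
                flagged[src] = {"attempts": len(events),
                                "usernames": sorted({u for _, u in events if u})}
                break
    return flagged
```

Feed it `logread` output (OpenWrt) or the syslog your router forwards to a LAN host; the single stray failure from 198.51.100.7 stays below the threshold while the burst from 203.0.113.5 is reported with the four distinct usernames it cycled through.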

Exploiting home network devices is more useful to an attacker than infecting PCs because, unlike PCs, they typically run 24 hours a day. Compromising a router also lets attackers work on a network with far greater stealth, as nothing changes on the PCs themselves, except perhaps reduced network performance.

The staff of DroneBL noted that the exploit is very difficult to detect, as the only way to discover it is to monitor traffic going in and out of the router itself, and that's beyond the reach of software running on a computer. In the past, exploits on professional-grade Cisco routers were easier to detect, as Cisco provides dedicated ports for connecting to the router, monitoring internal performance and configuring them. However, the vast majority of home routers sacrifice these features for the sake of cost savings.

According to DroneBL, the botnet is capable of scanning for vulnerable phpMyAdmin and MySQL installations. It can also disable access to the control interfaces of a router, meaning a factory reset will be necessary to clear the worm.

DroneBL attempted to shut down the Command & Control channel that the botnet utilised, and was successful. The DNS entry, hosted with afraid.org, was also null-routed. The Command & Control is now defunct, but at the height of its penetration the botnet was suspected to control 100,000 hosts. The author of the botnet, chatting anonymously on an IRC channel, claimed to have infected 80,000 routers at one point.

APC is making enquiries with router manufacturers for their assessment on which of their models is vulnerable and what users should do to protect themselves.



With additional reporting by Dan Warne.




Comments


Tin (User):

Heard about this yesterday... Not sure if my antique Alcatel modem is vulnerable, but it's in bridge mode and has a Linux (i386) box doing the routing.

If you haven't yet, CHANGE YOUR DEFAULT PASSWORD!

25 March 2009, 3:06 PM

Raindog (New user):

From reading through pages of information it looks very unlikely you are at risk if you've followed good security practices.

Leaving SSH and telnet access open to the web or secured by default passwords beggars belief.

25 March 2009, 3:28 PM

Dan Warne (Regular user):

I don't know about that Raindog. I wouldn't even know how to disable SSH or telnet on my home modem, and I am an advanced home user...! Think of the millions of mums and dads who got their pre-provisioned modem from their ISP and just followed the instructions about plugging in the yellow cord in the yellow hole, and the blue cord into their computer.

25 March 2009, 3:37 PM

Raindog (New user):

I hear what you're saying Dan, and I'd add: for any ISP to supply customer modems or routers with SSH or telnet open to the WAN beggars belief.

Of the very many ADSL routers I've set up, replaced, configured, secured etc., I can't say I've found one that had the ports set open by default. What I can confirm is that the great majority are still set with the factory default system passwords.

Early wireless routers were an entirely different proposition, with most open by default. Thankfully most of these are now secure by default.

As this gets air I am sure any sensible ISP will be revising their security policies for customer supply equipment.

Quoting Dan Warne:
I wouldn't even know how to disable SSH or telnet on my home modem

Luckily in your case you know people who do. I'd be getting that router manual out (or downloading a fresh one) and adding a secure password ASAP.


While it is in no way exhaustive, this quote from Baume's work puts things in some perspective.

Am I at risk?

Not all versions of the NB5 (or other brand/model) are susceptible to this attack. If the modem presents a telnet interface to its WAN interface, and the default password has not been changed, then it is susceptible.

25 March 2009, 3:50 PM

AndyCee (New user):

I'm forced to disagree.

When I first read the story, I checked and saw that my modem/router has the telnet port wide open, and the default username was very obvious.

I also had a look through the manual, and there's *nothing* on console configuration. Fortunately, logging is configurable. It's inexcusable for any modem, first line of defence in a home network, to leave telnet open.

25 March 2009, 8:28 PM

Dan Warne (Regular user):

Reminds me of how Virgin Mobile shipped its initial home modems with the WiFi on and unsecured.

I think this botnet proof of concept is one of the most serious threats we've seen for a long time, simply because of the widespreadedness of the problem (poorly default-configured home routers) and the fact that home routers lack any sort of auto-update mechanism like an operating system has to receive patches.

Undoubtedly now that the concept has been proven, it will be exploited ad nauseam by malware writers, and mobilising all the mums and dads at home to do something about it will be very, very difficult for ISPs and modem vendors.

Look how hard it was to educate people just to secure their WiFi -- and that is a relatively easy thing to do, because it has always been easily configurable via the modem front-end.

25 March 2009, 8:45 PM

Raindog (New user):

Quoting Dan Warne:
Reminds me of how Virgin Mobile shipped its initial home modems with the WiFi on and unsecured.

Not just Virgin Mobile, for a good while there almost all residential Wi-Fi was being shipped with the wireless security turned off. The quick start guides never even mentioned it.


Quoting Dan Warne:
I think this botnet proof of concept is one of the most serious threats we've seen for a long time

It's not really a new concept, even if this Botnet is a pioneer. Any device with communications and a configurable operating system is a potential for infiltration.

It's all about relative risk. I'm keen to know what Andy's router is? I don't doubt what he says but I still believe it would be a rarity to see those services open on the WAN side by default. However I do know of many modems where the remote configuration option from the menu can be ticked and subsequently forgotten.

A two stage Trojan that could attack a router from the LAN side would be a cause of greater concern. To achieve this however multiple vulnerabilities would need to be present.



25 March 2009, 9:08 PM

Dan Warne (Regular user):

Quoting Raindog:
Not just Virgin Mobile, for a good while there almost all residential Wi-Fi was being shipped with the wireless security turned off.


Yeah, though most of those modems required -some- configuration in order to get them connected to the net. Usually a quick-start wizard would at least advise people that they should secure their WiFi.

Virgin Mobile, on the other hand, was sending out fully pre-provisioned modems that you just had to plug in to power to get connected (as they used SIM card authentication), with WiFi open to the world. Luckily their plans didn't have excess data charges, but an average Joe user would find his 4GB chewed up very quickly by the neighbours, with the connection returning to dialup speed after that.

Hopefully they've changed this practice nowadays.

BigPond is one of the more impressive ISPs in terms of wireless security. They send out the modems pre-provisioned with wireless enabled, but the SSID and password are randomly generated and are printed on a little card that comes with the modem.

25 March 2009, 10:56 PM

ultim8 (New user):

Quoting Dan Warne:
BigPond is one of the more impressive ISPs in terms of wireless security. They send out the modems pre-provisioned with wireless enabled, but the SSID and password are randomly generated and are printed on a little card that comes with the modem.

Optus use the same system for their Wireless DSL and Cable modems.



27 March 2009, 10:49 AM

Raindog (New user):

Quoting AndyCee:
I checked and saw that my modem/router has the telnet port wide open

On which side? Telnet open on the LAN side isn't good. Telnet open on the WAN side is suicide.

Which model are we talking about?

25 March 2009, 8:54 PM

raphtee (New user):

The default settings for every home router I have ever owned are such that you are safe. You would have had to mess with the advanced settings of the router to open it up to the outside world. For people who just buy a router and plug it in, there is no issue.

26 March 2009, 6:34 AM

Tin (User):

You do know how trivial it would be to take this tactic and insert it into a program run on a local machine, right?
1) Write trojan program.
2) Put on Limewire calling it some game name.
3) ????
4) Profit.

26 March 2009, 12:03 PM

walkerjian (New user):

Hello,

My name is Ian Walker, and I know quite a bit about these hacks (well, 'of' not 'about' - I am not a security person and have never professed to be one). I have been hacked in this way for the past few YEARS!

I first knew about this when my NB9W router kept on being hacked - intrusion logs seemed to indicate that it was Chinese and Taiwanese hackers doing it, but I also suspect a group of MCT's as well as a company I once worked for. I tried and tried to get Netcomm interested to no avail. Repeated new bios flashes (every day, with strong passwords every day) did not work. I begged Netcomm to help and they just plain ran me in circles. I even tried to get my ISP involved (OPTUS) and they were stunningly unhelpful, I even tried the Ombudsman! All to no avail - no-one "seemed" to take me seriously. I contacted the federal police, local police, and even tried ASIO. Which probably makes me out to be a nutjob, but I was desperate and I was also very concerned about the extent and sophistication of the hacking, surely a worry if it was Chinese originated.

Nothing worked. NOTHING.

I persisted though.

I was given an NB5 about a year ago, and it seemed to be OK, but now I see that it was compromised almost immediately. This router was not able to let me log external addresses like the NB9W "seemed" to, and OPTUS was no help at all with monitoring the router side of my traffic. Netcomm ignored me when I asked if there were a shell I could use to get to the linux cl of the routers so as to try and prevent this hacking, or at least try to determine who was doing it. In fact it seemed as though Netcomm and Optus colluded to try and prevent me from doing this whilst they gave the hackers carte-blanche to do the same to me. It was like trying to fight with both hands tied whilst Netcomm and OPTUS watched on and pretended nothing was happening.

Very Strange!

I just did a pathping on my router to dweb.webhop.net and got back 127.0.0.1!
So yes my router (patched) is compromised...
I dare say it is the *prototype* for the hack!

In fact I stumbled across another psy type address in my ports list the other day. It seemed they were trying to phrack a mobile phone I attached to my internet computer - digging further took me to several sites where a fellow was complaining about a firewall preventing him from phracking a mobile (he thought, he was wrong). This led me to other sites that listed my IP (which is changed by Optus regularly) as having connected to several web sites around the world, one of which was a Taiwanese kindergarten! So his hacks were fresh, and were shaped to new devices attached to my internet computer. The way this fellow sounded on the posts he made did not indicate to me that he was Chinese either! His writing style was aussie!

I think this botnet has been spawned by a fellow, maybe others as well, who has been plaguing me for several years. I think my routers have been compromised by him as prototypes and I have known about his DNS re-routing for quite a while as well (certificates have blown up where they shouldn't for example, or when I visited web sites I normally didn't go to).

I want to catch this person (or people) and can muster a large amount of money to do so. I can also provide my router equipment for testing as well.

Do you have any suggestions on how I can go about hunting this rat down?

Cheers

Ian Walker

26 March 2009, 2:23 PM

Raindog (New user):

A more pressing worry is "Conficker".
Today would be a very good day for ensuring all your Anti-Virus and Anti spyware measures are working and up to date!

31 March 2009, 10:08 AM

kandoo (New user):

Just to clarify: if you ping dweb.webhop.net and get 127.0.0.1 that is a GOOD thing, because you'll never get there. It is your localhost address and it doesn't indicate you're running a web server or such.
Your DNS provider has obviously set this precaution, and if you install SpyBot and include Blacklist blocking, it will put a list of banned web sites in your localhost file all pointing to 127.0.0.1 so that requests to those addresses never get there.

27 September 2009, 12:48 PM
