Users of Linux-based routers are being warned of a new worm in the wild which attempts to take control and add their device to a growing botnet. As reported over on vnunet.com on March 25, the ‘psyb0t’ worm was first spotted by security research group DroneBL recently, but may have been spreading since the start of the year.
Designed to brute-force the passwords of routers running Linux compiled for the RISC-based MIPS architecture, including devices running the custom OpenWRT and DD-WRT firmwares, the worm takes control of poorly secured devices and adds them to a botnet which the DroneBL group estimates may already have grown to as many as 100,000 compromised devices.
Because the worm relies on weak passwords, or on devices which have never been reconfigured from their default settings, the group claims that "ninety per cent of the routers and modems participating in this botnet are [doing so] due to user error." While it is always good advice to choose a strong password for Internet-facing devices, it is unlikely that anyone reading a security blog needs telling.

The payload of the worm is interesting: as well as allowing full remote control of the router via an IRC channel, the malware uses packet inspection techniques in an attempt to sniff traffic for usernames and passwords to Web sites and e-mail accounts. The worm also attempts to resist disinfection by locking out telnet, SSH, and Web access to the device’s management functionality — preventing the device from being flashed with a known-clean firmware. The group notes that "this is the first known botnet based on exploiting consumer network devices, such as home routers and cable/dsl modems" and warns that "many devices appear to be vulnerable."
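One practical detection angle follows from the IRC control channel described above: a home router normally originates almost no outbound traffic of its own, so a flow log in which the router's own address opens TCP sessions to IRC ports is a strong indicator. The following is an added example, not code from the article or from DroneBL; the log format, the addresses and the router's LAN address are all constructed assumptions, and the IRC port list is a generic assumption rather than anything the article states about psyb0t.

```python
# Added example (not from the article): flag a home router that is itself
# originating IRC sessions, the control channel the article attributes to psyb0t.
# Log format and all addresses are constructed; router address is an assumption.
from dataclasses import dataclass

ROUTER_IP = "192.168.1.1"                    # assumed LAN address of the router
IRC_PORTS = {6667, 6668, 6669, 6697, 7000}   # common IRC ports (assumed C2 ports)
EXPECTED = {("udp", 53), ("udp", 123)}       # DNS and NTP are normal router traffic

@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: str
    dst: str
    dport: int

def parse_flow(line: str) -> Flow:
    """Parse a constructed line: '<ts> <proto> <src>:<sport> -> <dst>:<dport>'."""
    ts, proto, src, _arrow, dst = line.split()
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(ts, proto.lower(), src.rsplit(":", 1)[0], dst_ip, int(dport))

def classify_router_flow(flow: Flow, router_ip: str = ROUTER_IP):
    """Return a reason if the router itself originated suspicious traffic, else None."""
    if flow.src != router_ip or (flow.proto, flow.dport) in EXPECTED:
        return None
    if flow.proto == "tcp" and flow.dport in IRC_PORTS:
        return "router opened IRC session (possible botnet control channel)"
    return "router originated unexpected outbound traffic"

def suspicious_router_flows(lines, router_ip: str = ROUTER_IP):
    """Return [(Flow, reason)] for every suspicious router-originated flow."""
    hits = []
    for raw in lines:
        if raw.strip():
            flow = parse_flow(raw)
            reason = classify_router_flow(flow, router_ip)
            if reason:
                hits.append((flow, reason))
    return hits

# Constructed sample: one LAN client browsing, the router doing DNS, then the
# router itself talking to an IRC server twice and to an unexplained HTTPS host.
SAMPLE_LOG = """\
2009-03-25T10:00:01 tcp 192.168.1.20:51000 -> 192.0.2.10:80
2009-03-25T10:00:05 udp 192.168.1.1:40123 -> 192.0.2.53:53
2009-03-25T10:00:09 tcp 192.168.1.1:33445 -> 203.0.113.7:6667
2009-03-25T10:00:12 tcp 192.168.1.1:33446 -> 203.0.113.7:6667
2009-03-25T10:00:20 tcp 192.168.1.1:33447 -> 198.51.100.9:443
"""
```

Run against the constructed sample, the two IRC sessions and the stray HTTPS connection are reported while the client's browsing and the router's own DNS lookup are not; the same check is equally useful for confirming a router is clean after reflashing.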