Worm: Psybot

Last Updated on: Apr 08, 2010 12:45 PM

It is reported that a stealth worm, "Psybot", targeting home routers and DSL modems is in the wild.

The worm infects devices from a family of Linux mipsel devices that contain one of several administration interfaces.

It is also reported that devices with the following properties are vulnerable:

  • A mipsel (MIPS running in little-endian mode) device.
  • Telnet, SSH or web-based administration interfaces reachable from the WAN.
  • Weak username/password combinations, or exploitable daemons in the device firmware.

The worm, packed with UPX, contains shellcode for many mipsel devices. It is capable of brute-forcing username and password combinations, harvests usernames and passwords through deep packet inspection, and can scan for exploitable phpMyAdmin and MySQL servers.

After a successful login attempt, it locks out other administrators with a series of iptables commands and then connects to the botnet over IRC.

Worm activity

  • Vulnerable modem is located and connected to via Telnet; root login is performed and a shell is spawned
  • Custom binary is downloaded and executed
  • Any further Telnet/SSH connection attempts are rejected
  • Connection to a private IRC server is established with a random nickname
  • Pre-determined IRC channel is joined to receive commands

Once the compromised modem has joined the botnet, it will begin to scan for other vulnerable modems, connect to them and infect them, making them part of the botnet.
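The activity sequence above (outbound IRC session from a gateway device, followed by Telnet connections to many other hosts) can be checked for in perimeter connection logs. The following is an added example, not from the advisory; the log format, the IRC port set and the scan threshold are assumptions, and the sample log is constructed.

```python
# Added example (not from the advisory): flag gateway devices showing the
# Psybot activity described above, an outbound IRC session followed by Telnet
# connections to many hosts. Log format, IRC port set and threshold are assumed.
from collections import defaultdict

# Constructed sample log: "<epoch> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
1270000001 192.0.2.1 198.51.100.7 6667 tcp
1270000002 192.0.2.1 203.0.113.10 23 tcp
1270000003 192.0.2.1 203.0.113.11 23 tcp
1270000004 192.0.2.1 203.0.113.12 23 tcp
1270000005 192.0.2.1 203.0.113.13 23 tcp
1270000006 192.0.2.1 203.0.113.14 23 tcp
1270000007 192.0.2.2 198.51.100.20 443 tcp
1270000008 192.0.2.2 198.51.100.21 23 tcp
malformed line
"""

IRC_PORTS = {6667, 6668, 6669}  # common IRC ports (assumed C2 range)
TELNET_PORT = 23
SCAN_THRESHOLD = 5              # distinct Telnet targets before flagging


def parse_log(text):
    """Yield (src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        yield parts[1], parts[2], int(parts[3])


def flag_psybot_like(text, scan_threshold=SCAN_THRESHOLD):
    """Return {src_ip: [reasons]} for sources matching either indicator."""
    irc_sources = set()
    telnet_targets = defaultdict(set)
    for src, dst, dport in parse_log(text):
        if dport in IRC_PORTS:
            irc_sources.add(src)
        elif dport == TELNET_PORT:
            telnet_targets[src].add(dst)
    findings = {}
    for src in irc_sources | set(telnet_targets):
        reasons = []
        if src in irc_sources:
            reasons.append("outbound IRC connection")
        if len(telnet_targets.get(src, ())) >= scan_threshold:
            reasons.append(f"telnet scan of {len(telnet_targets[src])} hosts")
        if reasons:
            findings[src] = reasons
    return findings
```

A home gateway that both talks IRC outbound and opens Telnet to many distinct hosts matches both indicators; a single Telnet connection below the threshold is not flagged on its own.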

Countermeasures

  • Change the default password for the modem's administration interface and reboot the device.
  • Restrict the web management interface to authorized users.
  • Upgrade the firmware of the unit.

References:

CERT-in.org