In the world of home networking, when people shop for a router, they check to see if it has some sort of firewall protection, buy it, bring it home and just plug it in. If the manufacturer is a good one, there may be a quick setup wizard for the first boot, and that’s about that.
This turnkey approach has led to a new virus called psyb0t. This nasty virus attacks MIPS-based routers and their embedded Linux OS. As most users do not bother to go in and check for things like remote management, UPnP [Universal Plug and Play] or SSH [Secure Shell] access after the initial setup – it’s not surprising to see this new vector of attack on a previously untapped security hole. At the time of writing, the psyb0t code base cannot affect x86-based systems; it only affects MIPS running in little-endian mode, which is unfortunately around 90% of the current consumer DSL modem and home router market.
The attack was discovered by DroneBL. The worm seems to have multiple functions – from deep packet inspection [looking for usernames and passwords] and searching for exploitable MySQL and MSSQL systems, to establishing a botnet for DDoS attacks. In fact, DroneBL itself has been subjected to a flood of HTTP requests as part of a DDoS attack, and it was this attack that allowed them to identify the source and find the new virus.
The code is inserted through a brute-force attack: it tries the most common ports for remote management and SSH along with a list of common usernames and passwords. Once in, the infection closes ports 22, 23 and 80. Psyb0t also appears to use a modified version of UPX for packing, which lets it escape detection by most virus scanners since it will not unpack with standard tools. It is not known at this time whether the attack can exploit port triggers or UPnP features available on most consumer routers.
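The brute-force vector described above leaves a trail in the router's own authentication log. The following is an added example, not code from the original post or from DroneBL, of how a defender might spot it: it parses constructed syslog-style lines in a dropbear/telnetd-like format (the exact format varies by firmware and is assumed here), counts failed logins per source address within a sliding time window, and notes whether the source lies outside the LAN subnet, which would mean the management service is reachable from the Internet in the first place. The sample addresses come from the RFC 5737 documentation ranges.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (hypothetical dropbear/telnetd syslog format).
# One Internet-side host hammers several common usernames in a few seconds;
# one LAN host fails once and then logs in normally.
SAMPLE_LOG = """\
Mar 24 03:12:01 router dropbear[812]: Bad password attempt for 'admin' from 203.0.113.5:51234
Mar 24 03:12:02 router dropbear[812]: Bad password attempt for 'admin' from 203.0.113.5:51236
Mar 24 03:12:02 router dropbear[812]: Bad password attempt for 'root' from 203.0.113.5:51240
Mar 24 03:12:03 router dropbear[812]: Bad password attempt for 'root' from 203.0.113.5:51241
Mar 24 03:12:03 router dropbear[812]: Bad password attempt for 'user' from 203.0.113.5:51243
Mar 24 03:12:04 router dropbear[812]: Bad password attempt for 'support' from 203.0.113.5:51244
Mar 24 03:15:44 router dropbear[812]: Bad password attempt for 'admin' from 192.168.1.20:40111
Mar 24 03:15:50 router dropbear[812]: Password auth succeeded for 'admin' from 192.168.1.20:40112
Mar 24 09:01:10 router telnetd[655]: login failed for 'admin' from 198.51.100.77
"""

# Matches only failed logins; successful logins deliberately fall through.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<svc>dropbear|telnetd)\[\d+\]: "
    r"(?:Bad password attempt|login failed) for '(?P<user>[^']+)' "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(log_text, year=2009):
    """Yield (timestamp, service, username, source_ip) for each failed login line.
    Syslog lines carry no year, so one is supplied to build comparable datetimes."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["svc"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60, lan="192.168.1.0/24"):
    """Return {source_ip: report} for every source with at least `threshold`
    failures inside some `window_seconds` sliding window. `from_lan` is False
    when the source is outside the router's LAN subnet, i.e. the login service
    was reachable from the WAN side."""
    lan_net = ipaddress.ip_network(lan)
    stamps_by_ip = defaultdict(list)
    users_by_ip = defaultdict(set)
    for ts, _svc, user, ip in parse_failures(log_text):
        stamps_by_ip[ip].append(ts)
        users_by_ip[ip].add(user)

    findings = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        # Two-pointer sweep: find the densest window of failures for this source.
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[ip] = {
                "failures_in_window": peak,
                "total_failures": len(stamps),
                "usernames": sorted(users_by_ip[ip]),
                "from_lan": ipaddress.ip_address(ip) in lan_net,
            }
    return findings


if __name__ == "__main__":
    for ip, report in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, report)
```

Any finding with `from_lan` False is the more important signal: independent of whether the guessing succeeded, it shows the management port is exposed to the Internet, which is the condition the post says most owners never check.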
The elegance of this attack is that it does not need to touch systems inside the network and can avoid detection by most casual users. Once the router is compromised, the attacker has a stealthy foothold for additional attacks and exploits. This technique is very concerning, since it can be just a precursor to a series of more sophisticated attacks and personal-information-gathering schemes. Imagine an attacker attacking your internal network from the inside – using your own hardware against you.
The upside is that, as of this writing, it is fairly easy to remove this bug. All you need to do is reset your router to factory defaults, which wipes all configuration, and then upgrade to the latest firmware to overwrite the code. Once this is done, change the default passwords for the admin account and any user accounts. While you are there, make sure you disable any remote management or monitoring features and UPnP. As an added security measure it is also advisable to change the usernames for the admin and any user accounts from their defaults, if that feature exists as an option.
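To confirm that a router actually ends up in the state the cleanup steps above describe, the following added example (not from the original post or from any router vendor) audits a constructed dictionary of router settings against that checklist: no WAN-side management, no UPnP, non-default credentials, current firmware. The field names, the two sample configurations, the small default-credential lists and the "latest firmware" version are all assumptions made for the example; a real router exposes these settings through its vendor web UI or a config export, not this schema.

```python
import re

# Constructed "before" configuration: the turnkey state the post describes.
WEAK_CONFIG = {
    "admin_username": "admin",
    "admin_password": "admin",
    "remote_management": True,   # web admin reachable from the WAN side
    "wan_ssh": True,
    "wan_telnet": True,
    "upnp": True,
    "firmware": "1.0.2",
}

# Constructed "after" configuration: what the cleanup steps should leave behind.
HARDENED_CONFIG = {
    "admin_username": "rtr-owner-7f3k",
    "admin_password": "Lk9#vT2q!Bw8mZ4r",
    "remote_management": False,
    "wan_ssh": False,
    "wan_telnet": False,
    "upnp": False,
    "firmware": "1.0.7",
}

# Small constructed lists of factory defaults; a real audit would use a fuller list.
DEFAULT_USERNAMES = {"admin", "administrator", "root", "user", "support"}
DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "12345", "root", "user"}

# Checks that fail simply because a feature is switched on.
EXPOSURE_CHECKS = (
    ("remote_management", "remote web management is enabled"),
    ("wan_ssh", "SSH on the WAN interface is enabled"),
    ("wan_telnet", "telnet on the WAN interface is enabled"),
    ("upnp", "UPnP is enabled"),
)


def version_tuple(version):
    """'1.0.7' -> (1, 0, 7). Non-numeric suffixes are dropped, so '1.0.7b' == (1, 0, 7)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit(config, latest_firmware="1.0.7"):
    """Return a list of human-readable findings. An empty list means the config
    matches the post-cleanup state: nothing exposed on the WAN, UPnP off,
    non-default credentials, and firmware at the assumed latest version."""
    findings = []
    for key, message in EXPOSURE_CHECKS:
        if config.get(key):
            findings.append(message)

    user = config.get("admin_username", "")
    password = config.get("admin_password", "")
    if user.lower() in DEFAULT_USERNAMES:
        findings.append("admin username is a factory default")
    if password.lower() in DEFAULT_PASSWORDS:
        findings.append("admin password is a factory default")
    elif len(password) < 12 or (user and user.lower() in password.lower()):
        findings.append("admin password is short or contains the username")

    current = config.get("firmware", "0")
    if version_tuple(current) < version_tuple(latest_firmware):
        findings.append(f"firmware {current} is older than {latest_firmware}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```

Running the audit on the factory-state configuration produces one finding per step in the post; the hardened configuration produces none, which is the check worth repeating after every firmware update, since some updates reset settings to their defaults.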
We have contacted DroneBL about this new attack but have not heard back from them as of this writing. More information on the psyb0t virus can be found on DroneBL’s blog.
**Update 25 March 2009 18:39 EDT (US)**
We have heard back from DroneBL and they have confirmed that psyb0t cannot spread through port triggers or UPnP. As of this writing the only vector of attack is through the brute-force method listed above.