Researchers uncover botnet comprised of routers

Share this article:
Updated on Thursday, March 26 at 10:44 a.m. EST

The first known botnet worm to target routers and DSL modems is circulating in the wild, according to research revealed this week.

Researchers at DroneBL, a DNS blacklist company that tracks offensive IP addresses, said they have detected a live botnet -- dubbed Psyb0t -- that is impacting any MIPS-based Linux router that either contains a weak username-password combination or an interface accessible from outside the local-area network (LAN). (The latter issue, though, was resolved with a firmware update.)

An estimated 100,000 devices have been infected by this worm, according to DroneBL.

"Your best bet would be to take action to upgrade the device firmware and secure any passwords if there is concern that the device may be vulnerable," the blog post said. "Such actions will help to avoid exploitation by the worm."

In January, an independent researcher from Australia, Terry Baume, was the first person to detect the botnet. He initially noticed increased activity on port 23, used for Telnet client and server communication, and soon discovered the worm impacting Australian-based NetComm's NB5 routers.

NetComm said in a statement Thursday that affected versions shipped between June and December 2005.

"Amongst this small group of versions, the bot only has the potential to manifest in those devices where users have not changed their default password and upgraded to the latest firmware," the statement said. The company recommended users change their password that contains a mix of letters and numbers.

It didn't take long for the botmaster to extend his reach beyond Australia.

"It's the first time I've ever heard of anything infecting embedded devices," Baume told SCMagazineUS.com on Wednesday.

He said that though a group of zombie routers may not have the processing power of a legion of compromised PCs, it still can be leveraged by botmasters to do a lot of damage. For instance, it could be used to carry out distributed denial-of-service attacks or DNS hijacking, by which users trying to visit legitimate websites would be redirected to malicious destinations.

Also, Baume said, compromised routers could be "coded to inspect packets" as they pass through "to look for things like usernames and passwords if the information is not encrypted."

However, at this point, the owner of the botnet is not using his botnet army to do anything malicious, Baume said.

To protect themselves from this worm, users should reset their router to clear any infection and then set their administrative password to something strong, which cannot be cracked by techniques such as dictionary attacks, Baume said.
Share this article:

Sign up to our newsletters

More in News

Instagram iOS and Android apps vulnerable to session hijacking

Two researchers wrote about the Instagram app for iOS and Android is vulnerable to session hijacking because both send unsecured information through HTTP.

Report: Hackers stole data from Israeli defense firms

A report by Brian Krebs detailed the intrusions, which occurred between Oct. 2011 and Aug. 2012.

Neverquest trojan targets regional banks in Japan

Symantec researchers found a new variant of the banking trojan.