Incident Response, Patch/Configuration Management, TDR, Vulnerability Management

Researchers uncover botnet comprised of routers

Updated on Thursday, March 26 at 10:44 a.m. EST

The first known botnet worm to target routers and DSL modems is circulating in the wild, according to research revealed this week.

Researchers at DroneBL, a DNS blacklist company that tracks offensive IP addresses, said they have detected a live botnet -- dubbed Psyb0t -- that is impacting any MIPS-based Linux router that either has a weak username-password combination or has an interface accessible from outside the local-area network (LAN). (The latter issue, though, was resolved with a firmware update.)

An estimated 100,000 devices have been infected by this worm, according to DroneBL.

"Your best bet would be to take action to upgrade the device firmware and secure any passwords if there is concern that the device may be vulnerable," the DroneBL blog post said. "Such actions will help to avoid exploitation by the worm."

In January, an independent researcher from Australia, Terry Baume, was the first person to detect the botnet. He initially noticed increased activity on port 23, used for Telnet client and server communication, and soon discovered the worm impacting Australian-based NetComm's NB5 routers.
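An added defender-side illustration (example code, not from the article, DroneBL or NetComm): a small Python check that parses netfilter-style firewall log lines and flags the pattern described above, a burst of inbound TCP/23 (Telnet) connection attempts arriving on the WAN side of a router. The log lines, the interface names (eth0 as WAN, br0 as LAN) and the addresses are all constructed assumptions for the example.

```python
import re

# Field pattern for the netfilter/iptables LOG line format. The sample lines
# below are constructed for this example, not captured traffic.
_FIELD_RE = re.compile(r"\b(IN|SRC|DST|PROTO|DPT)=(\S*)")

# Constructed sample log: eth0 is assumed to be the WAN interface, br0 the LAN.
SAMPLE_LOG = """\
2009-03-22T10:00:01 router kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40122 DPT=23
2009-03-22T10:00:02 router kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.10 PROTO=TCP SPT=40810 DPT=23
2009-03-22T10:00:02 router kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP SPT=41003 DPT=23
2009-03-22T10:00:03 router kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=203.0.113.10 PROTO=TCP SPT=52210 DPT=23
2009-03-22T10:00:05 router kernel: IN=br0 OUT= SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=23
2009-03-22T10:00:09 router kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40123 DPT=80
"""


def parse_line(line):
    """Return the netfilter fields of interest as a dict, or None for non-log lines."""
    fields = dict(_FIELD_RE.findall(line))
    if "DPT" not in fields or "SRC" not in fields:
        return None
    fields["ts"] = line.split(" ", 1)[0]  # leading ISO-8601 timestamp
    return fields


def find_telnet_probes(log_text, wan_iface="eth0", min_sources=3):
    """Collect inbound TCP/23 attempts on the WAN interface.

    Returns (events, alert): events is a list of (timestamp, src, dst) tuples;
    alert is True once at least `min_sources` distinct external addresses have
    tried Telnet on the WAN side, i.e. a scanning pattern rather than one
    stray connection. LAN-side Telnet (IN != wan_iface) is ignored here.
    """
    events = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        if f.get("PROTO") == "TCP" and f["DPT"] == "23" and f.get("IN") == wan_iface:
            events.append((f["ts"], f["SRC"], f["DST"]))
    distinct_sources = {src for _, src, _ in events}
    return events, len(distinct_sources) >= min_sources


if __name__ == "__main__":
    hits, alert = find_telnet_probes(SAMPLE_LOG)
    for ts, src, dst in hits:
        print(f"{ts} WAN telnet attempt {src} -> {dst}")
    print("ALERT: multiple external hosts probing TCP/23" if alert else "no alert")
```

Any Telnet reachable from the WAN is itself a finding; the source-count threshold only separates a lone connection from a scan.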

NetComm said in a statement Thursday that affected versions shipped between June and December 2005.

"Amongst this small group of versions, the bot only has the potential to manifest in those devices where users have not changed their default password and upgraded to the latest firmware," the statement said. The company recommended that users change their password to one containing a mix of letters and numbers.

It didn't take long for the botmaster to extend his reach beyond Australia.

"It's the first time I've ever heard of anything infecting embedded devices," Baume said on Wednesday.

He said that though a group of zombie routers may not have the processing power of a legion of compromised PCs, it still can be leveraged by botmasters to do a lot of damage. For instance, it could be used to carry out distributed denial-of-service attacks or DNS hijacking, by which users trying to visit legitimate websites would be redirected to malicious destinations.

Also, Baume said, compromised routers could be "coded to inspect packets" as they pass through "to look for things like usernames and passwords if the information is not encrypted."

However, at this point, the owner of the botnet is not using his botnet army to do anything malicious, Baume said.

To protect themselves from this worm, users should reset their router to clear any infection and then set their administrative password to something strong, which cannot be cracked by techniques such as dictionary attacks, Baume said.
