Psyb0t

Psyb0t, also known as Network Bluepill, is a computer worm discovered in January 2009. It is thought to be unique in that it can infect routers and high-speed modems.[1]

Progress

Psyb0t was first detected in January 2009 by Australian security researcher Terry Baume in a Netcomm NB5 ADSL router/modem. In early March it ran a DDoS attack against DroneBL (an IP blacklisting service); from that attack, DroneBL estimated that the worm had infected about 100,000 devices. The attack brought some public attention to the worm in late March, which probably caused its operator to shut it down. DroneBL also succeeded in taking down its command-and-control and DNS servers.

Description

Psyb0t targets modems and routers with a little-endian MIPS processor running Mipsel Linux firmware. It is part of a botnet controlled through IRC command-and-control servers. After infecting a device, psyb0t blocks access to the router's TCP ports 22, 23 and 80 (SSH, telnet and HTTP), locking the owner out of the usual administration interfaces.

Psyb0t carries a number of attack tools: it is known to scan networks for vulnerable routers and modems, check for MySQL and phpMyAdmin vulnerabilities, and perform DoS attacks against websites.

Two versions are known. The first, 2.5L, affected the Netcomm NB5 ADSL router/modem. The newer version, 2.9L, affects over 50 models by Linksys, Netgear and other vendors, including devices running DD-WRT or OpenWrt firmware.[2]

Attack vectors and countermeasures

The primary attack vector is SSH or telnet access: the worm brute-forces logins using a list of over 6,000 usernames and 13,000 passwords. However, 90%[2] of infections result from insecure configuration, mostly a missing or default administration password combined with remote administration being enabled. The recommended countermeasures are to replace the default access credentials with strong ones and to update the router/modem firmware. If infection is suspected, a hard reset of the router is advised, without restoring the router configuration from a backup.
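The two conditions described above, credential brute-forcing over SSH/telnet and an insecurely configured router, seen from the defender's side, as an added example that is not part of the original article or of the research it cites. The log lines are constructed (loosely modelled on the syslog messages of an OpenWrt router's dropbear SSH daemon, which is an assumption), the default-credential set is a small constructed sample, the simplified configuration dict is this example's own format, and the function names and threshold values are choices made here rather than anything the article specifies.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines (not real captures), loosely modelled on the
# messages an OpenWrt router's dropbear SSH daemon emits. 203.0.113.9 is a
# documentation address standing in for an Internet-side scanning host;
# 192.168.1.20 is a LAN host whose owner mistypes a password once.
SAMPLE_LOG = """\
Mar 10 02:14:01 router dropbear[2211]: Bad password attempt for 'root' from 203.0.113.9:51022
Mar 10 02:14:02 router dropbear[2213]: Bad password attempt for 'admin' from 203.0.113.9:51023
Mar 10 02:14:04 router dropbear[2215]: Bad password attempt for 'admin' from 203.0.113.9:51024
Mar 10 02:14:05 router dropbear[2217]: Bad password attempt for 'support' from 203.0.113.9:51025
Mar 10 02:14:07 router dropbear[2219]: Bad password attempt for 'user' from 203.0.113.9:51026
Mar 10 02:14:09 router dropbear[2221]: Password auth succeeded for 'admin' from 203.0.113.9:51027
Mar 10 02:30:00 router dropbear[2300]: Bad password attempt for 'alice' from 192.168.1.20:40001
Mar 10 02:31:00 router dropbear[2302]: Password auth succeeded for 'alice' from 192.168.1.20:40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?:dropbear|telnetd)\[\d+\]: "
    r"(?P<msg>Bad password attempt|Password auth succeeded) for '(?P<user>[^']*)' "
    r"from (?P<src>[\d.]+):\d+$"
)


def parse_line(line, year=2009):
    """Parse one login-related syslog line; return None for anything else.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "src": m["src"],
            "ok": m["msg"] == "Password auth succeeded"}


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Flag any source that produces `threshold` failed logins within
    `window_s` seconds, and record whether a login from that source
    succeeded afterwards (the trace a default-password compromise leaves).
    Returns {source_ip: finding}."""
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    findings = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["ok"]:
            if src in findings:
                findings[src]["succeeded_after_bruteforce"] = ev["user"]
            continue
        q = recent[src]
        q.append(ev["ts"])
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold and src not in findings:
            findings[src] = {"failures_in_window": len(q),
                             "first": q[0], "last": ev["ts"],
                             "succeeded_after_bruteforce": None}
    return findings


# Constructed sample of widely published factory-default pairs, used only to
# flag a router that still has one set; a real audit would use the vendor's list.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", ""),
                       ("root", "root"), ("root", "")}


def audit_config(cfg):
    """Flag the misconfigurations the article blames for most infections:
    a default or empty administration password, and remote administration
    reachable from the WAN. `cfg` is a simplified dict, an assumption of this
    example rather than any vendor's real configuration format."""
    issues = []
    if (cfg.get("admin_user"), cfg.get("admin_password", "")) in DEFAULT_CREDENTIALS:
        issues.append("default-or-empty-admin-credentials")
    if cfg.get("wan_admin_enabled"):
        issues.append("remote-administration-reachable-from-wan")
    if cfg.get("telnet_enabled"):
        issues.append("telnet-enabled")
    return issues


if __name__ == "__main__":
    for src, f in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {f['failures_in_window']} failures between "
              f"{f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}; "
              f"later success as {f['succeeded_after_bruteforce']!r}")
    print(audit_config({"admin_user": "admin", "admin_password": "admin",
                        "wan_admin_enabled": True, "telnet_enabled": True}))
```

On the sample input only the documentation address is flagged: five failures in six seconds followed by a successful login as `admin`, which is exactly the sequence a default-credential compromise leaves behind, while the LAN user's single typo stays below the threshold. The sliding window is kept per source so that a slow, distributed scan does not hide a fast one, and `audit_config` reports the same three settings the countermeasures paragraph tells an operator to fix first.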

References

  1. Paul, Ian (25 March 2009). "Nasty New Worm Targets Home Routers, Cable Modems". PC World. Retrieved 2009-03-26.
  2. Shoemaker, Kristin (25 March 2009). "Psyb0t Evolves, Targets Unprotected Linux Mipsel Routers". OStatic. Retrieved 2009-04-05.