Router-Based Botnet On The Loose

Researchers discover spreading botnet malware that targets home DSL routers and modems

Dark Reading Staff, Dark Reading

March 25, 2009


Now your routers can become zombies, too: Researchers have discovered a botnet that uses home DSL devices to build out its army.

The so-called "psyb0t" malware may be the first such code to go after home network devices, say researchers at DroneBL, an organization that monitors abuse of infected machines. So far, somewhere around 100,000 devices have been infected, are being used to wage distributed denial-of-service (DDoS) attacks, and are stealing usernames and passwords, according to DroneBL.

DroneBL first discovered the botnet after it hit the organization's site with a DDoS attack. The botnet is IRC-based and had been studied earlier this year by another researcher, Terry Baume, who wrote a white paper (PDF) detailing how vulnerabilities in embedded Linux devices, such as Netcomm's NB5 ADSL modem, were being exploited to infect the devices and recruit them into a botnet.

Routers traditionally have been considered relatively immune to malware and attacks, and botnets traditionally use PCs and servers. "Malware is starting to use routers -- in this case, still simple Linux boxes," says Felix "FX" Lindner, a researcher with Recurity Labs, who recently demonstrated how Cisco-router hacking isn't as difficult as once thought.

To be at risk of psyb0t infection, DroneBL researchers say a router must be Mipsel-Linux-based; have telnet, SSH, or Web-based interfaces available to the wide-area network; and have a weak username and password, or firmware daemons that are exploitable. "As such, 90 percent of the routers and modems participating in this botnet are participating due to user error (the user themselves or otherwise)," the researchers blogged.

The router-based botnet is stealthy. "Most end users will not know their network has been hacked, or that their router is exploited. This means that in the future, this could be an attack vector for the theft of personally identifying information. This technique will certainly not be going away," the researchers wrote.
