Psyb0t Attacks Linux Routers (Update)
Mar 26, 2009
A botnet named psyb0t has been nesting for a few months in consumer devices that run Linux on MIPS CPUs, notably routers. Infected devices connect over a private Internet Relay Chat (IRC) server to the botnet and await commands.
Already in January the Australian Terry Baume had written a short paper describing the psyb0t malware that was beginning to crop up on Linux systems. Most of these are DSL routers, which allow a greater level of stealth because they are online longer than individual PCs. A whole range of devices that use these CPUs under Linux are affected, among them various versions of OpenWRT. The attack vectors are primarily TELNET or SSH services that listen on the device's WAN interface and accept weak passwords (such as admin). According to reports, the malware has a number of attack tools built in, among them a network scanner and a brute forcer.
The botnet drew attention by carrying out a denial-of-service attack on a website that publishes IP blacklists. Some sources say 80,000 to 100,000 clients were affected, all of which registered with the apparently hard-to-trace IRC channel. The command and control channel the attacker used has been temporarily deactivated. But the botnet remains one of a kind in the large number of Linux devices it attacked.
This is how a botnet works. There are many network-enabled devices and appliances (PCs, DSL modems, refrigerators, etc.) out there. Some of them are vulnerable to one or another form of attack. If the attack succeeds, the attacker can start a program on the device, the malware. One type of malware connects primarily to a chat system such as IRC, which your ordinary 14-year-old might join for the latest superstar gossip. IRC is comprised of several nodes to which users can connect. After a user (or the program) connects to an IRC network, they join a channel. Each IRC network usually has hundreds of these channels, typically with a hash mark at the start of the name, such as #superstars.
A participant joining a channel who is not a human is usually a program called a bot. There are all kinds of bots lurking in IRC; some of them explain UNIX commands, look up bus schedules or forecast the weather. Some, however, await special, often secret, commands or phrases and then perform some action, such as sending a payload of data to a specific target system. As long as just a single bot performs this kind of action, usually no one is harmed. Now consider some 10,000 vulnerable hosts that have been infected with some bot malware, all joining a channel such as #mipsel and then idling. After a while, the attacker joins the channel and enters some magic words, the secret commands (that's why it's called a command and control channel). All of a sudden 10,000 systems distributed all over the world hurl their workloads at a single target and bring it to its knees.
The virtual, swarm-like entity made up of all 10,000 bots is called a botnet. A botnet is very hard to track, since its parts are distributed all over the Internet, which makes it rather resistant to countermeasures such as IP filters. To add fuel to the fire, a botnet built from routers has a greater chance of doing damage, because the router is usually awake and active while the client PCs behind it are asleep.
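To show that attack vector from the defender's side, here is an added example (written for this page, not code from the article or from Terry Baume's analysis) that runs a denyhosts-style check over constructed log lines in the format of dropbear, the SSH server OpenWRT ships: a source that fails too many password logins within a short window is flagged, and so is any later successful login from that same source. The threshold, window, year and sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines in dropbear's message format (the SSH server
# OpenWRT ships); they are made up for this example, not from a real infection.
SAMPLE_LOG = """\
Mar 26 02:11:03 router dropbear[812]: Bad password attempt for 'root' from 203.0.113.7:51022
Mar 26 02:11:05 router dropbear[812]: Bad password attempt for 'admin' from 203.0.113.7:51023
Mar 26 02:11:06 router dropbear[812]: Bad password attempt for 'admin' from 203.0.113.7:51024
Mar 26 02:11:08 router dropbear[812]: Bad password attempt for 'root' from 203.0.113.7:51025
Mar 26 02:11:09 router dropbear[812]: Bad password attempt for 'root' from 203.0.113.7:51026
Mar 26 02:11:11 router dropbear[812]: Password auth succeeded for 'root' from 203.0.113.7:51027
Mar 26 02:12:40 router dropbear[812]: Bad password attempt for 'root' from 198.51.100.9:40112
Mar 26 02:30:00 router dropbear[812]: Password auth succeeded for 'admin' from 192.168.1.20:55100
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dropbear\[\d+\]: "
    r"(?P<event>Bad password attempt|Password auth succeeded) for '(?P<user>[^']+)' "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+$"
)

def analyze(log_text, year=2009, threshold=5, window=60):
    """Return (brute_force_sources, suspicious_logins) for dropbear log lines.

    A source is flagged once it makes `threshold` failed password attempts within
    `window` seconds; a later successful password login from that same source is
    flagged too, since that is what a guessed router password looks like in the log.
    Syslog lines carry no year, so `year` is an assumed value.
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    brute_force = set()
    suspicious = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        src = m["src"]
        if m["event"] == "Bad password attempt":
            q = failures[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:   # forget old failures
                q.popleft()
            if len(q) >= threshold:
                brute_force.add(src)
        elif src in brute_force:
            suspicious.append((src, m["user"], ts.isoformat()))
    return sorted(brute_force), suspicious
```

Running `analyze(SAMPLE_LOG)` on the constructed lines flags 203.0.113.7 as a brute forcer and its later successful root login as suspicious, while the single failure from 198.51.100.9 and the LAN login from 192.168.1.20 are left alone.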
(Nils Magnus, Bert Gassmann)
Comments
@abitwise and fennec
existsec Apr 13, 2009 5:40pm GMT
@abitwise Changing the port is just security through obscurity, it won't make a difference against a service scan. The best thing is to just use keys instead of just passwords.
@fennec A constructive reply to your comment. This doesn't show how "even Linux is vulnerable" as this doesn't exploit anything other than people using insecure passwords. As already mentioned this piece of malware requires a practically open door in terms of security.
Easy solutions
abitwise Apr 11, 2009 8:03pm GMT
Use a key or strong password, and also I recommend using software called denyhosts; it blocks brute force attacks on SSH. If you like, you can even change the SSH port to something different than 22, if you are paranoid.
hahahah
Nenad Mar 31, 2009 8:14pm GMT
Fennec, you're a star
LoL The end of the internet the big crash
Fennec Mar 29, 2009 1:50am GMT
We can't make jokes anymore or what !!!???
@ Fennec
Fouin Mar 27, 2009 5:37pm GMT
Come on, stop watching Star Wars movies and start reading Linux for Dummies first; after you accomplish your mission, come back and re-post a comment! This message will destroy itself in the next.... bla bla bla
comments
Rikki Kite Mar 27, 2009 4:22pm GMT
Jack,
Although we're happy to have lively discussions on our site, we do try to keep a professional tone. Normally I only delete comments that are blatant spam or profanity-laced. In your case, you recommended that a poster commit suicide. Frankly, I find it completely inappropriate and insensitive. Feel free to give your opinion on the article or comments, but please keep it somewhat constructive or cordial. Thanks!
American Foundation for Suicide Prevention: http://www.afsp.org/
rofl...
btrthenu Mar 27, 2009 3:18pm GMT
@Fennec: Linux NT? Dude, you have no idea wtf you're talking about. Learn something new; learn what the difference between embedded systems and server/desktop systems is.
wtf? Cyber War between the two? Either quit smoking so much crack, or keep off the computer before you get in trouble with your teachers.
@ Fennec
sm1ley Mar 27, 2009 2:08pm GMT
Fennec, you are a moron and need to quit watching movies.
oooooowwkaaay
Anonymous Mar 27, 2009 1:56pm GMT
lol @ fennec, and that's all I have to say about that...
It is a Cyber War a war between Linux and Windows !!??
Fennec Mar 27, 2009 11:17am GMT
My hypothesis is that there is a new Cyber War between Linux and Windows; before, the war was positive in innovations. Now it is going toward destruction between the ITs and hackers who support Windows and the others who support Linux, by creating new viruses and worms that are more powerful. We saw a lot of destructive worms in the net. A lot of people believe that Linux OS and Linux NT is more secure than any Windows OS or NT. What we can see now is that even Linux is more vulnerable, which means nobody is immune from these viruses and worms. The questions are: is it about MONEY!? Is it about POWER!? Is it about CONTROL!?
Re: Solutions?
hellokitty Mar 27, 2009 6:22am GMT
One of the possible solutions is to choose a strong password (which is kind of obvious from reading the article) or implement some firewall and block the brute-force attempts.
Yeay
Tracy R Reed Mar 27, 2009 5:06am GMT
I've been a Linux fan for 15 years. Linux has always had very good security. We have always been proud of the lack of virus infections in Linux. People always said that this was only because Linux was so small that nobody bothered to target it. They can't say that anymore. Linux is definitely big enough to be worth targeting. Not only that, Linux is big enough that they are targeting Linux running on MIPS CPU devices! The good news is that in order to get infected by something like this you really have to open yourself up and let it in. This has been the case for many years now and is nothing new: if you allow root logins from the net and your root password is "root" you are going to be owned. But now there are enough Linux users out there that enough of them set things up with ssh or telnet running on the WAN interface with a default or very simple guessable password that they are being actively targeted. Linux has hit the big time!
Just to make it clear
base10k Mar 27, 2009 4:51am GMT
It's worth noting that this botnet does not seem to be using vulnerabilities in the Linux routers it is infecting (generally speaking, Linux devices are fairly secure); instead this botnet is infecting devices by guessing the passwords for the remote administration services that run on them (passwords such as root, admin, password, password1, adminadmin, etc.) and then uploading and installing itself.
All you have to do to prevent being infected is use a strong password!
Solutions?
.. Mar 27, 2009 4:26am GMT
It's great that you give us one more reason to drink, how about a solution?