Psyb0t Attacks Linux Routers (Update)
A botnet named psyb0t has been nesting for a few months in consumer devices that run on Linux with MIPS CPUs, notably routers. Infested devices connect through a botnet over a private Internet Relay Chat (IRC) server to await commands.
Already in January Australian Terry Baume had written a short paper describing the psyb0t malware that was beginning to crop up in Linux systems. Most of these are DSL routers, in that they allow a greater level of stealth because they are online longer than individual PCs. A whole range of devices are affected that use the CPUs under Linux, among them various versions of OpenWRT. Attack vectors are primarily TELNET or SSH that listen on the device's WAN interface, accepting weak passwords (such as admin). According to reports, the malware has a number of attack tools built in, among them a network scanner and brute forcer.
The botnet drew attention by doing a denial-of-service attack on a website with IP blacklists. Some sources say 80,000 to 100,000 clients were affected, all of which registered with the apparently hard to trace back IRC channel. The command and control channel that the attacker used has been temporarily deactivated. But the botnet remains as one of a kind in the large number of Linux devices it attacked.
This is how a botnet works. There are several network-enabled devices and appliances (PCs, DSL modems, refrigerators, etc.) out there. Some of them are vulnerable to one or another form of attack. As a result, the attacker can start a program called malware. One type of malware connects primarily to a chat system such as IRC, which your ordinary 14-year-old might join for the latest superstar gossip. IRC is comprised of several nodes to which users can connect. After a user (or the program) connects to one IRC network, they join a channel. Each IRC network usually has hundreds of these channels, typically starting with a hash mark in its name, such as #superstars.
A participant joining a channel who is not a human is usually a program called a bot. There are all kinds of bots lurking in the IRC, some of them explain UNIX commands, look up bus schedules or forecast the weather. Some, however, await special, often secret, commands or phrases and follow with some action, such as sending a payload of data to a specific target system. As long as just a single bot does this kind of action, usually no one is harmed. Now consider some 10,000 vulnerable hosts that have been infected with some bot malware, all joining a channel such as #mipsel and then idling. After a while, the attacker joins the channel and inputs some magic words, the secret commands (that's why it's called a command and control channel). All of a sudden 10,000 systems distributed from all over the world hurl their workloads at a single target and bring it to its knees.
The virtual swarm-like entity of all 10,000 bots is called a botnet. A botnet is very hard to track since its parts are distributed all over the Internet, making it rather resistant to countermeasures such as IP filters. To add fuel to the fire, enabling a botnet via a router has a greater chance of doing damage in that the router is usually awake and active while its member client units are asleep.
Comments
comments powered by DisqusSubscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Halcyon Creates Anti-Ransomware Protection for Linux
As more Linux systems are targeted by ransomware, Halcyon is stepping up its protection.
-
Valve and Arch Linux Announce Collaboration
Valve and Arch have come together for two projects that will have a serious impact on the Linux distribution.
-
Hacker Successfully Runs Linux on a CPU from the Early ‘70s
From the office of "Look what I can do," Dmitry Grinberg was able to get Linux running on a processor that was created in 1971.
-
OSI and LPI Form Strategic Alliance
With a goal of strengthening Linux and open source communities, this new alliance aims to nurture the growth of more highly skilled professionals.
-
Fedora 41 Beta Available with Some Interesting Additions
If you're a Fedora fan, you'll be excited to hear the beta version of the latest release is now available for testing and includes plenty of updates.
-
AlmaLinux Unveils New Hardware Certification Process
The AlmaLinux Hardware Certification Program run by the Certification Special Interest Group (SIG) aims to ensure seamless compatibility between AlmaLinux and a wide range of hardware configurations.
-
Wind River Introduces eLxr Pro Linux Solution
eLxr Pro offers an end-to-end Linux solution backed by expert commercial support.
-
Juno Tab 3 Launches with Ubuntu 24.04
Anyone looking for a full-blown Linux tablet need look no further. Juno has released the Tab 3.
-
New KDE Slimbook Plasma Available for Preorder
Powered by an AMD Ryzen CPU, the latest KDE Slimbook laptop is powerful enough for local AI tasks.
-
Rhino Linux Announces Latest "Quick Update"
If you prefer your Linux distribution to be of the rolling type, Rhino Linux delivers a beautiful and reliable experience.
good post
http://www.gucciguccis.com
http://www.urboots.com
http://www.handbags2012.com
http://www.louisvuittonslv.com
...
@abitwise and fennec
@fennec A constructive reply to your comment. This doesn't show how "even Linux is vulnerable" as this doesn't exploit anything other than people using insecure passwords. As already mentioned this piece of malware requires a practically open door in terms of security.
Easy solutions
hahahah
LoL The end of the internet the big crash
@ Fennec
This message will destroy itsefl in the next.... bla bla bla
comments
Although we're happy to have lively discussions on our site, we do try to keep a professional tone. Normally I only delete comments that are blatant spam or profanity-laced. In your case, you recommended that a poster commit suicide. Frankly, I find it completely inappropriate and insensitive. Feel free to give your opinion on the article or comments, but please keep it somewhat constructive or cordial. Thanks!
American Foundation for Suicide Prevention: http://www.afsp.org/
rofl...
wtf? Cyber War between the two? Either quit smoking so much crack, or keep off the computer before you get in trouble by your teachers.
@ Fennec
oooooowwkaaay
It is a Cyber War a war between Linux and Windows !!??
Re: Solutions?
Yeay
Just to make it clear
All you have to do to prevent being infecting is using a strong password!
Solutions?