Psyb0t Attacks Linux Routers (Update)

Already in January Australian Terry Baume had written a short paper describing the psyb0t malware that was beginning to crop up in Linux systems. Most of these are DSL routers, in that they allow a greater level of stealth because they are online longer than individual PCs. A whole range of devices are affected that use the CPUs under Linux, among them various versions of OpenWRT. Attack vectors are primarily TELNET or SSH that listen on the device's WAN interface, accepting weak passwords (such as admin). According to reports, the malware has a number of attack tools built in, among them a network scanner and brute forcer.

The botnet drew attention by doing a denial-of-service attack on a website with IP blacklists. Some sources say 80,000 to 100,000 clients were affected, all of which registered with the apparently hard to trace back IRC channel. The command and control channel that the attacker used has been temporarily deactivated. But the botnet remains as one of a kind in the large number of Linux devices it attacked.

This is how a botnet works. There are several network-enabled devices and appliances (PCs, DSL modems, refrigerators, etc.) out there. Some of them are vulnerable to one or another form of attack. As a result, the attacker can start a program called malware. One type of malware connects primarily to a chat system such as IRC, which your ordinary 14-year-old might join for the latest superstar gossip. IRC is comprised of several nodes to which users can connect. After a user (or the program) connects to one IRC network, they join a channel. Each IRC network usually has hundreds of these channels, typically starting with a hash mark in its name, such as #superstars.

A participant joining a channel who is not a human is usually a program called a bot. There are all kinds of bots lurking in the IRC, some of them explain UNIX commands, look up bus schedules or forecast the weather. Some, however, await special, often secret, commands or phrases and follow with some action, such as sending a payload of data to a specific target system. As long as just a single bot does this kind of action, usually no one is harmed. Now consider some 10,000 vulnerable hosts that have been infected with some bot malware, all joining a channel such as #mipsel and then idling. After a while, the attacker joins the channel and inputs some magic words, the secret commands (that's why it's called a command and control channel). All of a sudden 10,000 systems distributed from all over the world hurl their workloads at a single target and bring it to its knees.

The virtual swarm-like entity of all 10,000 bots is called a botnet. A botnet is very hard to track since its parts are distributed all over the Internet, making it rather resistant to countermeasures such as IP filters. To add fuel to the fire, enabling a botnet via a router has a greater chance of doing damage in that the router is usually awake and active while its member client units are asleep.