Psyb0t Attacks Linux Routers (Update)

Mar 26, 2009

A botnet named psyb0t has been nesting for a few months in consumer devices that run on Linux with MIPS CPUs, notably routers. Infested devices connect through a botnet over a private Internet Relay Chat (IRC) server to await commands.

Already in January Australian Terry Baume had written a short paper describing the psyb0t malware that was beginning to crop up in Linux systems. Most of these are DSL routers, in that they allow a greater level of stealth because they are online longer than individual PCs. A whole range of devices are affected that use the CPUs under Linux, among them various versions of OpenWRT. Attack vectors are primarily TELNET or SSH that listen on the device's WAN interface, accepting weak passwords (such as admin). According to reports, the malware has a number of attack tools built in, among them a network scanner and brute forcer.

The botnet drew attention by doing a denial-of-service attack on a website with IP blacklists. Some sources say 80,000 to 100,000 clients were affected, all of which registered with the apparently hard to trace back IRC channel. The command and control channel that the attacker used has been temporarily deactivated. But the botnet remains as one of a kind in the large number of Linux devices it attacked.

This is how a botnet works. There are several network-enabled devices and appliances (PCs, DSL modems, refrigerators, etc.) out there. Some of them are vulnerable to one or another form of attack. As a result, the attacker can start a program called malware. One type of malware connects primarily to a chat system such as IRC, which your ordinary 14-year-old might join for the latest superstar gossip. IRC is comprised of several nodes to which users can connect. After a user (or the program) connects to one IRC network, they join a channel. Each IRC network usually has hundreds of these channels, typically starting with a hash mark in its name, such as #superstars.

A participant joining a channel who is not a human is usually a program called a bot. There are all kinds of bots lurking in the IRC, some of them explain UNIX commands, look up bus schedules or forecast the weather. Some, however, await special, often secret, commands or phrases and follow with some action, such as sending a payload of data to a specific target system. As long as just a single bot does this kind of action, usually no one is harmed. Now consider some 10,000 vulnerable hosts that have been infected with some bot malware, all joining a channel such as #mipsel and then idling. After a while, the attacker joins the channel and inputs some magic words, the secret commands (that's why it's called a command and control channel). All of a sudden 10,000 systems distributed from all over the world hurl their workloads at a single target and bring it to its knees.

The virtual swarm-like entity of all 10,000 bots is called a botnet. A botnet is very hard to track since its parts are distributed all over the Internet, making it rather resistant to countermeasures such as IP filters. To add fuel to the fire, enabling a botnet via a router has a greater chance of doing damage in that the router is usually awake and active while its member client units are asleep.

Related content

  • Psyb0t Attacks Linux Routers

    A botnet named psyb0t has been nesting for a few months in consumer devices that run on Linux with MIPS CPUs, notably routers. Infested devices connect through a botnet over a private Internet Relay Chat (IRC) server to await commands.

  • Chuck Norris Botnet Affects Linux Routers

    Researchers at the University of Masaryk in Brno, Czech Republic, have detected a botnet that can hit Linux routers and DSL modems.


  • good post

    Thanks a lot for enjoying this beauty article with me. I am apreciating it very much! Looking forward to another great article. Good luck to the author! all the best!
  • ...

    It's great that you give us one more reason to drink, how about a solution? <a href="" title="Medyum" target="_blank">Medyum</a>
  • @abitwise and fennec

    @abitwise Changing the port is just security through obscurity, it won't make a difference against a service scan. The best thing is to just use keys instead of just passwords.

    @fennec A constructive reply to your comment. This doesn't show how "even Linux is vulnerable" as this doesn't exploit anything other than people using insecure passwords. As already mentioned this piece of malware requires a practically open door in terms of security.
  • Easy solutions

    Use a key or strong password and also i recommend using a software called denyhosts, it blocks brute force attacks on SSH. If you like, you can even change the SSH port to something different than 22, if you are paranoid.
  • hahahah

    Fennec, you're a star happy
  • LoL The end of the internet the big crash

    We can't make jokes anymore or what !!!??? happy)). You need a lotta imagination guys. Because with the imagination we pass to the next level of innovation. Everything start with an IDEA to invent the future.
  • @ Fennec

    Come on, stop watching starwars movie and start reading Linux for Dummies at first, after you accomplish your mission, come back and re-post a comment !

    This message will destroy itsefl in the next.... bla bla bla
  • comments

    Although we're happy to have lively discussions on our site, we do try to keep a professional tone. Normally I only delete comments that are blatant spam or profanity-laced. In your case, you recommended that a poster commit suicide. Frankly, I find it completely inappropriate and insensitive. Feel free to give your opinion on the article or comments, but please keep it somewhat constructive or cordial. Thanks!

    American Foundation for Suicide Prevention:
  • rofl...

    @Fennec: Linux NT? Dude, you have no idea wtf your talking about. Learn something new, learn what the difference between embedded systems and server/desktop systems are.

    wtf? Cyber War between the two? Either quit smoking so much crack, or keep off the computer before you get in trouble by your teachers.
  • @ Fennec

    Fennec, you are a moron and need to quit watching movies.
  • oooooowwkaaay

    lol @ fennec, and that's all I have to say about that...
  • It is a Cyber War a war between Linux and Windows !!??

    My Hyphothesis is that there is New Cyber War between Linux and Windows before the war was positive in Innovations. Now is going to the distruction between the ITs and Hackers who support Windows and the others who support Linux by creating new Viruses and Worms more powerful. We saw a lot of distructive worms in the net. A lot of people believe that Linux OS and Linux NT is more secure that any Windows OS or NT. what we can see now even Linux is more vulnerable, means no body is immune from this Viruses and Worms. The questions are is it about MONEY !?. Is it about POWER!?. Is it about CONTROL !?
  • Re: Solutions?

    One of the possible solutions is to choose strong password (which is kind of obvious from reading the article) or implement some firewall and block the bruteforce attempts.
  • Yeay

    I've been a Linux fan for 15 years. Linux has always had very good security. We have always been proud of the lack of virus infections in Linux. People always said that this was only because Linux was so small that nobody bothered to target it. They can't say that anymore. Linux is definitely big enough to be worth targeting. Not only that big Linux is big enough that they are targeting Linux running on MIPS cpu devices! The good news is that in order to get infected by something like this you really have to open yourself up and let it in. This has always been the case for many years now and nothing new: If you allow root logins from the net and your root password is "root" you are going to be owned. But now there are enough Linux users out there that enough of them set things up with an ssh or telnet running on the WAN interface with a default or very simple guessable password that they are being actively targeted. Linux has hit the big time!
  • Just to make it clear

    Its worth noting that this botnet does not seem to be using vulnerabilities in the Linux routers it is infecting, generally speaking Linux devices are fairly secure, instead this botnet is infecting devices by guessing the passwords for the remote administration services that run on them (passwords such as: root, admin, password, password1, adminadmin etc) and then uploading and installing itself.

    All you have to do to prevent being infecting is using a strong password!
  • Solutions?

    It's great that you give us one more reason to drink, how about a solution?
comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More