psyb0t: The first worm that infects modems/routers!

(Locked topic, by Nemanja Živanović)

[ Views: 1714 | Replies: 0 ]


Catch 22

psyb0t: The first worm that infects modems/routers! (26.03.2009 at 08:16)
New worm can infect home modem/routers

(apc, Samantha Rose Hunt: 25 March 2009, 2:00 PM)
Quote:
A new botnet, “psyb0t” is the first known to be capable of directly infecting home routers and cable/DSL modems.
It is suspected that the botnet originated in Australia, as the first activity from the botnet was detected here. Australian IT consultant Terry Baume first observed it infecting a Netcomm NB5 modem/router. You can read his full analysis here.
The botnet binary was further analysed by members of the website DroneBL (a real-time IP tracker that scans for botnets and vulnerable machines), which came to the conclusion that the “psyb0t” or "Network Bluepill" botnet was mostly a test run to prove the technology. After the botnet's discovery and public outing, the botnet operator swiftly shut it down.

The first generation targeted very few models of router, though the current, most recently discovered generation (dubbed 'version 18' in the code) targets a wide range of devices.

The malware contains the shellcode for over 30 different Linksys models, 10 Netgear models, and a variety of other cable and DSL modems (15 different shellcodes).

A list of 6000 usernames and 13,000 passwords was also included, to be used for brute force entry to Telnet and SSH logins which are open to the LAN and sometimes even the public WAN side of the routers. Generally, routers do not lock a user out after a number of incorrect password attempts, making brute force attacks possible.

According to DroneBL, any router that uses a MIPS processor and runs the Linux Mipsel operating system (a simple operating system for MIPS processors) is vulnerable if it has the router administration interface, or sshd/telnetd, in a DMZ with weak usernames/passwords. DroneBL noted this includes devices flashed with the open-source firmwares openwrt and dd-wrt, and the group also said that other routers may be vulnerable, as it had observed the bot running on routers based on the VxWorks operating system.

Of course, exploiting home network devices is more useful than infecting PCs because they are mostly running 24 hours a day, unlike PCs. The attack of a router additionally enables hackers and exploiters to exploit a network with greater levels of stealth, as there's no change to PCs on a network, except perhaps reduced network performance.

The staff of DroneBL noted that the exploit is very difficult to detect, as the only way to discover it is to monitor traffic going in and out of the router itself, and that's beyond the reach of software running on a computer. In the past, exploits on professional-grade Cisco routers were easier to detect, as Cisco provides dedicated ports for connecting to the router, monitoring internal performance and configuring them. However, the vast majority of home routers sacrifice these features for the sake of cost savings.

According to DroneBL, the botnet is capable of scanning for vulnerable PHPMyAdmin and MySQL installations. It can also disable access to the control interfaces of a router, meaning a factory reset will be necessary to clear the worm.

DroneBL attempted to shut down the Command & Control channel that the botnet utilized, and was successful. The DNS which was hosted with afraid.org was also nullrouted. The Command & Control is now defunct, but at the height of its penetration, the botnet was suspected to control 100,000 hosts. The author of the botnet, chatting anonymously on an IRC channel, claimed to have infected 80,000 routers at one point.

...

(the text continues at the link above)
:(
