Last Updated: 2009-03-24 13:13:59 UTC - "...document (pdf - dated January 11th, 2009) by Terry Baume* goes into detail about how a specific brand of DSL modem (Netcomm NB5) can be compromised with malicious code that turns the device into an IRC-based bot - named PSYB0T 2.5L. While discovered several months ago, some recent entries on the DroneBL blog (which, among further detail on "PSYB0T", state "We came across this botnet as part of an investigation into the DDoS attacks against DroneBL's infrastructure...") suggest that PSYB0T may be alive and kicking! Some further insight into the possibility that this bot is still evolving (now version 2.9L, 3 months later) has been presented on the TeamFurry blog**..."
"You are only vulnerable if:
• Your device is a mipsel device.
• Your device has telnet, SSH or web-based interfaces available to the WAN.
• Your username and password combinations are weak, OR the daemons that your firmware uses are exploitable.
As such, 90% of the routers and modems participating in this botnet are participating due to user error (the user themselves or otherwise)... Any device that meets the above criteria is vulnerable, including those built on custom firmware such as OpenWRT and DD-WRT. If the above criteria is not met, then the device is NOT vulnerable.
How can I tell if I have been infected?
Ports 22, 23 and 80 are blocked as part of the infection process (but NOT as part of the rootkit itself; running the rootkit itself will not alter your iptables configuration). If these ports are blocked, you should perform a hard reset on your device, change the administrative passwords, and update to the latest firmware. These steps will remove the rootkit and ensure that your device is not reinfected...
Mar-24-2009 ...botnet itself is still active..."
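The infection symptom DroneBL describes above (inbound TCP 22, 23 and 80 all dropped by the device's iptables rules) can be checked from a saved rule listing. The following is an added example written for this page, not code from DroneBL, ISC or the PSYB0T analyses; it parses `iptables -S INPUT`-style output and flags the case where all three ports are blocked. The rule listings embedded in it are constructed samples, not captures from a real modem, and a single deliberately blocked port (common hardening) is treated as not matching the symptom.

```python
"""Flag the PSYB0T-style symptom: INPUT rules dropping TCP 22, 23 and 80.

Added example for this page. The rule listings below are constructed
samples in `iptables -S INPUT` format, not output from a real device.
"""
import re

# Constructed sample: all three ports dropped, as described for an infected device.
INFECTED_RULES = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
"""

# Constructed sample: same symptom expressed with a port range and a multiport list.
INFECTED_RULES_COMPACT = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22:23 -j DROP
-A INPUT -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset
"""

# Constructed sample: only telnet blocked on the WAN interface, i.e. ordinary hardening.
CLEAN_RULES = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 23 -j DROP
"""

# The three ports DroneBL reports as blocked after infection.
SYMPTOM_PORTS = {22, 23, 80}

# Match an INPUT rule whose final target is DROP or REJECT; capture its options.
RULE_RE = re.compile(r"^-A INPUT\b(?P<opts>.*?)-j (?P<target>DROP|REJECT)\b")
# Match --dport N, --dport N:M, or multiport --dports N,M,...
DPORT_RE = re.compile(r"--dports? (\S+)")


def blocked_tcp_ports(rules_text):
    """Return the set of TCP destination ports that INPUT rules DROP or REJECT.

    Port ranges (22:23) and multiport lists (22,23,80) are expanded so that
    the caller can compare against a plain set of port numbers.
    """
    blocked = set()
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or "-p tcp" not in m.group("opts"):
            continue
        dm = DPORT_RE.search(m.group("opts"))
        if not dm:
            continue
        for spec in dm.group(1).split(","):
            if ":" in spec:
                lo, hi = spec.split(":")
                blocked.update(range(int(lo), int(hi) + 1))
            else:
                blocked.add(int(spec))
    return blocked


def shows_psyb0t_symptom(rules_text):
    """True only if every one of TCP 22, 23 and 80 is blocked on INPUT."""
    return SYMPTOM_PORTS <= blocked_tcp_ports(rules_text)


if __name__ == "__main__":
    for name, rules in (("infected", INFECTED_RULES),
                        ("infected-compact", INFECTED_RULES_COMPACT),
                        ("clean", CLEAN_RULES)):
        print(name, sorted(blocked_tcp_ports(rules)), shows_psyb0t_symptom(rules))
```

The check is deliberately conservative: it requires all three ports to be blocked, so a router whose owner closed telnet on the WAN side does not trip it. It also only reads a rule listing; it says nothing about whether the bot binary is present, so a match is a reason to follow the reset, password change and firmware update steps above, not proof of infection by itself.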
24 March 2009
March 23, 2009 - "...targets routers and DSL modems..."