Psyb0t

Psyb0t or Network Bluepill is a computer worm discovered in January 2009. It is thought to be unique in that it can infect routers and high-speed modems.

Progress
Psyb0t was first detected in January 2009 by Australian security researcher Terry Baume in a Netcomm NB5 ADSL router/modem. Then, in early March, it ran a DDoS attack against DroneBL (an IP blacklisting service). From this attack, DroneBL estimated that it had infected about 100,000 devices. This attack brought some public attention to it in later March which probably caused its operator to shut it down. Also DroneBL successfully attempted to bring its command-and-control and its DNS servers down.

Description
Psyb0t targets modems and routers with little-endian MIPS processor running on Mipsel Linux firmware. It is a part of botnet operated by IRC command-and-control servers. After infecting, psyb0t blocks access to the router TCP ports 22, 23, 80.

Psyb0t contains many attack tools. It is known that it is able to perform network scan for vulnerable routers/modems, check for MySQL and phpMyAdmin vulnerabilities or perform website DoS attack.

There are two versions known. The first version 2.5L was affecting Netcomm NB5 ADSL router/modem. Newer version 2.9L now affects over 50 models by Linksys, Netgear and other vendors, including those running DD-WRT or OpenWrt firmware.

Attack vectors and countermeasures
The primary attack vector is SSH or telnet access. Using brute-forcing, it tries to gain access from over 6000 usernames and 13000 passwords. However, 90% of infections are caused by insecure configuration, mostly no or default administration password and allowed remote administration. Recommended countermeasures are to change default access credentials to more secure ones and to update router/modem firmware. In case of infection suspicion, it is advised to perform hard reset of the router, and to not restore the router configuration from a backup.