I was informed that this was discovered by Terry Baume a while ago, 12th January 2009. I have not verified the source. http://www.adam.com.au/bogaurd/PSYB0T.pdf
DroneBL DNS Blacklist services is reporting the discovery of "psyb0t" botnet comprising internet modems and routers. It seems that wireless routers and internet modems with WAN accessible management control has fallen victim to botnet. If your router has weak password, it is possible that it is compromised.
Easiest way to detect if your router is affected is the try your web management portal of the router. If you cannot access it, most likely you are affected. This is because according to the current exploit, the worm shuts down web access, telnet and SSL access to the router/modem.
Following information are known so far;
* is the first botnet worm to target routers and DSL modems
* contains shellcode for many mipsel devices
* is not targeting PCs or servers
* uses multiple strategies for exploitation, including bruteforce username and password combinations
* harvests usernames and passwords through deep packet inspection
* can scan for exploitable phpMyAdmin and MySQL servers
This type of botnets are very dangerous as it is very hard for end user to know that her/his router / modem is compromised and this could easily be used as an attack vector for other attacks such as identity theft. The storm botnet we reported is very simple compared to this.
There are reports that the botnet was shutdown and there will be many more such botnet in the future and Please make sure that your routers and modems are protected and that you use strong passwords. Disable remote management from WAN unless you absolutely must have that capacity.
Dronebl (Bookmark this address, might come handy one day)
Monday, March 23, 2009