Botnet based on home network routers
DroneBL, a distributed DNS blacklist service, says in a recent blog post that a botnet named Psybot has gained control of approximately one hundred thousand routers, and that DroneBL itself became the victim of a distributed denial-of-service (DDoS) attack carried out by this botnet.
A botnet consisting primarily of routers is rather unusual; it is normally Windows PCs that are enslaved as zombies in a botnet. Psybot appears to have specialised in attacking small home network routers that run an embedded Linux on MIPS CPUs.
According to a description by Terry Baume, the Netcomm NB5 is one of the main targets. Baume says that on older firmware versions of this DSL modem with router functionality, the web interface and an SSH port were directly accessible from the internet, and access didn't even require a password. Although this problem was later fixed by a firmware update, it is questionable whether that update was installed on all affected routers.
Once it had access to a system, the bot loaded a file called udhcpc.env into /var/tmp and started it. The program is a MIPSel (little-endian MIPS) Linux binary; its name resembles that of udhcpc, the DHCP client from the udhcp package often used in embedded systems. Psybot was then also able to search for systems running vulnerable versions of phpMyAdmin and MySQL, and attack those.
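For an administrator who wants to check one of these routers, the two observable conditions the article describes are a bot binary dropped into /var/tmp (the udhcpc.env file) and management services (web interface, SSH, Telnet) reachable from the WAN side. The following Python script is an added example, not code from the article, from DroneBL or from Terry Baume. It parses constructed busybox-style `ps` and `netstat -ln` listings embedded inline and flags both conditions. The helper names, the sample listings and the LAN address 192.168.1.1 are assumptions; the "bound to all interfaces" check is only a heuristic for WAN exposure, since a firewall rule on the router can still block the WAN side even when a service listens on 0.0.0.0.

```python
"""Defender-side triage for an embedded Linux router (added example).

Parses constructed busybox-style 'ps' and 'netstat -ln' output and flags:
  * the dropped file named in the article (/var/tmp/udhcpc.env) being executed,
  * any process executed from a world-writable temp directory,
  * a binary that borrows the udhcpc name but lives outside the usual system dirs,
  * management services (ssh/telnet/http/https) not bound to the LAN address.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicator taken from the article: Psybot dropped and ran this file.
KNOWN_DROPPED_FILES = {"/var/tmp/udhcpc.env"}

# A legitimate daemon on a router should never be executed from these.
WORLD_WRITABLE_DIRS = ("/var/tmp/", "/tmp/", "/dev/shm/")

# Where the real udhcpc client normally lives on busybox-based systems.
LEGIT_BIN_DIRS = ("/sbin/", "/bin/", "/usr/sbin/", "/usr/bin/")

# Management ports that should only be reachable from the LAN side.
MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}


@dataclass(frozen=True)
class Finding:
    kind: str    # known_ioc | exec_from_tmp | lookalike_name | exposed_mgmt
    detail: str


def parse_busybox_ps(text: str) -> list[tuple[int, str]]:
    """Turn 'PID USER VSZ STAT COMMAND' lines into (pid, command) tuples."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+\S+\s+\S+\s+\S+\s+(.+)$", line)
        if m:
            rows.append((int(m.group(1)), m.group(2).strip()))
    return rows


def suspicious_processes(ps_text: str) -> list[Finding]:
    """Flag processes by the executable path shown in the command column."""
    findings = []
    for pid, cmd in parse_busybox_ps(ps_text):
        exe = cmd.split()[0]
        if exe in KNOWN_DROPPED_FILES:
            findings.append(Finding("known_ioc", f"pid {pid} runs {exe}"))
        elif exe.startswith(WORLD_WRITABLE_DIRS):
            findings.append(Finding("exec_from_tmp", f"pid {pid} runs {exe}"))
        elif "/" in exe and "udhcpc" in exe and not exe.startswith(LEGIT_BIN_DIRS):
            # Name-alike binary in an unusual location (a path-less 'udhcpc'
            # found via PATH is left alone).
            findings.append(Finding("lookalike_name", f"pid {pid} runs {exe}"))
    return findings


def exposed_management_services(netstat_text: str, lan_addresses: set[str]) -> list[Finding]:
    """Flag TCP listeners on management ports not bound to a LAN address."""
    findings = []
    for line in netstat_text.splitlines():
        m = re.match(r"\s*tcp6?\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN", line)
        if not m:
            continue
        host, _, port_str = m.group(1).rpartition(":")
        port = int(port_str)
        if port in MGMT_PORTS and host not in lan_addresses:
            findings.append(Finding("exposed_mgmt", f"{MGMT_PORTS[port]} on {host}:{port}"))
    return findings


# Constructed sample listings (not captured from a real device).
PS_SAMPLE = """  PID USER       VSZ STAT COMMAND
    1 root      1284 S    init
  312 root      1200 S    /sbin/udhcpc -i eth0
  455 root      2100 S    /var/tmp/udhcpc.env
  460 root      1900 S    /tmp/.hidden/worker
  470 root      1500 S    /mnt/jffs2/udhcpc
"""

NETSTAT_SAMPLE = """Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""


def triage(ps_text: str = PS_SAMPLE, netstat_text: str = NETSTAT_SAMPLE,
           lan_addresses: set[str] | None = None) -> list[Finding]:
    """Run both checks; the LAN address set defaults to the assumed 192.168.1.1."""
    lan = lan_addresses if lan_addresses is not None else {"192.168.1.1"}
    return suspicious_processes(ps_text) + exposed_management_services(netstat_text, lan)


if __name__ == "__main__":
    for f in triage():
        print(f"{f.kind:15s} {f.detail}")
```

On a real device the listings would come from `ps` and `netstat -ln` run over the router's own shell; the script deliberately reads text rather than executing anything, so it can also be run against output saved from a device during an investigation.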
The botnet operator has since discontinued his activities – at least that's what he claims in the status message of the IRC channel used for controlling the bots. He claims to have taken control of 80,000 systems, although DroneBL estimates a figure of approximately one hundred thousand. While these figures need to be taken with a grain of salt, Psybot demonstrates that the botnet problem is not something that only affects Windows PCs.
(crve)