IRC News

All about Internet Relay Chat

psyb0t – A stealthy router-based botnet discovered [Updated]

The folks at DroneBL discovered and analyzed a router-based botnet that is suspected to have DDoS’ed them for about 2 weeks.

The bot software, named “psyb0t”, is the “first known botnet based on exploiting consumer network devices, such as home routers and cable/dsl modems”.

Exploiting routers is in some cases more “useful” than infecting PCs, because “most people will keep the router on 24/7”, as opposed to their computers, which “most people shut down [...] in the evening before they go to bed, or when they leave the office”, nenolod writes.
In his paper (written back in 2006, for which at the time he was “called looney”) he also mentions another reason why SOHO routers are an attractive target:

Attacking the router will enable you to monitor network activity with a much higher level of stealth. As most people think the router is a dumb device which simply does NAT translation, it will not be considered a device with a high security risk. Most intrusion analysts at this time will not even consider the router as the place where the malware is hiding.

nenolod, amongst others, disassembled and analyzed the botnet binary, coming to the conclusion that the incarnation we’re seeing now “was mostly a test botnet”. “Terry Baume discovered the first generation, which only targeted a handful of specific models. The current generation would be the second generation, which targets a much wider range of devices”.

Version 17 of the malware contains “shellcode for 30 different linksys models, and 10 netgear models, as well as several kinds of cable and dsl modems (15 different shellcodes)”, as well as a list of “6000 usernames and 13000 passwords” that is used for brute-forcing Telnet and SSH logins that are open to the LAN and sometimes even on the WAN side of those routers.

His efforts to shut down the Command & Control channel the bot uses have been successful, and the DNS, which has been hosted with, has been nullrouted. In a conversation held on IRC he also mentions that the “current version is version 18, but he [the author - ed.] has changed the way he obfuscates the executable”, which was formerly packed using the UPX packer.

The now defunct C&C was suspected to control “100,000 hosts at the moment, but the ircd does not give us any information”. The bot in its current incarnation does “hijack DNS for rapidshare” and “phishes login info”, which leads nenolod to believe it is more of a proof-of-concept right now and is going to grow more sophisticated in the future. Asked about the origin of the worm, he says that several traces point to Australia as the country of origin, and given some reports of increased telnet activity there, he could be right.

The bot is able to scan for vulnerable PHPMyAdmin and MySQL installations, contains an update function and the usual flooding functionality. It also disables access to the routers' control interfaces using iptables rules, denying access to ports 22, 23 and 80. He also notes that the bot is “not linux-specific, a couple of the routers we have seen in the botnet are running VxWorks”.

Detecting the bot isn’t easy, since you would need to capture and analyze the traffic it sends and receives to find out whether you are infected, which is impossible if the infected device does not expose dedicated USB/Ethernet ports through which it can be configured; detection then “would require monitoring at the CMTS or DSLAM” level.
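As an added illustration (not code from the DroneBL analysis or this post), here is a small flow-record triage script in the spirit of the CMTS/DSLAM-level monitoring mentioned above: it flags customer devices that both hold an IRC session and fan out to many hosts on telnet/SSH, the two behaviours described for psyb0t. The flow records, the IRC port and the alert threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (src_ip, dst_ip, dst_port), as they might be
# exported from a CMTS/DSLAM-side collector. Not real traffic; the addresses
# are documentation ranges chosen for this example.
SAMPLE_FLOWS = [
    ("10.0.0.5", "198.51.100.7", 6667),   # router holding an IRC session
    ("10.0.0.5", "203.0.113.10", 23),     # ...and probing telnet/SSH on
    ("10.0.0.5", "203.0.113.11", 23),     # one host after another
    ("10.0.0.5", "203.0.113.12", 22),
    ("10.0.0.5", "203.0.113.13", 23),
    ("10.0.0.5", "203.0.113.14", 22),
    ("10.0.0.7", "192.0.2.50", 22),       # a single admin SSH session: benign
    ("10.0.0.9", "192.0.2.80", 80),       # ordinary web browsing: benign
    ("10.0.0.9", "192.0.2.81", 443),
]

IRC_PORTS = {6667}        # assumption: plain IRC; a real C&C can sit on any port
LOGIN_PORTS = {22, 23}    # the SSH/telnet services the bot brute-forces
FANOUT_THRESHOLD = 5      # assumption: distinct login targets before alerting


def triage(flows, irc_ports=IRC_PORTS, fanout_threshold=FANOUT_THRESHOLD):
    """Return {src_ip: [reasons]} for sources showing C&C or fan-out behaviour."""
    irc_servers = defaultdict(set)
    login_targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport in irc_ports:
            irc_servers[src].add(dst)
        elif dport in LOGIN_PORTS:
            login_targets[src].add(dst)

    findings = {}
    for src in set(irc_servers) | set(login_targets):
        reasons = []
        if irc_servers.get(src):
            reasons.append("irc-session:%d server(s)" % len(irc_servers[src]))
        if len(login_targets.get(src, ())) >= fanout_threshold:
            reasons.append("telnet-ssh-fanout:%d hosts" % len(login_targets[src]))
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in sorted(triage(SAMPLE_FLOWS).items()):
        print(src, ", ".join(reasons))
```

A single IRC session alone is not proof of infection; the script is meant to rank devices for a packet capture, not to replace one.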

In his posting on the DroneBL blog nenolod writes that they “are looking into finding out more information about this botnet, and its controller. If you have any information, we would like to know.”

Update and patch your routers so they don’t swallow a blue pill :)


The botnet has apparently been shut down by its owner:

* Now talking on #mipsel
* Topic for #mipsel is: .silent on .killall .exit ._exit_ .Research is over:
 for those interested i reached 80K. That was fun :) , time to get back to the real life... (To the DroneBL guys:
 I never DDOSed/Phished anybody or peeked on anybody's private data for that matter)
* Topic for #mipsel set by DRS at Sun Mar 22 17:02:15 2009

nenolod writes in their blog:

While this information may or may not be true, we have received HTTP-based floods from IPs participating in this botnet.

We are still interested in this DRS person. If you have any information, please provide it to DroneBL. We will not disclose our sources.

Further reading:

  • Andrew says:

    The original article published by Terry Baume

    March 24, 2009 at 8:05 am
  • Ian Walker says:

    My name is Ian Walker, and I know quite a bit about these hacks (well ‘of’ not ‘about’ – I am not a security person and have never professed to be one). I have been hacked in this way for the past few YEARS!

    I first knew about this when my NB9W router kept on being hacked - intrusion logs seemed to indicate that it was Chinese and Taiwanese hackers doing it, but I also suspect a group of MCT’s as well as a company I once worked for. I tried and tried to get netcomm interested to no avail. Repeated new bios flashes (every day, with strong passwords every day) did not work. I begged netcomm to help and they just plain ran me in circles. I even tried to get my ISP involved (OPTUS) and they were stunningly unhelpful, I even tried the Ombudsman! All to no avail – no-one “seemed” to take me seriously. I contacted the federal police, local police, and even tried ASIO. Which probably makes me out to be a nutjob, but I was desperate and I was also very concerned about the extent and sophistication of the hacking, surely a worry if it was Chinese originated.

    Nothing worked. NOTHING.

    I persisted though.

    I was given an NB5 about a year ago, and it seemed to be OK, but now I see that it was compromised almost immediately. This router was not able to let me log external addresses like the NB9W “seemed” to, and OPTUS was no help at all with monitoring the router side of my traffic. Netcomm ignored me when I asked if there were a shell I could use to get to the linux cl of the routers so as to try and prevent this hacking, or at least try to determine who was doing it. In fact it seemed as though netcomm and optus colluded to try and prevent me from doing this whilst they gave the hackers carte-blanche to do the same to me. It was like trying to fight with both hands tied whilst netcomm and OPTUS watched on and pretended nothing was happening.

    Very Strange!

    I just did a pathping on my router to and got back ! So yes my router (patched) is compromised… I dare say it is the *prototype* for the hack!

    In fact I stumbled across another psy type address in my ports list the other day. It seemed they were trying to phrack a mobile phone I attached to my internet computer – digging further took me to several sites where a fellow was complaining about a firewall preventing him from phracking a mobile (he thought, he was wrong). This led me to other sites that listed my IP (which is changed by optus regularly) as having connected to several web sites around the world, one of which was a Taiwanese kindergarten! So his hacks were fresh, and were shaped to new devices attached to my internet computer. The way this fellow sounded on the posts he made did not indicate to me that he was Chinese either! His writing style was aussie!

    I think this botnet has been spawned by a fellow, maybe others as well, who has been plaguing me for several years. I think my routers have been compromised by him as prototypes and I have known about his DNS re-routing for quite a while as well (certificates have blown up where they shouldn’t for example, or when I visited web sites I normally didn’t go to).

    I want to catch this person (or people) and can muster a large amount of money to do so. I can also provide my router equipment for testing as well.

    Do you have any suggestions on how I can go about hunting this rat down?

    Ian Walker

    March 26, 2009 at 6:12 am
