How to Detect and Prevent Psyb0t, the Linux Router Worm
How Worms Crawl Into Routers
April 12, 2009
Security researchers at DroneBL recently identified a botnet, named psyb0t, that attacks DSL modems and routers. The worm seeks out particular devices whose remote-administration ports are open to the Internet and protected only by a weak password. Once it gets into a router, it blocks those ports and could possibly do more damage, such as exposing sensitive information or attacking other networks.
In this tutorial, we'll review the types of routers that are susceptible to this particular worm. Then we'll discuss how to prevent infection from this and other router worms. Finally, we'll see how to get rid of the worm on infected routers.
How worms crawl into routers
Router worms invade through the ports used for remote administration of the router. These ports are not open by default; they have to be enabled manually in the router's Web-based configuration utility. The bigger vulnerability, however, is a weak password. In other words, with the preventative measures below in place, remote administration can be kept reasonably safe.
This latest worm targets setups that meet all of the following criteria:
- Linux-based devices that use a MIPS processor running in little-endian mode (mipsel). This includes roughly 30 Linksys devices, ten Netgear models, and about 15 others. Additionally, routers loaded with firmware replacements, such as DD-WRT, and OpenWRT, are vulnerable.
- Devices that have some type of remote (WAN) administration enabled, such as telnet, SSH, or Web-based access. Devices that allow only local (LAN) access are not vulnerable.
- Remote-administration username and password combinations that are weak, or daemons in the firmware that are exploitable.
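Because the worm gets in by guessing credentials over the exposed service, the earliest sign of it is a burst of failed logins from a single Internet address in the router's log. The script below is an added example, not part of the original article or of any DroneBL tooling: it parses lines modelled on the messages dropbear (the SSH daemon on OpenWrt and DD-WRT) writes to syslog, and flags any WAN-side source that fails a login threshold inside a sliding window. The log lines, hostname, PIDs and addresses are constructed for the example, and the LAN ranges and thresholds are assumptions you should adjust to your own network.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on dropbear's syslog messages on an OpenWrt
# router; hostname, PIDs and addresses are invented for this example.
SAMPLE_LOG = """\
Apr 12 03:14:01 router authpriv.warn dropbear[1842]: Bad password attempt for 'root' from 203.0.113.45:41022
Apr 12 03:14:02 router authpriv.warn dropbear[1843]: Bad password attempt for 'root' from 203.0.113.45:41023
Apr 12 03:14:02 router authpriv.warn dropbear[1844]: Login attempt for nonexistent user from 203.0.113.45:41024
Apr 12 03:14:03 router authpriv.warn dropbear[1845]: Bad password attempt for 'admin' from 203.0.113.45:41025
Apr 12 03:14:04 router authpriv.warn dropbear[1846]: Bad password attempt for 'root' from 203.0.113.45:41026
Apr 12 03:14:05 router authpriv.warn dropbear[1847]: Bad password attempt for 'root' from 203.0.113.45:41027
Apr 12 03:20:10 router authpriv.warn dropbear[1901]: Bad password attempt for 'root' from 192.168.1.10:50211
Apr 12 03:21:30 router authpriv.info dropbear[1902]: Password auth succeeded for 'root' from 192.168.1.10:50212
"""

# Matches the two dropbear failure messages; successful logins are deliberately ignored.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ dropbear\[\d+\]: "
    r"(?:Bad password attempt for '(?P<user>[^']*)'|Login attempt for nonexistent user) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+):\d+"
)

# Assumed LAN ranges; attempts from these are administrators, not the worm.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_failures(log_text, year=2009):
    """Return (timestamp, source_ip, username_or_None) for every failed login line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue
        # syslog omits the year, so it has to be supplied by the caller
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m.group("ip"), m.group("user")))
    return failures


def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), wan_only=True, year=2009):
    """Map each source IP that produced at least `threshold` failures inside any
    `window` to its largest such burst. With wan_only, LAN sources are skipped."""
    by_ip = defaultdict(list)
    for ts, ip, _user in parse_failures(log_text, year):
        if wan_only and is_lan(ip):
            continue
        by_ip[ip].append(ts)

    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        j = 0
        best = 0
        for i, start in enumerate(stamps):
            # advance the right edge while it stays inside the window (monotonic, so O(n))
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            offenders[ip] = best
    return offenders


if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute-force from {ip}: {n} failed logins within 60s")
```

On a live router the same logic can be fed from `logread` (OpenWrt) or the syslog your firmware forwards to a PC; a single Internet source that keeps failing against root or admin is exactly the pattern described above, and is worth blocking at the WAN filter.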
Securing WAN services
Since router worms invade through the remote-administration ports, securing those ports is the key to preventing infection. The best solution is simply not to enable remote administration at all and to keep the ports closed, because the worm then has no way in. If remote access is required, follow these guidelines to prevent invasion:
- Use strong passwords: Router worms rely on brute-force dictionary attacks (they repeatedly try to guess the password), so use a password that can't be guessed from a word list. Instead of admin, pass1234, or something equally simple, mix it up a bit. Try something like i1F3n8Es0yQ3ha, combining lower case, upper case, and digits. Long, confusing passwords are hard to memorize, so keep them in a password manager or in a file stored in a safe place on your PC.
- Ensure remote connections are encrypted: Use HTTPS for Web-based access instead of HTTP, which transmits everything, including your password, in clear text. Next to the remote Web access settings in the router's configuration utility, select the HTTPS option. If shell or command-line access is needed, use SSH; unlike Telnet, SSH is an encrypted protocol. Encryption won't necessarily stop a router worm, which simply guesses passwords over whatever service is listening, but it does improve overall security.
- Change the default ports: Worm bots look for the default ports of these remote services, such as 80 or 8080 for HTTP Web access, 443 for encrypted (HTTPS) Web access, and 22 for SSH, so a router accepting connections on a non-default port is better off. Most routers have a Port field next to the remote connection settings; enter the desired port number there. Then, when accessing the router from a browser, use the custom port: type the Internet IP address of the router followed by a colon and the port. If connecting via SSH, specify the custom port in the connection settings of the SSH client. Keep in mind that this only hides the service from bots probing the defaults; a scanner that sweeps every port will still find it, so treat it as a supplement to a strong password, not a replacement.
- Use inbound filters: Some routers can be configured to restrict incoming connections to listed IP addresses or ranges, which blocks worms originating from any address not on the list. First, see whether an address or range can be defined in the router's remote admin settings. Next, check whether the router has separate incoming filter settings.
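The password advice above can be turned into a check you run before committing a router password. The following is an added example, not code from the original article: it applies the guidelines (length, mixed case, digits, not in a word list) and estimates how long an online guessing attack at a given rate would need in the worst case. The word list and the guess rate of 1,000 attempts per second are constructed assumptions for illustration; real worm dictionaries are far larger, and real routers usually answer far more slowly, so the numbers are relative, not a promise.

```python
import string

# Constructed stand-in for the word list a router worm carries (assumption).
COMMON_PASSWORDS = {
    "admin", "password", "pass1234", "1234", "12345",
    "root", "default", "linksys", "netgear",
}


def check_password(pw, min_length=12):
    """Apply the guidelines above; return (ok, list_of_problems)."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    return (not problems, problems)


def charset_size(pw):
    """Size of the alphabet an attacker must cover, based on the classes actually used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size


def guess_time_seconds(pw, guesses_per_second=1000):
    """Worst-case seconds for an online guessing attack at the assumed rate.

    A dictionary word falls after at most len(COMMON_PASSWORDS) guesses, no
    matter how long it is; otherwise the attacker must exhaust the keyspace."""
    if pw.lower() in COMMON_PASSWORDS:
        return len(COMMON_PASSWORDS) / guesses_per_second
    return charset_size(pw) ** len(pw) / guesses_per_second


if __name__ == "__main__":
    for candidate in ("admin", "pass1234", "i1F3n8Es0yQ3ha"):
        ok, problems = check_password(candidate)
        years = guess_time_seconds(candidate) / (3600 * 24 * 365)
        print(f"{candidate!r}: {'OK' if ok else 'weak: ' + ', '.join(problems)}; "
              f"worst-case {years:.3g} years at 1000 guesses/s")
```

The point the numbers make is the one in the text: a password on the worm's list is gone in a fraction of a second regardless of how the service is configured, while a 14-character mixed-case alphanumeric string is out of reach of an online attack even at an unrealistically high guess rate.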
You can always double-check which ports are open to the Internet with an online security scanner. ShieldsUP from Gibson Research Corporation and Firewall Test from Audit My PC are two good tools: they probe your connection from the outside and report any listening ports. Whatever tool you use, run it from outside your own network, since the services exposed on the WAN side are the ones a worm can reach.
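If you would rather not rely on a third-party site, the same check can be done with a few lines of Python run from a machine outside your network (a friend's connection, or a host you rent). This is an added example, not code from the original article or from either scanning service: it attempts a TCP connection to each of the remote-administration ports named above (plus 23 for telnet) and reports which ones answer. The port list and the example target address 192.0.2.1 are assumptions; replace the latter with your router's WAN address. The loopback demo at the end lets you verify the scanner on your own machine before pointing it at the router.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Default remote-administration ports from the text, plus telnet (assumed list).
ADMIN_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https", 8080: "http-alt"}


def probe(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes, i.e. something is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered/timed out, unreachable
        return False


def scan_admin_ports(host, ports=ADMIN_PORTS, timeout=2.0):
    """Probe every port in `ports` ({port: name}) concurrently; return {port: name} for open ones."""
    with ThreadPoolExecutor(max_workers=len(ports)) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p, timeout)), ports))
    return {p: ports[p] for p, is_open in results if is_open}


def loopback_demo():
    """Self-check: a throwaway listener on 127.0.0.1 must be reported open and a
    port nobody listens on must be reported closed. Returns True on success."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free one
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # released again, so nothing is listening there now

    try:
        found = scan_admin_ports("127.0.0.1", {open_port: "test-listener", closed_port: "nothing"})
    finally:
        listener.close()
    return open_port in found and closed_port not in found


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # assumed WAN address
    if target == "127.0.0.1":
        print("loopback self-check:", "ok" if loopback_demo() else "FAILED")
    else:
        exposed = scan_admin_ports(target)
        if exposed:
            for port, name in sorted(exposed.items()):
                print(f"{target}:{port} ({name}) is reachable from the Internet")
        else:
            print(f"none of the admin ports on {target} answered")
```

A port that answers here is one the worm can also reach; if it is not one you deliberately opened for remote administration, close it in the router's configuration. Note that the scan only covers the listed defaults, so a service you moved to a custom port must be added to the dictionary to be checked.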