Psyb0t Attacks Linux Routers (Update)
A botnet named psyb0t has been nesting for a few months in consumer devices that run on Linux with MIPS CPUs, notably routers. Infested devices connect through a botnet over a private Internet Relay Chat (IRC) server to await commands.
Already in January Australian Terry Baume had written a short paper describing the psyb0t malware that was beginning to crop up in Linux systems. Most of these are DSL routers, in that they allow a greater level of stealth because they are online longer than individual PCs. A whole range of devices are affected that use the CPUs under Linux, among them various versions of OpenWRT. Attack vectors are primarily TELNET or SSH that listen on the device's WAN interface, accepting weak passwords (such as admin). According to reports, the malware has a number of attack tools built in, among them a network scanner and brute forcer.
The botnet drew attention by doing a denial-of-service attack on a website with IP blacklists. Some sources say 80,000 to 100,000 clients were affected, all of which registered with the apparently hard to trace back IRC channel. The command and control channel that the attacker used has been temporarily deactivated. But the botnet remains as one of a kind in the large number of Linux devices it attacked.
This is how a botnet works. There are several network-enabled devices and appliances (PCs, DSL modems, refrigerators, etc.) out there. Some of them are vulnerable to one or another form of attack. As a result, the attacker can start a program called malware. One type of malware connects primarily to a chat system such as IRC, which your ordinary 14-year-old might join for the latest superstar gossip. IRC is comprised of several nodes to which users can connect. After a user (or the program) connects to one IRC network, they join a channel. Each IRC network usually has hundreds of these channels, typically starting with a hash mark in its name, such as #superstars.
A participant joining a channel who is not a human is usually a program called a bot. There are all kinds of bots lurking in the IRC, some of them explain UNIX commands, look up bus schedules or forecast the weather. Some, however, await special, often secret, commands or phrases and follow with some action, such as sending a payload of data to a specific target system. As long as just a single bot does this kind of action, usually no one is harmed. Now consider some 10,000 vulnerable hosts that have been infected with some bot malware, all joining a channel such as #mipsel and then idling. After a while, the attacker joins the channel and inputs some magic words, the secret commands (that's why it's called a command and control channel). All of a sudden 10,000 systems distributed from all over the world hurl their workloads at a single target and bring it to its knees.
The virtual swarm-like entity of all 10,000 bots is called a botnet. A botnet is very hard to track since its parts are distributed all over the Internet, making it rather resistant to countermeasures such as IP filters. To add fuel to the fire, enabling a botnet via a router has a greater chance of doing damage in that the router is usually awake and active while its member client units are asleep.
Comments
comments powered by DisqusSubscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Red Hat Adds New Deployment Option for Enterprise Linux Platforms
Red Hat has re-imagined enterprise Linux for an AI future with Image Mode.
-
OSJH and LPI Release 2024 Open Source Pros Job Survey Results
See what open source professionals look for in a new role.
-
Proton 9.0-1 Released to Improve Gaming with Steam
The latest release of Proton 9 adds several improvements and fixes an issue that has been problematic for Linux users.
-
So Long Neofetch and Thanks for the Info
Today is a day that every Linux user who enjoys bragging about their system(s) will mourn, as Neofetch has come to an end.
-
Ubuntu 24.04 Comes with a “Flaw"
If you're thinking you might want to upgrade from your current Ubuntu release to the latest, there's something you might want to consider before doing so.
-
Canonical Releases Ubuntu 24.04
After a brief pause because of the XZ vulnerability, Ubuntu 24.04 is now available for install.
-
Linux Servers Targeted by Akira Ransomware
A group of bad actors who have already extorted $42 million have their sights set on the Linux platform.
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
good post
http://www.gucciguccis.com
http://www.urboots.com
http://www.handbags2012.com
http://www.louisvuittonslv.com
...
@abitwise and fennec
@fennec A constructive reply to your comment. This doesn't show how "even Linux is vulnerable" as this doesn't exploit anything other than people using insecure passwords. As already mentioned this piece of malware requires a practically open door in terms of security.
Easy solutions
hahahah
LoL The end of the internet the big crash
@ Fennec
This message will destroy itsefl in the next.... bla bla bla
comments
Although we're happy to have lively discussions on our site, we do try to keep a professional tone. Normally I only delete comments that are blatant spam or profanity-laced. In your case, you recommended that a poster commit suicide. Frankly, I find it completely inappropriate and insensitive. Feel free to give your opinion on the article or comments, but please keep it somewhat constructive or cordial. Thanks!
American Foundation for Suicide Prevention: http://www.afsp.org/
rofl...
wtf? Cyber War between the two? Either quit smoking so much crack, or keep off the computer before you get in trouble by your teachers.
@ Fennec
oooooowwkaaay
It is a Cyber War a war between Linux and Windows !!??
Re: Solutions?
Yeay
Just to make it clear
All you have to do to prevent being infecting is using a strong password!
Solutions?