Psyb0t: varying the angle of attack

DroneBL, a site that tracks IP addresses that considered vulnerable to abuse that some sites use for its DNSBL (blocking list), blogged yesterday on the fact that it’s been subjected to a Distributed Denial of Service attack (DDoS), apparently by systems infected with malware going by the name of psyb0t.

According to the blog, this is an IRC (Internet Relay Chat) botnet – at one time, nearly all botnets were controlled using the IRC protocol, though other mechanisms have been used more and more in recent years.

This bot looks interesting, though, in that it doesn’t seem to target PCs (at least, not for recruiting as drones): instead, it targets routers and DSL modems, containing shellcode for a number of mipsel devices (that is,  devices running on an architecture supported by some flavours of embedded linux), and including some wrinkles that would make it difficult for a home user to get back control of their router, even if they became aware of the problem.

This is by no means a brand-new idea: Nenolod released a paper on the potential attack in 2006, and I reviewed an interesting conference paper submission a year or so ago (unfortunately, I can’t remember the source, so I don’t know if it was accepted or published!) that covered similar ground from a more formal standpoint. And it’s far from the first attack to target devices that aren’t normally thought of as computers – one that springs to mind is a long-gone PostScript Trojan that could render some Apple printers to all intents and purposes unusable.

(This attack doesn’t make the device unusable – there’s no potential profit in that – but if it manages to take hold of your router/modem, it will try to lock you out so that you can’t easily remove it.)

However, the site estimates that somewhere in the region of 100,000 systems are affected (or were): if Dronebl is anywhere near the right ballpark, that looks like a serious exploration of the concept.

I suspect that it’s a concept (or a real attack) that we’ll see more of: for an attacker, it makes a lot of sense to use systems that the average home user never even thinks about, and that are available 24/7. Now is probably the time to think about checking the device that connects your home PC to the world for weak username/password combinations.

Tip of the hat to Mikko for pointing out the blog report.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Author David Harley, ESET

  • Christian

    WE HAVE A NEW SYSTEM ROUTER FOR OUR HOME SERVER WHEN FIRST IT WAS BOUGHT THE SIGNAL IS GOOD BUT AFTER A MONTH THE SIGNAL CAME POOR AND DETERIORATE MAYBE PSYBOT YOU SAID JOIN IN OUR ROUTERS USABILITY PLEASE EMAIL US FOR THE SLUTIONS ABOUT THIS PROBLEM PS WE PUT A VERY LONG PASSWORD AND USERNAME ON IT. THANK YOU FOR READING.

    • I’m afraid we don’t have the resources to do this sort of support. You need to contact your router supplier in the first instance: it very probably has nothing to do with psybot, and even if it does they ought to be able to tell you about remediation.

Follow us

Copyright © 2016 ESET, All Rights Reserved.