"Psyb0t" Worm Targets Home Routers
Post 1: Ken Harthun (Mod), March 25, 2009 - 2:11 pm

The latest news on the security front is the "psyb0t" worm. This is the first known case of a worm that infects routers and creates a botnet. At last count, one group of security researchers estimated that over 100,000 routers had been affected. You can get all the gory details from my Security Corner blog (http://itknowledgeexchange.techtarget.com/security-corner/worm-targets-home-networking-equipment/) and these articles:

http://www.theregister.co.uk/2009/03/24/psyb0t_home_networking_worm/
http://www.h-online.com/security/Botnet-based-on-home-network-routers--/news/112913

What you should do

1. Power cycle your router.
2. Disable WAN-facing telnet, SSH or web-based configuration interfaces.
3. Change the passwords to something unguessable (see this article: http://www.davescomputertips.com/articles/security/create_and_use_an_unguessable_password_pt2.php).
4. Upgrade to the latest firmware.

Post 2: David Hartsock (Admin), March 25, 2009 - 9:35 pm

Wow, I did some reading on this. Looks like a couple of providers sent out quite a few routers with WAN side access to the web interface and SSH/telnet access enabled. Of course with the default password of "admin". What were they thinking?! Who would enable SSH and telnet, knowing most users don't even know what it is? Amazing.

Post 3: Jim Hillier (Admin), March 25, 2009 - 10:40 pm

Hey Ken - I just changed my router's access password from 'admin' to 'Jimmysvistamachine'..........just kidding!!

I was told very early on to always change the password from default to something, anything else....and preferably very difficult to guess.

Okay Dave - I put my hand up. So what are 'Wan side access' and 'SSH telnet access'? Since I am among the 'most users who don't even know what it is'...please enlighten.

cheers....JIM

Post 4: Ken Harthun (Mod), March 26, 2009 - 6:56 am

"WAN side access" means there's a way to access the configuration screens of the router from the Internet. Not a good thing if it's enabled by default. WAN stands for Wide Area Network--in this case, it's all the computers on the Internet--as opposed to LAN which stands for Local Area Network--all the computers in your home or business that are connected to the router.

SSH stands for Secure SHell. It's a way to connect to a remote device so that your login, password, and any information flowing on the connection is encrypted, making it impossible to sniff out anything of value. Telnet stands for TELecommunications NETwork. It's the unsecure way to connect to a remote device, as everything is transmitted in both directions in clear text. Anyone sniffing a telnet session can see everything going back and forth.

So, armed with that information and knowing what the default password is, anyone can connect to a router that has these outside connection interfaces open. And that's exactly what the writer of psyb0t did. Once connected, he was able to dump his malware into the router's operating system and make it join the botnet.

If you want to see telnet at work, open a command prompt and type telnet smtp.fuse.net 25 and the server will connect to you. Type HELO kennyhart.com and watch the server open up an Internet mail session.

Hope this helps.

Post 5: David Hartsock (Admin), March 26, 2009 - 6:58 am

Only for you Jim!

LAN - Local Area Network. This is everything on your side of a router or switch. All of your connected computers reside on the same LAN (generally in home use).
WAN - Wide Area Network. Almost everything else with an internet connection is on your WAN! It's more complicated than that, but that pretty much sums it up. Businesses can be connected by a WAN with remote locations, etc.

Think of your Router as the door to your house, only in this case the door is monitored by a doorman (no tips required). The doorman monitors the doorway and controls who enters and leaves your home.
Every connected computer inside your home is your LAN. Computers on the LAN do not necessarily have to have internet access. Every internet connected computer outside of your home is the WAN, usually a connection provided by your ISP. In the case of the internet this is quite a few million computers, each of which can access your 'door' (router or single PC) if they know or guess your IP. That is one of the most important reasons to run a router, so it can control access to your LAN from the WAN.

Telnet - Telecommunication Network. Basically a command line interface to the machine you are connected to. Generally uses port 23, generally does not require authentication, and is not quite so secure.
SSH - Secure Shell. Originally designed to replace telnet in the mid 90's, hence the 'secure' in Secure Shell, and generally uses port 22. SSH does require authentication.

Think of these as a way to issue commands to a remote computer. Another way to look at these is - imagine a super powerful version of WinVNC/UltraVNC that uses a command line interface. If you have Telnet or SSH access to a computer, switch, or router (routers and switches are slimmed down computers - many run a version of Linux) you have access to everything beyond that device in one way or another. NOT a good thing! Don't get me wrong. SSH has many useful purposes (managing remote computers and servers), but allowing access to the wrong thing will get you in a world of hurt in a hurry.

Sorry Ken! I just hit reply after Jim's msg. I'm a goofball.
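An added example (not from the thread) showing how a defender would check a Linux-based router's log for exactly the exposure Ken's step 2 and Dave's port explanation describe: management logins (SSH on 22, telnet on 23, the web interface) arriving from addresses outside the LAN, and whether they used a default account. The log lines are constructed in a dropbear/telnetd-like style; the service names and message formats are assumptions, not any particular router's real output.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample lines (not from the thread) in the style of a Linux-based
# router's syslog; the message formats are assumptions, not a real product's output.
SAMPLE_LOG = """\
Mar 25 02:11:07 router dropbear[812]: Password auth succeeded for 'admin' from 192.168.1.10:51022
Mar 25 02:13:41 router dropbear[813]: Password auth succeeded for 'admin' from 203.0.113.45:40112
Mar 25 02:13:42 router telnetd[77]: login from 198.51.100.7 user=admin
Mar 25 02:15:00 router httpd: GET /admin.cgi from 10.0.0.5 user=admin
Mar 25 02:15:03 router httpd: GET /admin.cgi from 203.0.113.45 user=admin
"""

# The home LAN is the private ranges behind the router; anything else is "WAN side".
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
DEFAULT_ACCOUNTS = {"admin", "root"}  # accounts shipped enabled on many routers

# Matches the three assumed message shapes: "for 'user' from ip:port" (SSH),
# "from ip user=name" (telnet and web interface).
LOGIN_RE = re.compile(
    r"(?P<svc>dropbear|telnetd|httpd).*?"
    r"(?:for '(?P<u1>[^']+)' from |from )(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?::\d+)?(?: user=(?P<u2>\S+))?"
)


def is_wan_side(ip: str) -> bool:
    """True if the address is not inside any of the router's LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LAN_NETS)


def wan_admin_logins(log_text: str) -> List[Dict[str, object]]:
    """Return every management-interface login that arrived from the WAN side."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m or not is_wan_side(m.group("ip")):
            continue
        user = m.group("u1") or m.group("u2") or "?"
        hits.append({"service": m.group("svc"), "ip": m.group("ip"),
                     "user": user, "default_account": user in DEFAULT_ACCOUNTS})
    return hits


if __name__ == "__main__":
    for h in wan_admin_logins(SAMPLE_LOG):
        flag = " (default account!)" if h["default_account"] else ""
        print(f"{h['service']:8} login from WAN {h['ip']} as {h['user']}{flag}")
```

Any hit at all means a WAN-facing interface is still open; a hit on a default account means step 3 (changing the password) has not been done either.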

Post 6: Jim Hillier (Admin), March 26, 2009 - 5:23 pm

Wow, thanks guys.....great explanations, both. Now I fully understand Ken's advisory and the amazement you expressed in your post Dave....seems too stupid to be true!!!

thanks again,
JIM

Post 7: Ken Harthun (Mod), March 26, 2009 - 7:42 pm

Jim Hillier wrote:
> Wow, thanks guys.....great explanations, both. Now I fully understand Ken's advisory and the amazement you expressed in your post Dave....seems too stupid to be true!!!
>
> thanks again,
> JIM

Glad to help, as always, Mate! And I agree--great job, Dave
