Network Bluepill - stealth router-based botnet has been DDoSing dronebl for the last couple of weeks<http://www.dronebl.org/blog/8> Below is a description of a botnet we found in the wild. However, Update 4 -- Before you read anything else, read this Am I Vulnerable? You are only vulnerable if: * Your device is a mipsel device. * Your device has telnet, SSH or web-based interfaces available to the WAN * Your username and password combinations are weak, OR the daemons that your firmware uses are exploitable. From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Tuesday, March 24, 2009 7:13 PM To: ISAPros Mailing List Subject: [isapros] Re: home router exploit based botnets in the news.. The vendor expects them to be replaced within a year or so - why plan a maintenance process for them? From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak Sent: Tuesday, March 24, 2009 3:00 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: home router exploit based botnets in the news.. Sure but how is the home user going to know which OS their router uses, which brands are good, which ones aren't? Every one that I've seen has no update mechanism. thanks, Amy Babinchak Harbor Computer Services | 248-850-8616 Mobile 248-890-1794 Web http://www.harborcomputerservices.net<http://www.harborcomputerservices.net/> Client Blog http://smalltechnotes.blogspot.com<http://smalltechnotes.blogspot.com/> Tech Blog http://securesmb.harborcomputerservices.net<http://securesmb.harborcomputerservices.net/> Buy My House: http://www.shannonrealty.com/vassar_mls_tour.html Are you an IT Pro? http://www.thirdtier.net<http://www.thirdtier.net/> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Tuesday, March 24, 2009 5:47 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] home router exploit based botnets in the news.. Importance: Low Well, that didn't take long.. http://www.theregister.co.uk/2009/03/24/psyb0t_home_networking_worm/ More than 100,000 hosts invaded By Dan Goodin in San Francisco<http://forms.theregister.co.uk/mail_author/?story_url=/2009/03/24/psyb0t_home_networking_worm/> * Get more from this author<http://search.theregister.co.uk/?author=Dan%20Goodin> Posted in Security<http://www.theregister.co.uk/security/>, 24th March 2009 00:20 GMT Free whitepaper - Trend Micro threat management solution<http://go.theregister.com/tl/44/-765/white-paper-threat-management-solution.pdf?td=wptl44> Security researchers have identified a sophisticated piece of malware that corrals consumer routers and DSL modems into a lethal botnet. The "psyb0t" worm is believed to be the first piece of malware to target home networking gear, according to researchers from DroneBL<http://www.dronebl.org/>, which bills itself as a real-time monitor of abusable internet addresses. It has already infiltrated an estimated 100,000 hosts. It has been used to carry out DDoS, or distributed denial of service, attacks and is also believed to use deep-packet inspection to harvest user names and passwords. "This technique is one to be extremely concerned about because most end users will not know their network has been hacked, or that their router is exploited," the DroneBL researchers wrote here<http://www.dronebl.org/blog/8>. "This means that in the future, this could be an attack vector for the theft of personally identifying information. This technique is not going away." Vulnerable devices include any home router or modem that uses Linux Mipsel, has an administration interface, sshd, or telnet in a DMZ, and employs a weak password. Once the malware takes hold, it locks legitimate users out of the device by blocking telnet, sshd, and web access. It then makes the devices part of a botnet. The researchers said they first learned of the worm while investigating DDoS attacks that hit DroneBL's infrastructure two weeks ago. The worm also helps identify exploitable phyMyAdmin and MySQL servers. More information about psyb0t is available from this research paper (PDF)<http://www.adam.com.au/bogaurd/PSYB0T.pdf> published in January Yeh - "hardware" is secure; especially when it runs a "thin Linux". JimmyJoeBobAlooba From: Jim Harrison (FF EDGE CS) [mailto:Jim.Harrison@xxxxxxxxxxxxx] Sent: Tuesday, March 24, 2009 2:44 PM To: Jim Harrison Subject: FW: home router exploit based botnets in the news.. Importance: Low Jim Harrison Forefront Edge CS If We Can't Fix It - It Ain't Broke! [cid:image001.png@01C9ACB8.49F0AF40] From: George Spix Sent: Tuesday, March 24, 2009 1:07 PM To: Product Security Discussion Forum Subject: home router exploit based botnets in the news.. Importance: Low ExchangeDefender Message Security: Check Authenticity<http://www.exchangedefender.com/verify.asp?id=n2OM0hgG023772&from=amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>