Psyb0t worm breeds botnets using home gear.

A worm known as psyb0t 2.9L has been identified that is compiled for, and runs on, Linux-based embedded routers using the Mipsel (little-endian MIPS) architecture.

According to The Register security site, “vulnerable devices include any home router or modem that uses Linux Mipsel, has an administration interface, sshd, or telnet in a DMZ, and employs a weak password.”

There doesn’t seem to be a definitive list of exactly which devices are affected, but from my own digging there could be up to 30 Linksys devices and some Netgear models, as well as some brands of DSL modems and routers, including those running OpenWRT and DD-WRT firmware. This worm does NOT target PCs or servers.

Interestingly, DroneBL, the realtime scanning organization that identifies botnets and abusable IPs in the wild, has a very informative blog post on this particular worm. They indicate that infection is 90% user fault: allowing weak passwords and opening ssh (port 22), telnet (23), and http (80) to the outside. As a matter of fact, once a router is infected, those same ports will be BLOCKED to you if you try to reach them from your own network. So if you run a scan and see these ports blocked, knowing you opened them to run your server from outside the network, you may want to do some further investigation; chances are, you’re infected. (Since you will effectively be locked out of these ports when you attempt to connect, you’ll probably already guess something is amiss.) DroneBL says detecting this infection is tricky and requires you to monitor traffic coming in and out of the router.
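As an added example (not from the original post or from DroneBL), here is a small Python check that probes the router’s ssh, telnet and http ports from inside the LAN and flags the pattern described above: ports you know you left open that now refuse or drop connections. The router address and the set of ports you expect to be open are assumptions; adjust them for your own network.

```python
import socket

# The three admin ports the post names: ssh, telnet, http.
ADMIN_PORTS = (22, 23, 80)


def probe_port(host, port, timeout=2.0):
    """Return 'open', 'closed' (connection refused) or 'filtered' (no answer) for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        # Timeout or unreachable: the connection was silently dropped.
        return "filtered"


def assess(statuses, expected_open):
    """Given {port: status} and the ports you deliberately opened, return those that are
    now unreachable from the LAN. That is the lockout symptom the post describes."""
    return sorted(p for p, s in statuses.items() if p in expected_open and s != "open")


def check_router(host, expected_open, ports=ADMIN_PORTS, timeout=2.0):
    """Probe every admin port on the router and report which expected-open ones are blocked."""
    statuses = {p: probe_port(host, p, timeout) for p in ports}
    return statuses, assess(statuses, expected_open)


if __name__ == "__main__":
    # Assumed LAN address of the router (constructed for this example).
    ROUTER = "192.168.1.1"
    # Assumption: you intentionally exposed ssh and http on this router.
    statuses, suspicious = check_router(ROUTER, expected_open={22, 80})
    for port, status in sorted(statuses.items()):
        print(f"{ROUTER}:{port} {status}")
    if suspicious:
        print("Expected-open ports now unreachable from the LAN:", suspicious)
        print("Matches the psyb0t lockout pattern; capture router traffic before resetting.")
    else:
        print("No lockout pattern observed.")
```

A port that is unreachable for other reasons (a firewall rule you forgot, or a router that simply never listened on it) will show the same result, so treat a hit as a prompt to inspect traffic, not as proof of infection.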

The fix is easy: infected routers should undergo a hard reset (However…). The factory default login should be changed to something more secure, and the router firmware should be updated.

According to an update by DroneBL, the actual botnet that was spawned from psyb0t is presumed to be shut down.
