Proactive IT Security
 

Hot stuff: Exploitable routers - a flash of the whole iceberg

Introduction

This week a new type of malicious software has been getting some media attention. The most interesting part is that the malware's targets are not traditional computers. Rather, this malware attacks other types of devices, namely routers and modems.

Some malware details

The malware in question is called psyb0t and supposedly attacks routers and DSL modems running a MIPS-based operating system in a particular mode (mipsel).

The malware was first reported by DroneBL and is described as a worm that participates in a botnet used for Distributed Denial of Service (DDoS) attacks. DroneBL was itself hit by such an attack, which is why the investigation was started and the worm identified.

The psyb0t worm uses brute force to guess login credentials (user name/password) to gain access to the device, and is then able to download malicious program code.

To clean an infected device, detach it from the Internet, reboot it with a hard reset, and change the password to a strong one. The worm and its accompanying rootkit do not survive a hard reset. It is also recommended to update the firmware (if available) after reconnecting the device to the Internet.

Implications and worrying stuff

The psyb0t worm may be the frontrunner of a new trend: infecting devices other than (traditional) computers. One of the worrying aspects of this is that routers and modems usually have no antivirus or other security software as a protection mechanism. Thus, an infected device may remain infected without anyone noticing for quite a long time.

Since such devices usually stay up and running without restarts for a very long time, the malware may continue its work undetected by the user and by other parties. The particular malware described above was probably only detected because it participated in a DDoS attack. Other types of malicious software installed on a router could be programmed to forward all traffic passing through the router to a third party, or to redirect certain web requests to rogue websites. This could enable identity theft, theft of corporate and personal secrets, surveillance of all Internet activity and so on. All of this could go on without the user's knowledge, as no security software is in place to protect the vulnerable device.
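The two points above, that psyb0t gains access by brute-forcing login credentials and that a router carries no security software to notice it, suggest the one control a device owner usually does have: the router's own log. The script below is an added example for this post (not code from the psyb0t report or any router vendor) showing how such a log can be checked for a credential-guessing burst. The syslog line format, the dropbear-style messages, the five-failures-in-two-minutes threshold and the sample log lines are all constructed assumptions for the example.

```python
"""Flag credential brute-force bursts in router authentication logs.

Added example for this post, not code from the psyb0t write-up or a vendor.
The log format, message wording and threshold are assumptions, and the
sample lines below are constructed, not captured from a real device.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

YEAR = 2009  # syslog lines carry no year; assumed so timestamps can be compared

# Assumed format: "<Mon DD HH:MM:SS> <host> <process>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>\S+): (?P<msg>.*)$"
)
# Assumed dropbear-like wording for failed and successful password logins
FAIL_RE = re.compile(r"(?i)\b(?:bad|failed) password\b.*?\bfrom (?P<ip>\d+(?:\.\d+){3})")
OK_RE = re.compile(r"(?i)\bpassword auth succeeded\b.*?\bfrom (?P<ip>\d+(?:\.\d+){3})")

# Constructed sample log: one guessing burst that ends in a successful login,
# one ordinary user who mistypes once, and one unparseable line.
SAMPLE_LOG = """\
Mar 23 10:01:02 router dropbear[311]: Bad password attempt for 'admin' from 203.0.113.7:50122
Mar 23 10:01:04 router dropbear[312]: Bad password attempt for 'admin' from 203.0.113.7:50123
Mar 23 10:01:05 router dropbear[313]: Bad password attempt for 'root' from 203.0.113.7:50124
Mar 23 10:01:07 router dropbear[314]: Bad password attempt for 'root' from 203.0.113.7:50125
Mar 23 10:01:09 router dropbear[315]: Bad password attempt for 'admin' from 203.0.113.7:50126
Mar 23 10:01:11 router dropbear[316]: Password auth succeeded for 'admin' from 203.0.113.7:50127
Mar 23 10:15:30 router dropbear[320]: Bad password attempt for 'admin' from 192.0.2.5:41000
Mar 23 10:15:41 router dropbear[321]: Password auth succeeded for 'admin' from 192.0.2.5:41001
garbage line that does not parse
"""


def parse_line(line):
    """Return (timestamp, process, message) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["proc"], m["msg"]


def analyze(lines, threshold=5, window=timedelta(minutes=2)):
    """Per source IP: total failures, whether a burst of >= threshold failures
    fell inside one sliding window, and whether a login succeeded right after
    such a burst (the likely-compromise signal). Lines are assumed in time order."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    report = defaultdict(lambda: {"failures": 0, "brute_force": False,
                                  "success_after_failures": False})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _proc, msg = parsed
        if (m := FAIL_RE.search(msg)):
            ip = m["ip"]
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            report[ip]["failures"] += 1
            if len(q) >= threshold:
                report[ip]["brute_force"] = True
        elif (m := OK_RE.search(msg)):
            ip = m["ip"]
            q = recent[ip]
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:           # success while a burst is still in the window
                report[ip]["success_after_failures"] = True
    return dict(report)


def flagged(report):
    """Source IPs worth blocking or investigating: a brute-force burst was seen."""
    return sorted(ip for ip, r in report.items() if r["brute_force"])


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for ip, r in result.items():
        print(ip, r)
    print("flagged:", flagged(result))
```

The sliding window matters: a single mistyped password is not an attack, and a guessing tool that pauses between attempts would slip past a naive total count, so the threshold is applied to failures that fall within the window rather than to the lifetime total. A success logged while a burst is still in the window is the line that deserves a hard reset and a password change, per the cleaning steps above.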

A compromised router/modem could also be the entry point for attacks on the ordinary computers and the network behind it. A chain is never stronger than its weakest link, and in this case the router/modem may be the frail one.

Tip of the iceberg

Malware attacking routers/modems may, however, only be the tip of the iceberg.

More and more of the devices that surround us and that we use in our daily routines are based on computer technology, with simple or more advanced operating systems as well as applications. An increasing number of these in turn connect to the Internet to enable better or enhanced functionality.

Every device that is connected to the Internet is in principle a potential target for malicious intent from anyone in the whole world.

Examples of devices with computer technology are endless; suffice it to mention:

  • your private car
  • your refrigerator
  • your freezer
  • your electric cooker
  • your gaming console
  • your music system (including the portable ones)
  • your systems for remotely controlling devices in your home (including those mentioned above)

Some imagination is required to see what harm could be done if some of the above were compromised. Note, though, that any compromised device behind your local router/firewall may be the entry point to other devices whose "strategic" importance is more obvious.

And it is really food for thought what remotely accessible cookers could mean to a pyromaniac or someone with such inclinations. It is less severe, obviously, but nonetheless annoying, if someone who holds a grudge against you decides to turn off your freezer and thereby ruins all its contents.

It is probably just a question of time before we see reports describing attacks on these kinds of systems. The complete lack of security mechanisms is worrying.

More information

More details about the psyb0t worm are available from several websites. See for example the initial report from DroneBL, which was said to have been attacked by routers infected by this worm.