Worm turns Linux routers into botnet

The Psyb0t worm targets routers running Mipsel

Researchers are warning of a new worm that targets DSL routers running a distribution of Linux.

The psyb0t worm appears to have been in circulation since the start of the year, and targets routers running Mipsel, a form of the Debian Linux distribution designed for MIPS processors.

The worm is believed to be the first of its kind, and the researchers at DroneBL estimate that it may have infiltrated as many as 100,000 routers.

Psyb0t uses a brute force dictionary attack against the router to obtain username and passwords. This shows that the exploitation is not an attack on the flaw in the operating system itself, but against poor user security.

"Ninety per cent of the routers and modems participating in this botnet are participating due to user error (the user themselves or otherwise). Unfortunately, it seems that some of the people covering this botnet do not understand this point, and it is making us look like a bunch of idiots," said a posting on the DroneBL blog.

"Any device that meets the above criteria is vulnerable, including those built on custom firmware such as OpenWRT and DD-WRT. If the above criteria are not met, then the device is NOT vulnerable."

Once installed, psyb0t allows remote control of the router, and infected hardware has already been used to take part in botnet attacks. It also uses deep packet inspection to try and harvest usernames and passwords for other sites.