Psyb0t Compromising Insecure Home Routers
MX Logic IT Security Blog
27 March 2009

Word is spreading of a botnet called Psyb0t that is going around and compromising the home routers of people who have not changed the default login password on those devices. According to published numbers, around 80,000-100,000 Linksys and Netgear routers have been affected by Psyb0t. It is important to note that there are a couple of criteria that must be met before your router can be exploited via Psyb0t. First, the router must be a MIPS device (x86 devices are not vulnerable to Psyb0t). Second, it has to be configured to be administered remotely (from the internet, not the local LAN). Third, it needs to be using the default password that the device was originally configured with (a common insecure practice).

Although Psyb0t is the first botnet alleged to be exploiting home routers, the concept of compromising routers with default passwords is not a new one. One of the things that I have the honor of doing as part of my job is a quarterly section for SC Magazine called the Threat of the Month. The piece that I submitted for their February 2009 issue was on the topic of Drive By Pharming. Essentially, drive by pharming is the compromise of home routers that have the "Remote Administration" port enabled so that their settings can be modified from the internet. If the factory password is still the password used to log in to the device, it is trivial for an attacker to get in and modify your settings to point you at a malicious DNS server, so that traffic to legitimate sites gets redirected to sites set up to phish passwords or inject malware. That is only one possibility. Another is that a new version of firmware could be uploaded to turn the device into a bot.

At their core, these home routers are mini computers, susceptible to attack and infection if proper precautions are not taken to protect them. Default passwords for just about every router made are trivial to find on the internet. In fact, there are sites set up, like routerpasswords.com, that let you select the manufacturer of the router and then tell you the default password for its known models. Be sure to secure all layers of your home or business network (plenty of SOHO businesses use standard Cable/DSL modems for their internet connectivity). Never assume that this is being done by someone else or that it is someone else's responsibility. The default settings on most of the gear that you will buy are set up so that initial access and administration of the device is easy (this reduces support costs and angry customers). From there it is up to you to make sure best practices are followed to keep your network and data secure from outside intrusion.
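As an added example (not part of the original blog post), here is a small Python audit of a router settings export for the conditions the article describes: remote administration enabled, factory-default admin password (with the MIPS case that matches the Psyb0t profile), and DNS servers pointing somewhere the owner never configured, the drive-by pharming indicator. The key=value export format, the vendor name and its default-credential table, and the IP addresses are all constructed for the example.

```python
# Constructed default-credential table for a hypothetical vendor; a real
# audit would load the vendor's full known-default list for its models.
DEFAULT_CREDENTIALS = {"examplevendor": {("admin", "admin"), ("admin", "password")}}

def parse_settings(text):
    """Parse a simple key=value settings export (constructed format) into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings

def audit_router(settings, trusted_dns):
    """Return findings for the exposure conditions described in the article.
    An empty list means none of the checked conditions was met."""
    findings = []
    vendor = settings.get("vendor", "").lower()
    creds = (settings.get("admin_user", ""), settings.get("admin_password", ""))
    default_pw = creds in DEFAULT_CREDENTIALS.get(vendor, set())
    remote_admin = settings.get("remote_admin", "0").lower() in ("1", "yes", "on", "true")
    if default_pw:
        findings.append("default admin password still set")
    if remote_admin:
        findings.append("remote (WAN) administration enabled")
    if default_pw and remote_admin:
        msg = "administrable from the internet with a factory password"
        if settings.get("arch", "").lower() == "mips":
            msg += " (MIPS device: matches the Psyb0t profile)"
        findings.append(msg)
    # Pharming indicator: every configured resolver should be one you chose
    # or your ISP assigned; anything else warrants investigation.
    dns = [s.strip() for s in settings.get("dns_servers", "").split(",") if s.strip()]
    rogue = [s for s in dns if s not in trusted_dns]
    if rogue:
        findings.append("unexpected DNS servers configured: " + ", ".join(rogue))
    return findings

# Constructed export resembling a factory-fresh router with remote admin on
# and one DNS entry (203.0.113.53) that the owner never configured.
SAMPLE_EXPORT = """
vendor=ExampleVendor
arch=mips
admin_user=admin
admin_password=admin
remote_admin=1
dns_servers=203.0.113.53,198.51.100.1
"""
TRUSTED_DNS = {"198.51.100.1", "198.51.100.2"}  # constructed ISP resolvers
```

Running `audit_router(parse_settings(SAMPLE_EXPORT), TRUSTED_DNS)` on the sample export returns four findings; a router with a unique password, remote administration off and only the trusted resolvers returns none.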