What to do against Psyb0t

antivir_okSome hype established around the malware known as Psyb0t. It is unusual as it doesn’t infect windows machines, but MIPS-based Internet-routers and DSL-modems – which are very widespread. (This is only half of the story. There is a windows malware floating around which starts infecting the Internet gateway; this malware is detected and removed by Avira AntiVir though.)

In our analysis we found plenty of interesting strings in the Psyb0t-variant 2.9L.

Fig. 1: Disassembled Psyb0t and the function graph.

Fig. 1: Disassembled Psyb0t and its function graph.

This malware is quite sophisticated and has a whole lot of functions which a bot master may need. Psyb0t connects to an IRC-Server and can be controlled from there.

It tries to exploit weak passwords on devices reachable via the Internet and contains an extensive list of default passwords and some often used passwords, too. Also it attacks SQL servers and software like PHPMyAdmin. So it doesn’t only infect Netcomm-DSL-Modems as has been reported on the media sometimes, but can break into plenty of other MIPS-based devices from other brands as well – even in OpenWRT installations, if they use some insecure service versions.

How can you detect if your router is infected? There is no easy way to tell. But the malware adds a firewall rule to block telnet connections (iptables -A INPUT -p tcp –dport 23 -j DROP). So if there is a telnet deamon running on your router and you can’t reach it, it would be a bad sign.

How to get rid of an infection? You have to connect via wired network to your Internet gateway in this situation. Fetch the latest firmware version available from a different network, maybe at a neighbour’s place or at a friend’s. Then you usually have to initiate a hard reset on the Internet gateway. Most devices reset their settings to the default ones when pressing the reset knob for 10 seconds, then pulling the power plug and reinserting the plug again.

After that, first change the default password to a good and safe one – you know the drill: Small and capital letters, special characters and numbers in most random fashion. Then upgrade the firmware to the most recent version. After that you can start configuring your Internet gateway again.

Dirk Knop
Technical Editor

Markus Hinderhofer
R&D Engine Team