It creates a botnet that is used to launch denial of service attacks

Mar 25, 2009 13:23 GMT

The team at DroneBL, a project that monitors Internet abuse and maintains a list of offending IP addresses, has announced the discovery of a worm infecting routers and DSL modems running the mipsel Debian distribution. The botnet created by this worm is controlled from IRC and, according to a message left by its creator, has reached 80,000 clients.

DroneBL came across this new type of threat after its own infrastructure came under attack. According to the team, they received HTTP-based floods from IPs associated with the botnet. Upon further investigation, they found the binary responsible on infected devices using MIPS processors and running the mipsel version of Debian.
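As an added illustration (not code from DroneBL or from this article), the following Python checker flags the kind of HTTP flood DroneBL describes: it counts requests per source address over a sliding window in a constructed access-log sample and cross-references a hypothetical DroneBL-style list of known drone addresses. The log lines, addresses and the `KNOWN_DRONES` list are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (Apache common format); addresses come from
# the RFC 5737 documentation ranges and do not refer to real hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Mar/2009:13:20:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [25/Mar/2009:13:20:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [25/Mar/2009:13:20:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [25/Mar/2009:13:20:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [25/Mar/2009:13:20:03 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [25/Mar/2009:13:20:05 +0000] "GET /index.html HTTP/1.1" 200 4096
192.0.2.40 - - [25/Mar/2009:13:20:09 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [25/Mar/2009:13:21:30 +0000] "GET /about.html HTTP/1.1" 200 2048
"""

# Hypothetical stand-in for a DroneBL-style list of known drone addresses.
KNOWN_DRONES = {"192.0.2.40"}

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_log(text):
    """Yield (ip, timestamp) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), datetime.strptime(m.group(2), TIME_FMT)

def find_flooders(text, max_requests=5, window=timedelta(seconds=10)):
    """Return the set of IPs that sent >= max_requests inside any window of `window`."""
    by_ip = defaultdict(list)
    for ip, ts in parse_log(text):
        by_ip[ip].append(ts)
    flooders = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= max_requests:
                flooders.add(ip)
                break
    return flooders

def classify(text, known_drones=KNOWN_DRONES):
    """Per-IP verdict: rate-based 'flood' wins over list-based 'listed', else 'clean'."""
    flooders = find_flooders(text)
    seen = {ip for ip, _ in parse_log(text)}
    return {ip: ("flood" if ip in flooders else "listed" if ip in known_drones else "clean")
            for ip in sorted(seen)}
```

The threshold and window are deliberately small so the constructed sample triggers; on real traffic they would be tuned to the server's normal request rate.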

This threat affects a significant number of devices, but certain conditions have to be met for a device to be compromised. These include the router allowing external access to telnet, SSH, or the web interface. In addition, weak administration passwords and failure to install the latest available firmware are also important factors.

"90% of the routers and modems participating in this botnet are participating due to user-error (the user themselves or otherwise)," a DroneBL advisory stresses. "Any device that meets the [...] criteria is vulnerable, including those built on custom firmware such as OpenWRT and DD-WRT," it also points out.

The worm uses multiple strategies for exploitation, including brute-forcing username and password combinations, harvesting usernames and passwords through deep packet inspection, and scanning for exploitable phpMyAdmin and MySQL servers.

The attacker controls the botnet from an IRC (Internet Relay Chat) channel, where the drones connect and listen for commands, which include multiple methods of flooding (for launching denial of service attacks) and scanning for other vulnerable devices. "The author of this worm has some sophisticated programming knowledge, given the nature of this executable," writes "nenolod," a DroneBL project member.

Meanwhile, the botnet runner has left a message via the topic feature of the IRC channel suggesting that the botnet was some sort of experiment and has been dismantled. "Research is over: for those interested i reached 80K. That was fun :), time to get back to the real life...," reads the topic set by someone nicknamed "DRS". In addition, he has left a note for the DroneBL investigators claiming, "I never DDOSed/Phished anybody or peeked on anybody's private data for that matter."

Concerned individuals who suspect that their devices have been compromised are advised to reset them to factory defaults, install the latest firmware and choose stronger passwords. Ports 22 (ssh), 23 (telnet) and 80 (http) being blocked is a sign of infection; this is part of the worm's payload, intended to lock everyone else out of the device.