Linux/Psybot
- Type: Virus
- SubType: Worm
- Discovery Date: 03/24/2009
- Length: varies
- Minimum DAT: 5564 (03/25/2009)
- Updated DAT: 5564 (03/25/2009)
- Minimum Engine: 5.2.00
- Description Added: 03/24/2009
- Description Modified: 03/24/2009 8:00 AM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
This detection is for a worm that attacks small home network routers running embedded Linux. A compromised router joins the botnet and accepts commands from the Command & Control server.
The worm uses multiple strategies for infection, including brute-forcing usernames and passwords.
After gaining access to the router, the worm downloads its malicious component from
- http://dweb.web[blocked].net
and copies the file to the following location:
- /var/tmp/udhcpc.env
The worm then drops traffic to port 22 (ssh), port 23 (telnet) and port 80 (web) to prevent the administrator from accessing the router.
The worm also receives commands from the following control server:
- strcpy.[blocked] on port 5050.
Symptoms
- The user can no longer access the router with the configured credentials.
- The commonly used management ports (22/23/80) remain inaccessible.
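The two symptoms above can be checked from a host on the router's LAN without logging in. The following script is an added example written for this page, not McAfee's or AVERT's own tooling: it probes the three management ports the advisory says the worm drops and grades the result against the listed symptoms. The default address 192.168.1.1 is an assumed home-router address, and the "consistent/partial/clean" verdict labels are this example's own.

```python
import socket

# Management ports the advisory says an infected router stops answering on
# (ssh, telnet, web). Any other port set can be passed to probe_ports().
ADMIN_PORTS = {22: "ssh", 23: "telnet", 80: "web"}


def probe_port(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds, else False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, unreachable or no permission: all count as blocked
        return False


def probe_ports(host, ports=ADMIN_PORTS, timeout=2.0):
    """Probe each port once and return {port: reachable_bool}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def assess_router(port_states, admin_login_ok=None):
    """Grade probe results against the advisory's symptoms.

    port_states    : {port: reachable_bool} as returned by probe_ports()
    admin_login_ok : True/False if the operator also tried the configured
                     credentials on a reachable interface, None if not tried.
    Returns "consistent" (all admin ports blocked, matching the advisory),
    "partial" (some ports blocked, or credentials rejected) or "clean".
    """
    blocked = [p for p in ADMIN_PORTS if not port_states.get(p, False)]
    if len(blocked) == len(ADMIN_PORTS):
        return "consistent"
    if blocked or admin_login_ok is False:
        return "partial"
    return "clean"


def report(host, timeout=2.0):
    """Probe the router and return a human-readable summary."""
    states = probe_ports(host, timeout=timeout)
    lines = [f"{host}: {assess_router(states)}"]
    for port, name in ADMIN_PORTS.items():
        state = "open" if states[port] else "unreachable"
        lines.append(f"  {port}/{name}: {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # 192.168.1.1 is an assumed default; pass the router's LAN address instead
    print(report(sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"))
```

A "consistent" verdict is not proof of infection on its own: an administrator may have disabled telnet and ssh deliberately, or the router may filter management ports on the LAN side. Treat it as a reason to inspect the device (for example for the dropped file /var/tmp/udhcpc.env) or to reset it, not as a detection by itself.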
Note: As the site being communicated with is normally controlled by the malware author, any file being downloaded can be remotely modified and the behavior of these new binaries altered, possibly with every new infection.
Method of Infection
This worm attacks routers with interfaces exposed to the Internet.
Removal
A combination of the latest DATs and the Engine will detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Variants
N/A
All Information
Overview
-- Update March 24, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/03/24/psyb0t_home_networking_worm/
--
This detection is for a worm that attacks small home network routers running embedded Linux. A compromised router joins the botnet and accepts commands from the Command & Control server.