If you’re one of those people with a passing knowledge of Linux, you might see it as something used exclusively by network admins, developers, and hobbyists. What you may not realize is that these admins, devs, and hobbyists have taken this versatile OS and ported it to all sorts of devices over the years. While some of these ports were for fun (epitomizing the “because I could” attitude of many hardware enthusiasts), Linux slowly began to appear on everyday devices. Today you can find the operating system on anything from phones to cameras to PVRs. Even if you’re not a gadget geek, you may have Linux-embedded device yourself without even knowing it.
While this swell in usage is great news for open-source advocates, it also brings with it unwanted attention. As we’ve seen time and again—as software gains in popularity it becomes more of a target for malicious code. Over the last few months, security researchers have been tracking a threat that appears to have slowly built itself a significant botnet (what we’re calling Linux.Psybot). Now threats written for Linux are nothing new or all that newsworthy. What’s different about this threat is that it is written to specifically target a broad set of embedded Linux routers currently on the market.
Once on a device, the threat opens a back door, after which it can perform any number of malicious actions. The implications here sound severe, but it’s important to note that while the threat shows the potential to run on a broad swath of hardware, Linux.Psybot relies on two very common malicious code techniques:
- Brute-forcing weak passwords
- Exploiting vulnerabilities
The good news is protecting yourself is fairly simple—enforce strong passwords and patch. The problem is many people, even some that vigilantly keep their desktop OS up-to-date, don’t regularly administer their routers. In some cases they may have left the default password enabled and don’t keep abreast of patches for their routers.
There are a broad number of routers susceptible to this threat, and their configurations vary, which makes it difficult to give comprehensive advice on how to protect from the threat. Briefly, here are some guidelines to shore up your router. In all cases, if these tips don’t work, consult your router’s manual or your network admin for further details.
Strong passwords
Open a Web browser and type http://192.168.1.1/ or http://192.168.0.1/ in the address bar. In most cases this will take you to your router’s interface and you will be prompted for a user name or password. Most routers contain a default set, and may still be using this combination if you haven’t changed it. Try some of the following (or a blank password), known to work on some default router configurations:
• root
• admin
• default
• password
• 1234
Once you’re in, change that password to something more secure. The location of the password-changing feature will vary from device to device, but should be easy enough to perform.
Patch the router
Now that you’re in, navigate around the interface and look for a feature for upgrading the firmware. Many embedded Linux routers on the market today contain a feature that will check for updates. While the location of the upgrade feature varies from router to router, they’re usually quite easy to run. Just follow the in-browser instructions. (Alternatively, if you have installed custom firmware, check the project’s Web site for updates.)
Disable external Admin access
Another thing you can do to protect yourself from such threats is disable administrative access to the router from outside the network. Linux.Psybot must be able to establish an external connection to your network in order carry out its infection. While this will limit you to accessing the router’s interface from within the network, in most cases this should be sufficient to administer the router. This process is more complex than the previous two, and the steps needed vary greater, so we’ll have to refer you to your manual or network admin here.
Flush the router’s memory
Finally, if you suspect the threat is on your router, you can flush it out by performing a hard reset. This will return the device to its factory settings. Usually, it’s as simple as pushing a button on the back of the router. But before doing so, it’s important to note that you will likely lose any configuration information you may have changed in the router. This will clear out any saved changes in the router, as well as the worm. If you are unsure of the process here, consult your manual or network admin for help in completing this process.
Further reading on Trojan.Psybot
http://www.adam.com.au/bogaurd/PSYB0T.pdf
http://www.dronebl.org/blog/8
Message Edited by Ben Nahorney on 03-30-2009 01:45 AM