© 2009 System-Protector.com All Rights Reserved.
Bit Defender | Kaspersky | ESET NOD32 | AVG Antivirus | F-Secure Antivirus | Trend Micro | McAfee VirusScan | Norton antivirus | CA Antivirus | Norman Antivirus | G DATA Antivirus | Panda Antivirus | AVAST Antivirus | F-Prot antivirus | PC Tools Antivirus | Webroot Antivirus | ViRobot
Latest in trend:
» viruses
Linux.Psybot
What is Linux.Psybot?
This is a worm which attacks small home network routers based on embedded Linux. The compromised router is capable of joining the botnet and accepts commands from the Command & Control Server.
The worm uses multiple strategies for infection including brute forcing usernames and passwords. After gaining access to the router, the worm downloads the malicious component from:
- http://dweb.web[blocked].net
and copies the file to the following location:
- /var/tmp/udhcpc.env
The worm then drops port 22 (ssh), port 23 (telnet), port 80 (web) to prevent administrator from accessing the router. The worm also receives commands from the control server mentioned below:
- strcpy.[blocked] on port 5050.
How does it affect your PC?
Once on a device, the threat opens a back door, after which it can perform any number of malicious actions. The implications here sound severe, but it’s important to note that while the threat shows the potential to run on a broad swath of hardware, Linux.Psybot relies on two very common malicious code techniques:
- Brute-forcing weak passwords
- Exploiting vulnerabilities
This in turn results in:
- Preventing the user from accessing router with the defined credentials.
- The commonly used ports (22/23/80) remaining inaccessible.
Note: As the site being communicated is normally controlled by the malware author, any files being downloaded can be remotely modified and the behavior of these new binaries altered - possibly with every user infection.
How to remove Linux.Psybot?
- Strong passwords
Open a Web browser and type http://192.168.1.1/ or http://192.168.0.1/ in the address bar. In most cases this will take you to your router’s interface and you will be prompted for a user name or password. Most routers contain a default set, and may still be using this combination if you haven’t changed it. Try some of the following (or a blank password), known to work on some default router configurations:
• root
• admin
• default
• password
• 1234
Once you’re in, change that password to something more secure. The location of the password-changing feature will vary from device to device, but should be easy enough to perform.
- Patch the router
Now that you’re in, navigate around the interface and look for a feature for upgrading the firmware. Many embedded Linux routers on the market today contain a feature that will check for updates. While the location of the upgrade feature varies from router to router, they’re usually quite easy to run. Just follow the in-browser instructions. (Alternatively, if you have installed custom firmware, check the project’s Web site for updates.)
- Disable external Admin access
Another thing you can do to protect yourself from such threats is disable administrative access to the router from outside the network. Linux.Psybot must be able to establish an external connection to your network in order carry out its infection. While this will limit you to accessing the router’s interface from within the network, in most cases this should be sufficient to administer the router. This process is more complex than the previous two, and the steps needed vary greater, so we’ll have to refer you to your manual or network admin here.
- Flush the router’s memory
Finally, if you suspect the threat is on your router, you can flush it out by performing a hard reset. This will return the device to its factory settings. Usually, it’s as simple as pushing a button on the back of the router. But before doing so, it’s important to note that you will likely lose any configuration information you may have changed in the router. This will clear out any saved changes in the router, as well as the worm. If you are unsure of the process here, consult your manual or network admin for help in completing this process.