
The people behind the DroneBL DNS blacklist service write on this page that they have discovered a new type of botnet. Instead of consisting of a variety of infected PCs or servers, this new botnet is made up of broadband modems and routers.
The zombies in the botnet have been infected by a worm called "psyb0t".
What the network devices the worm attacks have in common is that they are based on a processor with the mipsel architecture (MIPS little-endian) and run the Linux operating system. The attacks occur via the administration interface, SSH or telnet on devices that sit in a part of the local network that is partially exposed to the outside world (DMZ). This requires, however, that these services are open to the Internet.
It is weak username and password combinations that give the worm access, not vulnerabilities in the systems.
According to the DroneBL blog, the zombies in the botnet collect usernames and passwords through deep packet inspection. All unencrypted traffic that passes through the network device can in theory be scanned in this way.
The zombies can also scan for PHP and MySQL servers that can be exploited, and take part in distributed denial-of-service (DDoS) attacks. DroneBL is said to have discovered the botnet while investigating just such an attack.
According to the DroneBL blog, it is assumed that at least 100 000 units have been infected.
A message captured on IRC suggests that the botnet has now been shut down, but according to the DroneBL blog, HTTP-based flood attacks are still seen from IP addresses involved in this botnet.
Users of network devices such as routers running OpenWrt or DD-WRT as the operating system are advised to secure the devices by turning the power off, rebooting the appliance and choosing a good password. It can also be a good idea to upgrade to the latest version of the software on the device.