Knowledge Essentials - 3Essentials Hosting

Security Bulletin: Is your Cable/DSL modem or router infected?

Article ID: 977


You've made sure that all the PCs in your office or home are running automatic updates and apply every new security update immediately when it's available. 
You've got a firewall enabled at your home/office router and a firewall enabled on your PCs. 
You've made sure every PC in your office or home has up-to-date anti-virus software that updates itself with new virus signatures daily, and you have it configured to run complete daily scans. 
So you are absolutely protected, and there's no way any malware can affect you, right?

Maybe... If you have a Cable/DSL modem or router, maybe not, thanks to a worm called "psyb0t" or "Bluepill" that targets these types of devices.  And any home user or small office that uses Cable- or DSL-based internet service will have at least one of these devices.

An article from March '09 reports:
Researchers at DroneBL have spotted signs of a stealthy router-based botnet worm targeting routers and DSL modems.

The worm, called “psyb0t,” has been circulating since at least January this year, infecting vulnerable embedded Linux devices such as the Netcomm NB5 ADSL modem (above) and launching denial-of-service attacks on some Web sites.

Some characteristics:

  • It’s the first botnet worm to specifically target routers and DSL modems
  • Contains shellcode for many mipsel devices
  • It’s not targeting PCs or servers
  • Uses multiple strategies for exploitation, including brute-force username and password combinations
  • Harvests user names and passwords through deep packet inspection
  • Can scan for exploitable phpMyAdmin and MySQL servers

A follow-up article further details that the worm "targets a wide range of devices, and contains the shellcode for over 30 different Linksys models, 10 Netgear models, and 15 other models of cable and DSL modems". 

It's important to realize that if you have one of these devices and it is infected, all data passing between your PC and the internet goes through that device.  The impact of that will vary...
  • If you're accessing your bank's website over HTTPS/SSL, your login credentials and your data are encrypted as they pass back and forth, so the router, even though it carries that traffic, is unable to read the raw data. 
  • But not all communication protocols do this.  FTP, for example, still the standard for transferring files between servers and for publishing your website from your PC to your website hosting provider (like 3Essentials), does NOT encrypt anything: neither your FTP credentials (login/password) nor the files you are transferring.  So an infected cable/DSL modem or router could easily grab FTP credentials and transmit them to the hackers who control the worm. 
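
To make the FTP point concrete, here is an added example (not code from this article or from the psyb0t research) that audits a captured FTP login exchange the way a device sitting on the path would see it, reporting whether the login was readable. The sessions it checks are constructed, and it assumes explicit FTPS (AUTH TLS) as the encrypted alternative.

```python
"""Audit one captured FTP control-channel exchange for credential exposure.

Added illustration for this bulletin, not code from the 3Essentials article
or from the psyb0t analysis. It models what a device on the path (such as an
infected Cable/DSL modem) can read: plain FTP sends USER/PASS in the clear,
while explicit FTPS (AUTH TLS, RFC 4217) wraps everything after the server's
234 reply in TLS records. The sample sessions at the bottom are constructed.
"""
import re


def audit_ftp_session(client_bytes: bytes, server_bytes: bytes) -> dict:
    """Report what an on-path observer learns; the password itself is never returned."""
    report = {"tls_negotiated": False, "user_exposed": None, "password_exposed": False}
    # Did the server accept AUTH TLS? Only a "234" reply means the upgrade happened.
    tls_accepted = re.search(rb"^234 ", server_bytes, re.M) is not None
    rest = client_bytes
    while rest:
        cut = rest.find(b"\r\n")
        line, rest = (rest, b"") if cut < 0 else (rest[:cut], rest[cut + 2:])
        cmd, _, arg = line.partition(b" ")
        cmd = cmd.upper()
        if cmd == b"USER":
            report["user_exposed"] = arg.decode(errors="replace")
        elif cmd == b"PASS":
            report["password_exposed"] = True  # cleartext password went over the wire
        elif cmd == b"AUTH" and arg.upper() == b"TLS" and tls_accepted:
            # From here on the channel is TLS; a handshake record starts 0x16 0x03.
            report["tls_negotiated"] = rest[:2] == b"\x16\x03"
            break
        # An AUTH TLS the server rejected falls through: any USER/PASS the
        # client still sends afterwards is exactly as exposed as plain FTP.
    return report


# Constructed sample sessions (the TLS bytes are a truncated, made-up ClientHello).
PLAIN_CLIENT = b"USER webmaster\r\nPASS s3cret\r\nPASV\r\nSTOR index.html\r\nQUIT\r\n"
PLAIN_SERVER = b"220 FTP ready\r\n331 Password required\r\n230 Logged in\r\n"
FTPS_CLIENT = b"AUTH TLS\r\n" + b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + bytes(20)
FTPS_SERVER = b"220 FTP ready\r\n234 AUTH TLS successful\r\n" + b"\x16\x03\x03\x00\x2a"
DOWNGRADE_CLIENT = b"AUTH TLS\r\nUSER webmaster\r\nPASS s3cret\r\nQUIT\r\n"
DOWNGRADE_SERVER = b"220 FTP ready\r\n500 Unknown command\r\n331 Password required\r\n"

if __name__ == "__main__":
    for name, c, s in [("plain FTP", PLAIN_CLIENT, PLAIN_SERVER),
                       ("explicit FTPS", FTPS_CLIENT, FTPS_SERVER),
                       ("rejected AUTH TLS", DOWNGRADE_CLIENT, DOWNGRADE_SERVER)]:
        print(f"{name:18s} -> {audit_ftp_session(c, s)}")
```

The third session shows the failure mode to watch for: a client that keeps going after the server refuses AUTH TLS leaks exactly as much as plain FTP, so a publishing tool should be set to require encryption rather than merely prefer it.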
Here's the complete article, including recommendations:

You may also wish to:
  • contact your Cable or DSL provider regarding your Cable or DSL modem's potential for vulnerability.
  • contact your router manufacturer regarding your router's potential for vulnerability.