This article details why I recently bought my parents a newer model non-Linksys router.
The first known botnet worm to target routers and DSL modems is circulating in the wild, according to research revealed this week.
Unlike a lost password on your home computer, a lost router password is easy to remedy.
If you lose the password for your home router, you can always use the RESET function on your router to bring it back to factory default and quickly rebuild the settings through the web interface.
In fact, simply resetting your router will kill the bot program; however, without a hard-to-crack password, your home router may become re-infected. Additionally, I recommend and use an admin passphrase of at least 25 characters with numerals and characters.
In short, following our password document from SOEC to set a harder password for your wireless router or DSL Modem/Router will immunize you from this threat.
From SC Magazine: Researchers uncover botnet comprised of routers – SC Magazine US
Researchers at DroneBL, a DNS blacklist company that tracks offensive IP addresses, said they have detected a live botnet — dubbed Psyb0t — that is impacting any MIPS-based Linux router that either contains a weak username-password combination or an interface accessible from outside the local-area network (LAN). (The latter issue, though, was resolved with a firmware update.) An estimated 100,000 devices have been infected by this worm, according to DroneBL.
“Your best bet would be to take action to upgrade the device firmware and secure any passwords if there is concern that the device may be vulnerable,” the blog post said. “Such actions will help to avoid exploitation by the worm.”
In January, an independent researcher from Australia, Terry Baume, was the first person to detect the botnet. He initially noticed increased activity on port 23, used for Telnet client and server communication, and soon discovered the worm impacting Australian-based NetComm’s NB5 routers. NetComm said in a statement Thursday that affected versions shipped between June and December 2005.
“Amongst this small group of versions, the bot only has the potential to manifest in those devices where users have not changed their default password and upgraded to the latest firmware,” the statement said. The company recommended users change their password to one that contains a mix of letters and numbers.
It didn’t take long for the botmaster to extend his reach beyond Australia.
“It’s the first time I’ve ever heard of anything infecting embedded devices,” Baume told SCMagazineUS.com on Wednesday.
He said that though a group of zombie routers may not have the processing power of a legion of compromised PCs, it still can be leveraged by botmasters to do a lot of damage. For instance, it could be used to carry out distributed denial-of-service attacks or DNS hijacking, by which users trying to visit legitimate websites would be redirected to malicious destinations.
Also, Baume said, compromised routers could be “coded to inspect packets” as they pass through “to look for things like usernames and passwords if the information is not encrypted.”
However, at this point, the owner of the botnet is not using his botnet army to do anything malicious, Baume said. To protect themselves from this worm, users should reset their router to clear any infection and then set their administrative password to something strong, which cannot be cracked by techniques such as dictionary attacks, Baume said.
Other reports confirm this trend / issue: ‘Psyb0t’ worm infects Linksys, Netgear home routers, modems
However, the most recently discovered generation (dubbed ‘version 18’ in the code) targets a wide range of devices, and contains the shellcode for over 30 different Linksys models, 10 Netgear models, and 15 other models of cable and DSL modems, APC reports. It did not specify which models.
Another article gives this advice:
Psyb0t is armed with 6000 common usernames and 13,000 popular passwords that it tries in various combinations to gain entry to your home network. Most home-based routers will give you unlimited attempts to get the username and password correct, making these devices an ideal target for infection. Also, unlike your PC, your router and modem are running 24 hours a day meaning psyb0t has a relatively unlimited amount of time to try and gain access.
- The best way to protect yourself is to make sure you are not using the default password and username that came with your equipment.
- Consult the materials that came with your device or the manufacturer’s website for instructions on how to change your username and password.
- If you’re worried you have been infected, a simple factory reset of your device will kill the worm.
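A defender-side check for the behaviour described above (repeated username and password guesses against the router's Telnet login), as an added example that is not from the quoted articles: it flags any source that fails many logins under several different usernames within a short window. The log format, field names, function name and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed syslog-style format
# (not taken from a real device or from the articles above).
SAMPLE_LOG = """\
2009-03-25T02:10:01 telnetd: login failed user=admin src=203.0.113.7
2009-03-25T02:10:03 telnetd: login failed user=root src=203.0.113.7
2009-03-25T02:10:05 telnetd: login failed user=admin src=203.0.113.7
2009-03-25T02:10:08 telnetd: login failed user=support src=203.0.113.7
2009-03-25T02:10:11 telnetd: login failed user=user src=203.0.113.7
2009-03-25T02:10:14 telnetd: login failed user=root src=203.0.113.7
2009-03-25T08:30:00 telnetd: login failed user=admin src=192.168.1.20
2009-03-25T08:30:20 telnetd: login failed user=admin src=192.168.1.20
2009-03-25T08:30:41 telnetd: login ok user=admin src=192.168.1.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def find_dictionary_sources(log_text, window=timedelta(minutes=5), max_failures=5, min_users=3):
    """Return {src: details} for sources whose failed logins look like a wordlist run."""
    failures = defaultdict(list)  # src -> [(timestamp, username)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "failed":
            continue  # skip unparseable lines and successful logins
        failures[m["src"]].append((datetime.fromisoformat(m["ts"]), m["user"]))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over this source's failures
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            users = {user for _, user in burst}
            if len(burst) >= max_failures and len(users) >= min_users:
                flagged[src] = {"failures": len(burst), "usernames": sorted(users)}
                break  # one hit is enough to flag the source
    return flagged

if __name__ == "__main__":
    print(find_dictionary_sources(SAMPLE_LOG))
```

Because the worm can keep guessing around the clock, a slow run spread over hours needs a longer `window` than the five-minute default used here.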