More than 100,000 hosts have been infected with a new worm called psyb0t. This worm appears to present a serious threat to home networks everywhere:

  • It infects consumer grade router appliances.
  • It can be used to carry out DDoS attacks, which also affect the infected host’s available bandwidth while helping consume that of the target.
  • It may be able to perform deep packet inspection to harvest user names and passwords from unencrypted traffic.

Researchers at DroneBL, “a realtime monitor of abusable IPs, which has the goal of stopping abuse of infected machines,” in its own words, say of psyb0t:

“This technique is one to be extremely concerned about because most end users will not know their network has been hacked, or that their router is exploited. This means that in the future, this could be an attack vector for the theft of personally identifying information. This technique will certainly not be going away.”

It is certainly something to be concerned about in the aggregate, because there are sure to be many more people whose networking appliances will be compromised by this worm and descendants yet to come. DroneBL also says:

“You are only vulnerable if:

  • Your device is a mipsel device.
  • Your device has telnet, SSH or web-based interfaces available to the WAN.
  • Your username and password combinations are weak, OR the daemons that your firmware uses are exploitable.”

If you’ve been paying attention so far, something should jump out at you right away. Specifically, you should notice that you probably aren’t vulnerable to this. It took some digging for me to get to that point, because the first couple sources I found online describing the worm and its effects didn’t include DroneBL’s page about the subject. What I found instead is what the guys at DroneBL describe thusly:

“Many articles described this as an ‘end of the world, all routers are vulnerable’ thing. This is simply not the case. We would prefer if you contact us if you do not understand fully now.”

The reason you probably aren’t vulnerable is that this is a worm that only affects home network appliances running on MIPS hardware with a particular Linux-derivative OS, and even then only if the device is running telnet, SSH, or a Web-based interface available to the Internet, and even then only if you use weak passwords or vulnerable firmware.

In short, if you’re vulnerable, it’s your own damned fault, and the proper fix is to stop being a security idiot. Don’t provide telnet, SSH, or Web-based configuration interface access on the Internet-facing side of your router, and for the love of all you hold holy, don’t use weak passwords. In the words of DroneBL:

“90% of the routers and modems participating in this botnet are participating due to user-error (the user themselves or otherwise). Unfortunately, it seems that some of the people covering this botnet do not understand this point, and it is making us look like a bunch of idiots.”

  • Stop making people look like idiots by poor reporting.
  • Stop using unencrypted connections to log in to critical resources across the Internet.
  • Stop making yourself vulnerable by using weak passwords or leaving unnecessary services running (which I warned against in 10 security tips for all general-purpose OSes).

If you’re not doing any of those three things, you should be fine.

This concludes today’s Security 101, Remedial Edition lesson. For more reminders of what you should already know, see Security 101, Remedial Edition: obscurity is not security.

If you just want to know more about psyb0t, read about it at the DroneBL page about this threat, rather than relying on clueless reporters who get it wrong.