The main thing keeping Linux desktops out of botnets is the sophistication of their users, but the people who built Psyb0t knew most people don't pay much attention to router security.
calling it the first botnet designed for broadband equipment and routers,
and that it is. But it's also the first of something else: Psyb0t is the first Linux
And even though it's running on hardware devices and even though it's
running on Linux, and an obscure distribution of Linux at that, the basic
mechanisms of it aren't that different from "conventional" botnets
that run on Windows PCs. There's a lesson here.
Linux seems to be a great platform for these little embedded devices. It's
small enough that it can fit in economical hardware, portable enough that you
can put it on almost any processor and platform, and it's got great networking
tools. This particular bot runs on Linux Mipsel devices ("Mipsel" refers to
little-endian implementations on MIPS processors, generally, but not
exclusively, on Linux
). But it's not hard to see the same thing happening
to any sufficiently large population of Internet-facing devices based on Linux
or any other platform. I'm especially curious about DVRs now.
We often speak about how malware writers write for Windows because that's
where the systems are and because that's where the development tools are, for
malware and more generally. The same could be said now of Linux: The fact that
a device runs Linux means it's easy to write binaries for it that do networking
tasks, including hardening the bot and distributed denials of service.
How does Psyb0t work? The main vulnerability it seems to exploit is simply
weak or nonexistent authentication. One involved device is the NetComm NB5 ADSL (asymmetric
earlier versions of which were administrable from the WAN side
by default. In fact, some were administrable without any log-in at all. Of course
updates were made, but when was the last time you applied an update to your
ADSL router? I've seen vaguer reports of other vulnerabilities used.
According to DroneBL, the DNS (Domain Name System) blacklist service that
found the botnet, Psyb0t appears to
have been shut down just recently.
The bot will not persist if the router is power-cycled, but who does that on
purpose? I also wouldn't discount the possibility that such a bot could be
built to flash itself into an EPROM (erasable programmable ROM) or some other
persistent memory, and then the device would probably be unsalvageable. Such an
attack would be highly model-specific.