The First Linux Botnet
By: Larry Seltzer
2009-03-24
The main thing keeping Linux desktops out of botnets is the sophistication of their users, but the people who built Psyb0t knew most people don't pay much attention to router security.

They're calling it the first botnet designed for broadband equipment and routers,
and that it is. But it's also the first of something else: Psyb0t is the first Linux
botnet.
And even though it's running on hardware devices and even though it's
running on Linux, and an obscure distribution of Linux at that, the basic
mechanisms of it aren't that different from "conventional" botnets
that run on Windows PCs. There's a lesson here.
Linux seems to be a great platform for these little embedded devices. It's
small enough that it can fit in economical hardware, portable enough that you
can put it on almost any processor and platform, and it's got great networking
tools. This particular bot runs on Linux Mipsel devices ("Mipsel" refers to
little-endian implementations on MIPS processors, generally, but not
exclusively, on Linux). But it's not hard to see the same thing happening
to any sufficiently large population of Internet-facing devices based on Linux
or any other platform. I'm especially curious about DVRs now.
We often speak about how malware writers write for Windows because that's
where the systems are and because that's where the development tools are, for
malware and more generally. The same could now be said of Linux: the fact that
a device runs Linux means it's easy to write binaries for it that do networking
tasks, including hardening the bot and mounting distributed denial-of-service attacks.
How does Psyb0t work? The main vulnerability it seems to exploit is simply
weak or nonexistent authentication. One affected device is the NetComm NB5 ADSL (asymmetric
DSL) modem, earlier versions of which were administrable from the WAN side
by default. In fact, some were administrable without any log-in at all. Of course
updates were made, but when was the last time you applied an update to your
ADSL router? I've seen vaguer reports of other vulnerabilities used.
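The two weaknesses the article names, management reachable from the WAN side and no login at all, are exactly what an owner can audit on their own router. The following is an added defender-side example, not code from the article or from any router vendor; the key=value config format, interface names and default-password list are constructed for illustration and are not the NetComm NB5's real configuration format.

```python
# Constructed, simplified model of a Linux router's management settings.
WEAK = """
wan_if=ppp0
lan_if=br0
admin_http_listen=0.0.0.0:80      # bound to every interface, including the WAN
admin_telnet_listen=0.0.0.0:23
admin_auth=none                   # no login required at all
admin_password=
"""

HARDENED = """
wan_if=ppp0
lan_if=br0
admin_http_listen=192.168.1.1:80  # LAN address only
admin_telnet_listen=disabled
admin_auth=password
admin_password=<set-by-owner>     # placeholder, not a real credential
"""

LISTEN_ALL = {"0.0.0.0", "*", "[::]"}
DEFAULT_PASSWORDS = {"", "admin", "password", "1234"}  # constructed sample list


def parse(text):
    """Parse key=value lines, ignoring comments and blank lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, val = line.split("=", 1)
            cfg[key.strip()] = val.strip()
    return cfg


def audit(text):
    """Return a list of findings describing WAN-exposed or unauthenticated management."""
    cfg = parse(text)
    findings = []
    for key in ("admin_http_listen", "admin_telnet_listen"):
        val = cfg.get(key, "disabled")
        if val == "disabled":
            continue
        host = val.rsplit(":", 1)[0]           # strip the port
        if host in LISTEN_ALL:
            findings.append(f"{key}: bound to all interfaces, reachable via WAN {cfg.get('wan_if')}")
        if key == "admin_telnet_listen":
            findings.append(f"{key}: cleartext telnet management enabled")
    if cfg.get("admin_auth", "none") == "none":
        findings.append("admin_auth: no login required")
    if cfg.get("admin_password", "") in DEFAULT_PASSWORDS:
        findings.append("admin_password: empty or default password")
    return findings
```

Running `audit(WEAK)` reports five findings; `audit(HARDENED)` reports none.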
According to DroneBL, the DNS (Domain Name System) blacklist service that
found the botnet, Psyb0t appears to
have been shut down just recently.
The bot will not persist if the router is power-cycled, but who does that on
purpose? I also wouldn't discount the possibility that such a bot could be
built to flash itself into an EPROM (erasable programmable ROM) or some other
persistent memory, and then the device would probably be unsalvageable. Such an
attack would be highly model-specific.