How to: Prevent, Detect, and Recover from Router Worms

By Eric Geier

April 10, 2009

Psyb0t, a botnet that attacks DSL modems and routers, can cause some pesky issues. In this tutorial, we reveal the types of routers that are susceptible, and explain how to detect, prevent, and get rid of this and other router worms.

Recently, security researchers at DroneBL identified a botnet, named psyb0t, which attacks DSL modems and routers. It searches out and takes advantage of particular devices with ports opened to the Internet using a weak password. Once the worm enters a router, it blocks ports and could possibility do more damage by exposing sensitive information and/or attack other networks.

In this tutorial, we’ll review the types of routers that are susceptible to this particular worm. Then we’ll discuss how to prevent infection from this and other router worms. Finally, we’ll see how to get rid of the worm on infected routers.

How worms crawl into routers

Router worms invade through ports that are used for the remote administration of the router. However, routers by default don’t have these ports opened. They have to be manually enabled on the router’s Web-based configuration utility. Moreover, the bigger vulnerability is having a weak password. In other words, if preventative measures are followed, remote administration is safe.

This latest worm targets setups that meet all of the following criteria:

  • Linux-based devices that use a MIPS processor running in little-endian mode (mipsel). This includes roughly 30 Linksys devices, ten Netgear models, and about 15 others. Additionally, routers loaded with firmware replacements, such as DD-WRT, and OpenWRT, are vulnerable.
  • Devices that have some type of remote (WAN) administration enabled, such as telnet, SSH, or Web-based access—providing only local access is not vulnerable.
  • The username and password combinations for the remote administration access are weak, or the daemons that your firmware uses are exploitable.

Securing WAN services

Since router worms invade through remote administration ports, securing these ports is the key to prevent infection. Moreover, simply not enabling remote admin and keeping the ports closed up is the best solution, as the worms have no way to get in. However, if remote access is required, follow these guidelines to prevent invasion:

  • Use strong, secure, passwords: Since router worms rely on brute-force dictionary attacks (they repeatedly try to guess the password), use passwords that can’t be easily guessed. Instead of using admin, pass1234, or something simple for the router’s password, mixed it up a bit. Try something like i1F3n8Es0yQ3ha. Use lower and upper case; and make use of numbers and letters. Though it is not easy to memorize these long and confusing passwords, you can save them in a file, stored in a safe place on your PC.
  • Ensure the remote connections are encrypted: For example, use HTTPS for Web-based access, instead of HTTP that transmits everything in clear-text. Next to the remote Web access settings on the router’s configuration utility, select the HTTPS option. If shell or command line access is needed, use SSH. Unlike Telnet, SSH is an encrypted protocol. Using encrypted connections won’t necessary prevent router worms, however, it betters the overall security.
  • Change the default ports: Worm bots might look to crawl in via default ports of these remote connections, such as port 80 or 8080 for HTTP Web access, 443 for encrypted (HTTPS) Web access, and 22 for SSH. Therefore, a router accepting connections on non-default ports will be better off. Most routers have a Port field next to the remote connection settings; enter a desired port number there. Then when accessing the router via a browser, use the custom port. For example, type the Internet IP address of where the router is located followed by a colon and the port. If connecting via SSH, specify the custom port in the connection settings of the SSH client program.
  • Use inbound filters: Some routers can be configured to filter what IP addresses or ranges are allowed to use incoming connections, thus blocking worms originating from any IP address not listed. First, see if an address or range can be defined in the remote admin settings of the router. Next, check if the router has incoming filter settings.

You can always double-check the ports that are opened to the Internet by using online security auditors/scanners. ShieldsUP from Gibson Research Corporation and Firewall Test from Audit My PC are two great tools. They can scan the Internet connection and show any port vulnerabilities.

Keeping the router’s firmware up-to-date

As mentioned earlier, a piece of software a router’s firmware uses can also make it susceptible to worms. Keeping routers loaded with the most current firmware releases can help prevent this vulnerability. Router manufacturers and firmware-replacement projects periodically release these firmware updates to patch known security holes and bugs.

To upgrade the firmware, download the new image from the vendor’s Website. Then log into the router’s Web-based configuration utility from a wired connection and go to the Admin, Misc, or System section. From there, select the new firmware image and upload it.

Ridding your router from a worm

The preventative measures we discussed should keep our routers safe from worms. Remember, don’t enable remote access unless it is really needed. If it is necessary, use long, mixed character and case passwords via HTTPS or SSH, and think about using non-default ports and enabling any inbound filter.

If a router does become infected, strange things might happen. For example it has been reported that the Psyb0t worm blocks ports 22 (SSH), 23, and 80 (Web) on the router. Thus, routers that seem to block these ports out of nowhere may be infected with the worm.

Getting rid of the worm, however, likely only requires a power cycle. Simply unplugging the router for a couple of seconds should do the trick. If problems persist, resetting it back to factory defaults should definitely clear out the bug. Hold the reset button on the back of the router in for up to 30 seconds. Once the worm is out, be sure to follow the tips in this tutorial.

Eric Geier is the author of many networking and computing books, including Home Networking All-in-One Desk Reference For Dummies (Wiley 2008) and 100 Things You Need to Know about Microsoft® Windows Vista (Que 2007).



Comment and Contribute
(Maximum characters: 1200). You have
characters left.