« A little something that brightened my day
Scans for default Tomcat admin passwords »

Botnet running on MIPS CPU devices.

Finally, something new :) An IRC capable bot has been making the rounds. Now, instead of infecting PC’s or servers this baby goes after DSL modems.

Terry Baume has a pretty nice PDF on his site , I suggest you check it out. I downloaded the updated botbinary from the update site and noticed that it was around 3k smaller than the one Terry wrote about. I threw the UPX command line tool towards it but it failed. Now, I can chew x86 and a few others pretty nicely but I do admit this was the first time I’ve hit a MIPS binary.

After prodding it a bit with IDA it became obvious that the new version was also packed with UPX, but apparently the guys had either read Terrys PDF or seen that they’ve been seen, so they had manually modified the binary and made all telltale signs of UPX go away. Except for the entrypoint.

So, with a small dilemma of not having proper devices running MIPS and not being able to unpack itwith the command line tool the was one thing left: grab my favourite hexeditor and repair the file. So, after few minutes of wanking around I got the UPX commandline tool to swallow and unpack the sample :)

The malware can spread itself through telnet admin interfaces of the DSL modems. It also has the capability to scan for PHPMyAdmin installations _and_ Windows SMB shares.

It also seems to have the capability to perform clickfraud on clickhype.com if the author wishes so.

The version string in the sample I downloaded was 2.9L as opposed to 2.5L that Terry saw 2 months ago so it’s a pretty safe bet that this puppy is undergoing steady development. Will be really interesting to see how things develope from here. Playing in the MIPS device field gives you lot less targets to swing at but on the other hand there’s no competition and the risk of the infection being noticed is somewhat smaller.

The worst thing is that it’s possible to alter the DNS settings of all client inside the LAN through this. As well as transparently redirecting certain valuable connections into places where they shoudln’t go.

Only time will tell how this will proceed.

This entry was posted on Monday, March 23rd, 2009 at 10:05 pm and is filed under General InfoSec, Malware FreakShow. You can follow any responses to this entry through the RSS 2.0 feed. Responses are currently closed, but you can trackback from your own site.

One Response to “Botnet running on MIPS CPU devices.”

  1. Psyb0t Evolves, Targets Unprotected Linux Mipsel Routers | google android os blog Says:
    March 25th, 2009 at 9:26 pm

    […] now appears to have returned, and evolved into a new beast, PSYB0T 2.9L, and it affects more than Netcomm NB5 devices. Approximately 30 Linksys devices, 10 Netgear models, and 15 other models and brands of DSL modems […]

If you want to comment on this article please send e-mail
to authors(_at_)teamfurry.com or go to the forums.

InspectorWordpress has prevented 2 attacks.