Wednesday, March 25, 2009

psyb0t Attacks Home Routers

The endless battle for your home network continues.

The new worm called "psyb0t", or Bluepill, is on the move, targeting a large number of highly popular home routers and cable modems from leading manufacturers. Armed with 6000 common usernames and more than 13,000 popular passwords, a psyb0t infection could conceivably turn your home networking gear into part of a larger botnet.

One of the downsides of this type of attack is the target-rich environment. There are hundreds of thousands of home routers and modems to be plucked, and for the most part, home users tend to be less technology-savvy and security conscious, making them lucrative prospects.

Since most home routers are not configured to lock out after a set number of failed login attempts, and given that they are typically online 24 hours a day, psyb0t can run brute force attacks, trying combo after combo from its vast store of usernames and passwords until a successful compromise occurs. Worse still, most home users would probably not be able to detect that they had been infected.

The key to being protected from worms like psyb0t is to follow customary best practices, such as changing the default (factory-set) admin credentials on your home devices to something not easily guessed. Since I'm assuming you don't log into your router's admin console often, there's no excuse for not using complex usernames and passwords, or better yet, passphrases that are nearly impossible to compromise via dictionary attack. A combination such as n00bAdmin and ILikeStinkyCheese will survive such a brute force attempt. And no, that's not my configuration, so don't even try it. Plus, I have a hardware firewall on the perimeter with a VLAN that segregates my secure network from my wireless access point, so neener neener.

If you're a bit more techie, be sure to log in to your home router, wired or wireless, and review its log files regularly. If you see repeated failed login attempts, or a bunch of suspicious traffic, you may want to reset the device to factory defaults to wipe out anything that's been loaded, and then reconfigure the device using more secure settings.
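The "repeated failed login attempts" check above can be automated once you have exported the router's log. The following is an added example written for this post, not code from the original article or from any router vendor: it uses a constructed, generic syslog-style line format (real routers each have their own layout, so the regular expression is an assumption you would adapt), and it flags any source address that racks up a threshold of failed admin logins inside a sliding time window, which is exactly the pattern a credential-guessing worm leaves behind.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a generic syslog-like layout; this is not
# any particular vendor's real format, and the timestamps, usernames and
# addresses (RFC 5737 documentation ranges) are made up for the example.
SAMPLE_LOG = """\
Mar 25 02:14:01 router auth: login failed user=admin from=203.0.113.7
Mar 25 02:14:02 router auth: login failed user=root from=203.0.113.7
Mar 25 02:14:02 router auth: login failed user=admin from=203.0.113.7
Mar 25 02:14:03 router auth: login failed user=support from=203.0.113.7
Mar 25 02:14:04 router auth: login failed user=admin from=203.0.113.7
Mar 25 02:14:05 router auth: login failed user=user from=203.0.113.7
Mar 25 02:15:10 router auth: login ok user=n00bAdmin from=192.168.1.20
Mar 25 03:40:00 router auth: login failed user=admin from=198.51.100.9
Mar 25 09:12:44 router auth: login failed user=admin from=198.51.100.9
"""

# Assumed line layout: "<Mon> <day> <HH:MM:SS> <host> auth: login <failed|ok> user=<u> from=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ auth: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse_line(line, year=2009):
    """Parse one log line into a dict, or return None for lines we don't recognise.

    Syslog timestamps carry no year, so the caller supplies one (default matches the post's date).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: (failure_count, sorted_usernames_tried)} for every source
    that reaches `threshold` failed logins within any `window`-long span.

    A per-source deque holds only the failures still inside the window, so a
    handful of typos spread over hours never trips the alert, while a worm
    cycling through its username list does.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "failed":
            continue
        q = recent[ev["src"]]
        q.append(ev)
        # Drop failures that have aged out of the sliding window.
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) >= threshold:
            users = sorted({e["user"] for e in q})
            alerts[ev["src"]] = (len(q), users)
    return alerts


if __name__ == "__main__":
    for src, (count, users) in find_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {src}: {count} failed logins in one minute, usernames tried: {', '.join(users)}")
```

With the constructed sample, only 203.0.113.7 is flagged (six failures across four usernames in a few seconds); the two failures from 198.51.100.9 are hours apart and stay below the threshold. Tune `threshold` and `window` to how often you actually log in yourself, and treat a flagged address that is not one of your own machines as the cue for the factory reset and reconfiguration described above.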

Comments welcome!
