[nsp-sec] dsl modem worm PYSBOT
Smith, Donald
Donald.Smith at qwest.com
Thu Mar 26 12:30:16 EDT 2009
This is a diary that was written about a dsl modem worm named PSYBOT.
It is MIPSEL based. They get in via weak passwords and possibly some other exploits. This worm RUNS on the router itself. We have done some testing and got it to run on a mipsel based box.
This site, which had the exploit, appears to be down (127.0.0.1).
http//dweb.webhop.net/.bb/udhcpc.env
You can see infected systems in netflow by looking for tcp port 5050 and IP address 207.155.1.5. I will try to get a report out later if people are interested.
http://isc.sans.org/diary.html?storyid=6061
http://android-blog.org/2009/03/25/psyb0t-evolves-targets-unprotected-linux-mipsel-routers/
http://isc.sans.org/diary.html?storyid=6061
Donald.Smith at qwest.com
Please cc the handlers to keep them all in the loop.
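The netflow check described in the post (TCP port 5050 to 207.155.1.5) can be scripted; the example below is added here and is not from the original mail. It reads flow records from a constructed CSV layout (start, src, sport, dst, dport, proto, bytes), which is an assumption standing in for whatever a real collector exports, and groups the matching flows by source address so that the output is a list of hosts worth examining rather than individual flows.

```python
"""Flag flow records that match the psyb0t indicator given in the post:
TCP traffic to 207.155.1.5 on port 5050.  Added example, not code from
the original mail; the CSV flow layout below is constructed for the
example and is not a real collector's export format."""
import csv
import io
from collections import defaultdict

# Indicator from the post: C2 traffic is TCP to 207.155.1.5, port 5050.
C2_HOST = "207.155.1.5"
C2_PORT = 5050

# Constructed sample flows (documentation-range source addresses).
SAMPLE_FLOWS = """\
start,src,sport,dst,dport,proto,bytes
2009-03-26 10:01:12,198.51.100.7,42311,207.155.1.5,5050,tcp,812
2009-03-26 10:01:15,198.51.100.7,42312,207.155.1.5,5050,tcp,133
2009-03-26 10:02:40,198.51.100.9,51020,203.0.113.44,80,tcp,5120
2009-03-26 10:03:01,198.51.100.21,60001,207.155.1.5,5050,udp,60
2009-03-26 10:03:08,198.51.100.33,33333,207.155.1.5,5050,tcp,455
2009-03-26 10:04:55,198.51.100.9,51021,207.155.1.5,443,tcp,2048
"""


def parse_flows(text):
    """Yield one dict per flow record, with the numeric fields converted."""
    for row in csv.DictReader(io.StringIO(text)):
        row["sport"] = int(row["sport"])
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        yield row


def is_c2_flow(flow):
    """True when the flow matches the indicator exactly: TCP, C2 host, C2 port.

    Protocol and port are both checked so that unrelated traffic to the
    same address (e.g. UDP, or TCP/443) does not produce a hit."""
    return (flow["proto"].lower() == "tcp"
            and flow["dst"] == C2_HOST
            and flow["dport"] == C2_PORT)


def suspected_infections(text):
    """Return {src_ip: (flow_count, total_bytes)} for every source address
    that has at least one flow matching the indicator."""
    hits = defaultdict(lambda: [0, 0])
    for flow in parse_flows(text):
        if is_c2_flow(flow):
            hits[flow["src"]][0] += 1
            hits[flow["src"]][1] += flow["bytes"]
    return {src: tuple(counts) for src, counts in hits.items()}


if __name__ == "__main__":
    for src, (count, total) in sorted(suspected_infections(SAMPLE_FLOWS).items()):
        print(f"{src}: {count} flow(s), {total} bytes to {C2_HOST}:{C2_PORT}")
```

On the constructed sample, 198.51.100.7 and 198.51.100.33 are reported; the UDP flow and the TCP/443 flow to the same address are deliberately left out, since the post names TCP port 5050 specifically.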
________________________________
From: Rob Thomas [robt at cymru.com]
Sent: Wednesday, March 25, 2009 5:26 PM
To: Smith, Donald
Cc: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] sites that are preying on the conficker victims with scareware and scams.
Hey, Don.
> $ whois 74.217.128.133
> Internap Network Services Corporation PNAP-SJE-01-2008 (NET-74-217-0-0-1)
> 74.217.0.0 - 74.217.255.255
> Netfirms INAP-TOR001-NETFIRMS-23422 (NET-74-217-128-0-1)
> 74.217.128.0 - 74.217.129.255
There's also a bit of mircscript hosted there which is often a bad sign.
We see a few DNS RRs over the past 30+ days.
timestamp           | dns_name                       | ip
--------------------+--------------------------------+----------------
2009-03-11 07:35:20 | dl.pacyrus.com                 | 74.217.128.133
2009-03-11 07:35:16 | forum.pacyrus.com              | 74.217.128.133
2009-03-09 09:25:07 | marketingimagery.com           | 74.217.128.133
2009-03-23 13:20:05 | mirctrivia.net                 | 74.217.128.133
2009-03-08 03:28:03 | subs.geekstogo.com             | 74.217.128.133
2009-03-08 11:50:49 | www.pacyrus.com                | 74.217.128.133
2009-02-27 22:35:08 | thehousewatch.sslpowered.com   | 74.217.128.133
2009-02-24 07:20:26 | www.fraganciasalpormayor.com   | 74.217.128.133
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");