Deprecated: Assigning the return value of new by reference is deprecated in /home/teamfurr/public_html/wordpress/wp-includes/cache.php on line 36

Deprecated: Assigning the return value of new by reference is deprecated in /home/teamfurr/public_html/wordpress/wp-includes/query.php on line 21

Deprecated: Assigning the return value of new by reference is deprecated in /home/teamfurr/public_html/wordpress/wp-includes/theme.php on line 508

Deprecated: Function split() is deprecated in /home/teamfurr/public_html/wordpress/wp-content/plugins/inspector-wordpress/InspectorWordpress.php on line 110
MW-Blog » Blog Archive » Botnet running on MIPS CPU devices.

Botnet running on MIPS CPU devices.

Finally, something new :) An IRC capable bot has been making the rounds. Now, instead of infecting PC’s or servers this baby goes after DSL modems.

Terry Baume has a pretty nice PDF on his site , I suggest you check it out. I downloaded the updated botbinary from the update site and noticed that it was around 3k smaller than the one Terry wrote about. I threw the UPX command line tool towards it but it failed. Now, I can chew x86 and a few others pretty nicely but I do admit this was the first time I’ve hit a MIPS binary.

After prodding it a bit with IDA it became obvious that the new version was also packed with UPX, but apparently the guys had either read Terrys PDF or seen that they’ve been seen, so they had manually modified the binary and made all telltale signs of UPX go away. Except for the entrypoint.

So, with a small dilemma of not having proper devices running MIPS and not being able to unpack itwith the command line tool the was one thing left: grab my favourite hexeditor and repair the file. So, after few minutes of wanking around I got the UPX commandline tool to swallow and unpack the sample :)

The malware can spread itself through telnet admin interfaces of the DSL modems. It also has the capability to scan for PHPMyAdmin installations _and_ Windows SMB shares.

It also seems to have the capability to perform clickfraud on if the author wishes so.

The version string in the sample I downloaded was 2.9L as opposed to 2.5L that Terry saw 2 months ago so it’s a pretty safe bet that this puppy is undergoing steady development. Will be really interesting to see how things develope from here. Playing in the MIPS device field gives you lot less targets to swing at but on the other hand there’s no competition and the risk of the infection being noticed is somewhat smaller.

The worst thing is that it’s possible to alter the DNS settings of all client inside the LAN through this. As well as transparently redirecting certain valuable connections into places where they shoudln’t go.

Only time will tell how this will proceed.

One Response to “Botnet running on MIPS CPU devices.”

  1. Psyb0t Evolves, Targets Unprotected Linux Mipsel Routers | google android os blog Says:

    […] now appears to have returned, and evolved into a new beast, PSYB0T 2.9L, and it affects more than Netcomm NB5 devices. Approximately 30 Linksys devices, 10 Netgear models, and 15 other models and brands of DSL modems […]

If you want to comment on this article please send e-mail
to authors(_at_) or go to the forums.

InspectorWordpress has prevented 27 attacks.