protection against the Psyb0t worm
mustbjones
Enthusiast - Level 2

Are the modem/router that Verizon supplies protected/hardened against this worm?

Here is a link to the article: http://blogs.zdnet.com/BTL/?p=15197

Thanks,

MBJ

0 Likes
Re: protection against the Psyb0t worm
DzWR
Contributor - Level 1

I don't see any mention of the Actiontec in that article -- you should be fine.

0 Likes
Re: protection against the Psyb0t worm
cjacobs001
Contributor - Level 3
Also, the article tells you how to fix it if your router is attacked.
0 Likes
Re: protection against the Psyb0t worm
mustbjones
Enthusiast - Level 2
Yes, I saw that the Actiontec router/modem is not mentioned, but it also says that any router that is running mipsel (MIPS running in little endian mode) is in danger.
0 Likes
Re: protection against the Psyb0t worm
dslr595148
Community Leader
However, I would still recommend:

#1 Changing the default password, if you have not.

#2 If UPnP exists in the router, turning that off.

#3 Making sure remote access to the router is turned off.

--

You can use any port checking site, to see if any port is open from the outside.

If there are any ports open from the outside, it does not mean bad news right away, because it depends on whether you are forwarding any ports.

What you really want is only the ports that you forwarded open from the net.
Re: protection against the Psyb0t worm
prisaz
Legend

@dslr595148 wrote:
However, I would still recommend:

#1 Changing the default password, if you have not.

#2 If UPnP exists in the router, turning that off.

#3 Making sure remote access to the router is turned off.

--

You can use any port checking site, to see if any port is open from the outside.

If there are any ports open from the outside, it does not mean bad news right away, because it depends on whether you are forwarding any ports.

What you really want is only the ports that you forwarded open from the net.

Gibson Research "Shields UP" is a good site for checking your ports. Stealth status is best. The ports are better off not showing at all. Closed status will still show something is there. Also, turning off responses to ICMP Ping requests in your router is not a bad idea. I have also found the Ident Port 113 responds in many routers, and the way I handle this is to designate one private IP on my network as a dead end. Do not use the dead-end IP address for anything on your private network. Also pick an IP that is not in your DHCP distribution list. Forward that port to the dead end and when scanned it will not respond.

http://www.grc.com/default.htm

Message Edited by prisaz on 03-28-2009 06:58 PM
0 Likes
Re: protection against the Psyb0t worm
VikeFan1961
Enthusiast - Level 3

"Version 17 of the malware contains “shellcode for 30 different linksys models, and 10 netgear models, as well as several kinds of cable and dsl modems (15 different shellcodes)” as well as a list of “6000 usernames and 13000 passwords” which is used for bruteforcing Telnet and SSH logins that are open to the LAN and sometimes even on the WAN side of those routers."


Read more: "psyb0t - A stealthy router-based botnet discovered [Updated] | IRC-Junkie.org - IRC News" - http://www.irc-junkie.org/2009-03-22/psyb0t-a-stealthy-router-based-botnet-discovered/#ixzz0BByn8pYZ

If you are using a router that is vulnerable and a weak password that is easily hacked via the brute force attack that is used, you should easily be able to determine if you are infected. Since port 80 gets blocked by the bot, you will lose basic HTTP connectivity through your router. You would then need to do a factory reset of your router to get it back into its default configuration (this clears the malware from the router) and assign a more robust password.

I would then send a complaint to Verizon.
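
The port check suggested in this thread, as an added example that is not code from any poster: it probes your own router's SSH (22), Telnet (23), HTTP (80) and Ident (113) ports, labels each open, closed or stealth, and flags anything open that you did not forward. The function names, the address 192.0.2.1 and the forwarded-port set are assumptions to replace with your own values.

```python
import socket

def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' or 'stealth'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"        # handshake completed: a service is listening
    except ConnectionRefusedError:
        return "closed"      # a reset came back, so the host reveals itself
    except OSError:
        return "stealth"     # timeout or unreachable: nothing answered
    finally:
        s.close()

def audit(host, ports, forwarded, probe_fn=probe):
    """Compare probe results with the ports you intentionally forward."""
    findings = {}
    for port in ports:
        state = probe_fn(host, port)
        if state == "open" and port not in forwarded:
            verdict = "UNEXPECTED: open but not forwarded"
        elif state != "open" and port in forwarded:
            verdict = "forwarded but not reachable"
        elif state == "closed":
            verdict = "closed: something is there, stealth preferred"
        else:
            verdict = "ok"
        findings[port] = (state, verdict)
    return findings

if __name__ == "__main__":
    # Assumed values: 192.0.2.1 is a documentation placeholder for your
    # router's WAN address; FORWARDED is whatever you forward on purpose.
    FORWARDED = set()
    for port, (state, verdict) in audit("192.0.2.1", [22, 23, 80, 113],
                                        FORWARDED).items():
        print(f"{port:>5}  {state:<8} {verdict}")
```

Run it from a machine outside your own network; probing the WAN address from the LAN side can give different results than an outside scan, which is why the thread points to an external port-checking site.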