psyb0t-related PC infection

I’ve detected scans apparently related to psyb0t - probing the gateway for URLs specific to various home routers. Luckily my gateway is a Linux system. However, the probes are coming from inside the LAN, specifically a particular Vista laptop. We’ve scrubbed the system with all the usual tools (spybot/HJT/Ad Aware/Avast) and none of it seems to find anything unusual or is able to clean up whatever’s doing the scan.

I’ve not been able to find any mention on the 'Net about PC infections related to psyb0t, only about compromised/vulnerable routers and how to deal with them.

I’m almost to the point of wiping the HD and reinstalling the OS :-[. I should probably do that anyway, but I’d at least like to identify the bastard first.

I’ve considered the possibility of a rootkit infection, but from what I’ve read there don’t seem to be any real effective rootkit detectors for Vista.

Suggestions would be greatly appreciated.
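As an added example (not from the original poster or any tool mentioned in this thread), here is one way to flag a LAN host that is sweeping the gateway's web server for router administration pages: parse the gateway's access log and report any source that requests several distinct admin-looking paths. The log lines and the admin-path list are constructed for illustration; the worm's actual probe list is not given in this thread.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined (Apache/nginx style) access-log format; not real captures.
SAMPLE_LOG = """\
192.168.1.37 - - [24/Mar/2009:10:01:02 +0000] "GET /cgi-bin/webcm HTTP/1.1" 404 209 "-" "-"
192.168.1.37 - - [24/Mar/2009:10:01:03 +0000] "GET /setup.cgi HTTP/1.1" 404 209 "-" "-"
192.168.1.37 - - [24/Mar/2009:10:01:03 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "-"
192.168.1.37 - - [24/Mar/2009:10:01:04 +0000] "GET /Management.html HTTP/1.1" 404 209 "-" "-"
192.168.1.12 - - [24/Mar/2009:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.12 - - [24/Mar/2009:10:02:11 +0000] "GET /admin/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

# Illustrative patterns for router management pages (an assumed list, not the worm's real probe set).
ROUTER_ADMIN_PATHS = re.compile(
    r"^/(cgi-bin/|setup\.cgi|admin/?$|Management\.html|login\.(htm|asp))", re.I
)

# Fields of one combined-format log line: source, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict of the log fields, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_router_probers(log_text, min_distinct_paths=3):
    """Return {src_ip: sorted admin paths} for every source that requested at least
    min_distinct_paths different router-admin-looking URLs. A single hit (e.g. a user
    opening /admin/ on purpose) stays below the threshold and is not reported."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and ROUTER_ADMIN_PATHS.search(rec["path"]):
            hits[rec["src"]].add(rec["path"])
    return {ip: sorted(paths) for ip, paths in hits.items() if len(paths) >= min_distinct_paths}


if __name__ == "__main__":
    for ip, paths in find_router_probers(SAMPLE_LOG).items():
        print(f"{ip} probed {len(paths)} router admin paths: {', '.join(paths)}")
```

On a real gateway, feed it the access log (or the equivalent lines from the firewall's HTTP logging) and the reported source address is the LAN machine to examine; the threshold is the knob for separating a sweep from a user who opened one admin page by hand.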

Hi padarjohn,

Are you vulnerable: http://nemesisv.blogspot.com/2009/03/psyb0t-am-i-vulnerable.html
The Psyb0t worm can only be compiled on certain Linux-based residential routers which run on the MIPS little-endian processor architecture, and can only infect a router if the router’s management interface (telnet, SSH or a web-based interface) is exposed to the Internet (WAN interface on the router) and a weak password (one that can be guessed using a dictionary attack) is being used on the router.

Many different kinds of routers can be affected by this kind of worm, including Westnet supplied routers such as the iConnect and Netgear.

Other brands of routers can also be infected so it would be worth checking with their relevant Support department to find out whether or not your specific router is susceptible.

However, it is always a good idea to change the default password for your router and ensure that any management interface is not exposed to the Internet (WAN interface on the router).
Removal and Prevention

Removal and prevention of re-infection of the Psyb0t worm is quite simple if you follow these steps:

  1. Factory reset your router, a guide to this can generally be found in your router’s documentation. Alternatively if you get in contact with your Support team, they will be able to guide you through this.
  2. Re-configure your router so that you are able to get online
  3. Change the default username/password for your modem’s configuration page so that it is difficult to guess (you may want to write it down)
  4. Ensure that any kind of remote management is disabled on the modem

Changing the username and password for the router to something not easily guessable will help to prevent any future access to the router; the more difficult to guess the better, as the Psyb0t worm breaks into your router by dictionary attacks (http://en.wikipedia.org/wiki/Dictionary_attack).

psyb0t Worm Targets Home Users’ Routers (March 23 & 24, 2009)
The psyb0t worm recruits home networking devices into powerful botnets.
The malware is believed to have infected more than 100,000 routers.
The botnet has been used to conduct distributed denial-of-service (DDoS) attacks.
The malware may also be capable of conducting deep packet inspection to steal usernames and passwords.
-http://www.theregister.co.uk/2009/03/24/psyb0t_home_networking_worm/
-http://www.h-online.com/security/Botnet-based-on-home-network-routers--/news/112913

polonus

No, I’m not vulnerable. My “router” is an Ubuntu 8.04LTS Linux system with very strong passwords.

You’re missing the point, and at the same time making my point.

I already know all about the router infections. I don’t have a router infection, I have an infected Vista system looking for routers to infect. All I can find online is what you are telling me, which is how to deal with the router. I’m trying to figure out how to clean the PC that’s probing for routers.

Hi padarjohn,

The Vista machine must have been infected by IRC bot activities. You can establish bot activity with BotHunter; download it here: http://www.bothunter.net/doc/WinInstall-Advice.html
The best anti-rootkit device for Vista is Ice Sword: http://202.38.64.10/~jfpan/download/is120en_vista.zip
It would be interesting to read what you found there. Did Trend Micro’s RUBotted alert for that machine?

polonus