Psybot

Netcomm NB5 Botnet – PSYB0T 2.5L
11th January, 2009
Terry Baume, terry.baume@gmail.com
Should you have any additional information, please email me.

It appears that Netcomm NB5 ADSL modems are not the only devices affected by this bot. Modems with similar hardware configurations (unknown brands) from Italy, Brazil, Ecuador, Russia, Ukraine, Turkey, Peru, Malaysia, Colombia, India and Egypt (and likely more countries) also seem to be affected, and are spreading the bot.

Introduction

The NB5 was a popular ADSL/ADSL2+ modem-router, produced by Netcomm circa 2005. The NB5 is based on the Texas Instruments TNETD7300, featuring a 32-bit RISC MIPS 4KEc V4.8 processor, 2MB of flash ROM, 8MB of RAM, Ethernet + USB connectivity, and runs an embedded Linux distribution. Stored in the 2MB ROM is the ADAM2 bootloader, the MontaVista Linux 2.4.17 kernel & a read-only file system.

The NB5 offers a web interface, as well as SSH and telnet interfaces. Connecting to the NB5 with telnet spawns a session of the modem CLI, used for configuring the modem. A Linux ash shell can be spawned by issuing the command 'shell':

    BusyBox on localhost login: root
    Password:
    DSL Modem CLI
    Copyright (c) 2004 Texas Instruments, Inc.
    cli> shell
    Starting /bin/sh
    Type exit to return to the CLI

    BusyBox v0.61.pre (2007.02.27-08:37+0000) Built-in shell (ash)
    Enter 'help' for a list of built-in commands.

    #

The NB5 includes several binaries one might expect to find on a Linux machine – ls, cat, wget, etc. Given that the NB5 features a MIPS processor & is based upon a Linux platform, it is trivial to compile binaries to run on the modem using a cross compiler. These can then be loaded onto the modem using wget, made executable & run. As the NB5's filesystem is read-only & RAM based, any binaries loaded onto the modem (unless it is reflashed) will be erased upon the modem being rebooted.
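The read-only root filesystem described above has a useful consequence for triage: anything loaded onto the modem at run time has to live on a writable, RAM-backed mount, because nowhere else is writable. The script below is an added illustration of that check and is not part of this write-up or of Netcomm's firmware. It reads a /proc/mounts-style file, picks out writable tmpfs/ramfs mount points, and lists executable files beneath them; on the device itself ROOT would be empty and MOUNTS_FILE would be /proc/mounts. The mount table and the "loaded.bin" file are constructed sample data, not values taken from an NB5.

```shell
#!/bin/sh
# Added example, not from the original write-up. On a router whose root
# filesystem is read-only, nothing shipped in the firmware lives on the
# writable RAM-backed mounts, so any executable found there was put there
# at run time and deserves a look.

# writable_ram_mounts MOUNTS_FILE
# Print mount points from a /proc/mounts-style file whose filesystem type
# is tmpfs or ramfs and whose option list contains "rw".
writable_ram_mounts() {
    awk '$3 == "tmpfs" || $3 == "ramfs" { if ($4 ~ /(^|,)rw(,|$)/) print $2 }' "$1"
}

# runtime_executables MOUNTS_FILE ROOT
# For each writable RAM mount, list regular files with the owner execute
# bit set under ROOT<mountpoint>. ROOT is "" on the device itself; here
# it points at a constructed scratch tree so the script runs anywhere.
runtime_executables() {
    mounts_file="$1"
    root="$2"
    writable_ram_mounts "$mounts_file" | while IFS= read -r mp; do
        [ -d "$root$mp" ] || continue
        find "$root$mp" -type f -perm -100 2>/dev/null
    done
}

# --- constructed sample data standing in for a real device ---
SCRATCH="$(mktemp -d)"
SAMPLE_MOUNTS="$SCRATCH/mounts"
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/mtdblock2 / squashfs ro 0 0
proc /proc proc rw 0 0
ramfs /var ramfs rw 0 0
tmpfs /tmp tmpfs rw 0 0
EOF
mkdir -p "$SCRATCH/var/run" "$SCRATCH/tmp"
printf 'pid 123\n' > "$SCRATCH/var/run/daemon.pid"   # plain data file, not flagged
printf '#!/bin/sh\n' > "$SCRATCH/tmp/loaded.bin"     # constructed run-time executable
chmod 755 "$SCRATCH/tmp/loaded.bin"

# Number of run-time executables found in the sample tree (expected: 1).
count_runtime_executables() {
    runtime_executables "$SAMPLE_MOUNTS" "$SCRATCH" | wc -l | tr -d ' '
}

runtime_executables "$SAMPLE_MOUNTS" "$SCRATCH"
```

Only the owner execute bit is tested (`-perm -100`), which is the octal form POSIX find guarantees and which BusyBox find also accepts; the data file under /var/run is deliberately left unflagged to show that the check keys on the execute bit rather than on the mount alone.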

Botnet & malicious uses

Several revisions of the NB5 modem shipped with a flaw which meant that the web configuration...