In-depth discussion on how to clear worms infected with Routers

A few days ago, security researchers discovered a botnet worm called psyb0t, which can attack DSL modems and routers. This worm can search for and exploit specific devices with open ports. The attacked device also has a weak password. Once a worm enters a vro, it can do whatever it wants, block the port, leak sensitive information, and attack other networks.

In this article, I will analyze the router types that are vulnerable to this specific worm attack, and then discuss how to prevent such and other types of router worms from being infected. Finally, we will discuss how to clear worms infected with routers.

How do worms enter the vro

The router worm enters the router through the port used to remotely manage the router. However, the router does not open these ports by default. It must be manually enabled on the configuration program of the Router Web interface. As shown in 1:

In addition, a larger vulnerability lies in weak passwords. In other words, remote management is secure if defense measures are taken.

According to media research, the latest worm attacks basically need to meet the following standards:

1. These devices are generally devices using MIPS processors, which run the simple version of The Endian mode (mipsel. This includes about 30 Linksys devices, 10 Netgear devices, and many other devices. In addition, routers that load other firmware replacements, such as DD-WRT and OpenWRT, are also vulnerable to attacks.

2. enable some remote management devices, such as telnet, SSH, or Web-based access. It is not easy to provide local access.

3. The combination of user names and passwords for remote access management is not strong enough to be easily cracked. Or its firmware is easily exploited by the Vulnerability exploitation program.

Since vro worms invade through remote management ports, ensuring the security of these ports becomes the key to preventing infection. In addition, it is the best solution to disable remote management and disable these ports because worms are inaccessible. However, if remote access is required, follow the following guidelines to prevent worms from intruding:

1. Use a strong and secure password

You know, the router worm relies on powerful dictionary attacks (constantly trying to guess the password), so we should use a password that is not easy to guess. Do not use any "admin", "router", or "12345" as vro passwords, but use a combination, such as rDF4m9Es0yQ3ha. It must contain at least uppercase and lowercase letters and contain numbers and letters. Although this password is hard to remember, we can store it in a certain file (such as a text file), and use TrueCrypt, Cryptainer LE and other software to encrypt various files that save the password.

2. Secure Remote Connection Encryption

For example, try not to use HTTP because it uses plain text transmission. You can use HTTPS to transmit Web-based access. You can enable the remote access settings of the vro configuration program and select the "https" option. If you need command lines to access the vro, you can use SSH. Because SSH is an encrypted protocol. Encrypted connections are not necessary to prevent router worms, but they can enhance the overall security of the router. See Figure 2:

3. Change the default port

Worms can intrude through the default ports of these remote connections, such as port 80 or port 8080 accessed through HTTP Web, port 443 accessed by encrypted Web, and port 22 of SSH. Therefore, a router that receives connections on non-default ports is more secure. Many routers have a Port field next to the remote connection setting function. Enter the desired Port number here. For example, enter the Internet-facing IP address where the router is located, add a colon, and then the port number. If you are connecting through SSH, You need to specify the port number in the connection settings of the SSH client program. As shown in 3:

4. Use the inbound Filter

In fact, we can configure some routers to filter out which IP addresses or ranges allow access connections, so that we can block worms from any IP addresses in the list. To do this, you can first check whether the IP address or IP address range can be defined in the vro Remote Management settings. Then, check whether the router can set inbound connection settings. 4:

Ensure the latest firmware of the vro

As we mentioned above, the software used by the router firmware also makes the router vulnerable to worms. Therefore, keeping the router always loaded with the latest firmware version can help prevent this vulnerability. Vro manufacturers and firmware replacement projects regularly release these firmware updates to fix known security vulnerabilities.

To update the firmware of A vro, you must download a new image from the vendor's website. Then log on to the configuration program of the vro, open "Admin"/"Misc" or "System", select the latest firmware, and load it. 5:

Clear worms: Clean the routers

The preventive measures we discussed earlier prevent routers from being attacked and harmed by worms. Remember, do not enable it if you do not need remote access. If you need to use this function, we recommend that you make the user name and password more complex, use a mix of upper and lower case passwords, numbers, and other passwords, and use SSH or HTTPS for transmission, consider using non-default ports and try to use any inbound filter.

If the vro is infected, some incredible things will happen. For example, it is reported that Psyb0t will block communication between port 22, port 23, and port 80.

To clear the worm, the most thorough solution is to restore the router to the factory default value, which can ensure that the worm is cleared. Press the reset button on the back of the vro and wait a few seconds (different vendors have different requirements. For example, if my vro needs to be pressed for more than 30 seconds), it can be restored to the factory status. Once the worm is cleared, remember to use the method described in this article.