- Have a MIPS CPU
- You have opened ports 80, 22, 23 to the public internet
- Have an easy password (anything found in a dictionary)
ALL of the above need to be met, and truly this is not a hack; it is a vulnerability created by you, the user, which someone has chosen to take advantage of. To my knowledge, I have never seen a router that opens the above-noted ports to the public internet, although 99% of them give the user the capability to do so in the router settings.
On to what it does: A botnet, as discussed earlier, is a group of several infected devices that work together to spread their infection to other devices and perform other ill will over the internet, all of this done in completely autonomous fashion. In other words, its creator {Dr. Frankenstein} unleashes it on the world, and it grows and lives completely independently of its creator.
This botnet attacks weak routers using its dictionary of passwords. Once it logs in, it replaces a service on the router with one of its own; this new infected service then blocks all access to the router for you, the user. It then logs into a chat service where it receives commands from the other bots, kind of a cloud of nastiness. This site lists all of the possible commands a device may perform; there are several, from scanning the internet for other compatible devices that it may infect to sending massive amounts of traffic to someone's network (causing them to lose their internet connection).
MIPS-based devices can probably be found in a good half of the world's internet routers, so this is something people should be careful of. Most likely nobody has unknowingly opened the noted ports (duh), thus they would be aware of it, at which point the password they use is extremely crucial. Passwords should be at least 8 characters, with both numbers and letters, and should not be found in the dictionary; add other symbols if allowed by your platform.
This is truly scary because the infected device may go unnoticed for days or even weeks doing its dirty deeds, whereas a virus-infected computer will usually be noticed quickly by its user. More than likely a user would notice slow internet due to an infected router, but many of its day-to-day actions may not affect your internet speed.
How to stop an infected device: unplug your internet, then run a factory reset to erase all settings (please first consult your router's manual, usually available for download on the manufacturer's website), then start from scratch with a BETTER PASSWORD!!!
What is DroneBL.org? Well, plainly stated at the top of their site: "DroneBL is a realtime monitor of abusable IPs, which has the goal of stopping abuse of infected machines." Which means it may be of interest to security geeks, unlike myself (I am not insecure ;).
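A self-check of your own router against the conditions listed above, as an added example that is not part of the original post. The function names, the small sample wordlist and the placeholder address 192.0.2.1 are assumptions; the script treats any one of the three named ports being reachable as "exposed" and any failure of the password rule as "weak", which is stricter than the post's wording.

```python
import socket

# Ports the post names as the exposure condition: SSH, telnet, HTTP admin.
MANAGEMENT_PORTS = (22, 23, 80)
# Constructed sample wordlist; a real audit would load a full dictionary file.
SAMPLE_WORDLIST = {"password", "admin", "dragon", "letmein", "sunshine"}


def exposed_ports(host, ports=MANAGEMENT_PORTS, timeout=2.0):
    """Return the sorted list of ports on host that accept a TCP connection."""
    found = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)
        except OSError:
            pass  # refused, filtered or timed out: not reachable from here
    return sorted(found)


def password_problems(password, wordlist=SAMPLE_WORDLIST):
    """Check a password against the rule in the post; return the failures."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if password.lower() in wordlist:
        problems.append("found in dictionary")
    return problems


def at_risk(cpu_is_mips, open_ports, problems):
    """True only when every condition holds together, as the post requires."""
    # Assumption: any reachable management port and any rule failure count.
    return bool(cpu_is_mips and open_ports and problems)


if __name__ == "__main__":
    # 192.0.2.1 is a documentation placeholder: substitute your own router's
    # public address and run this from a machine outside your network.
    ports = exposed_ports("192.0.2.1", timeout=1.0)
    issues = password_problems("sunshine")  # constructed sample password
    print("open management ports:", ports)
    print("password problems:", issues)
    print("matches all conditions:", at_risk(True, ports, issues))
```

An empty list from `exposed_ports` when run from outside your network means the exposure condition is not met, whatever the CPU or password.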
Nice post dood!