Now viruses attack BIOS and DSL-modems

28th April 2009

The end of March this year was marked by two important pieces of news: first, a way was found to place malicious code into BIOS memory, and second, a massive infection of home routers was detected, caused by a worm called “psyb0t” that turns the router into a component of a botnet.
Infecting the BIOS chip of a computer used to be considered something out of fiction. The BIOS (Basic Input/Output System) is responsible for keeping the system configuration unchanged and for performing the basic input and output functions. Nevertheless, two Argentine specialists, Alfredo Ortega and Anibal Sacco of Core Security Technologies, demonstrated at the CanSecWest information security conference the successful insertion into the BIOS of a special remote-control program, or rootkit. In particular, they managed to infect computers running the Windows and OpenBSD operating systems, as well as an OpenBSD virtual machine under VMware Player, in front of the audience.
Although infecting the BIOS by Ortega and Sacco’s method requires first compromising the machine or having physical access to it, the consequences of such an infection are dire: even after all data is removed from the hard disk and the operating system is reinstalled, the machine is infected again at the next reboot. Further information about the attack on the BIOS can be found on the ThreatPost blog.
Another serious danger was found by the administrators of the DroneBL site, which monitors IP addresses that are the source of various network attacks. About two weeks ago a DDoS (Distributed Denial of Service) attack was carried out against the site. While investigating the incident, they found that the attack came from infected routers and DSL modems. Further analysis showed that the first botnet based not on PCs and servers but on home network equipment has appeared on the Internet. This malicious network, together with the worm that spreads the infection, has been named “psyb0t”. The infection mechanism of “psyb0t” turned out to be quite unusual. The devices exposed to infection are Linux mipsel-based routing devices that have an administrative interface, or that open access through the sshd or telnetd services in a DMZ, if they have weak combinations of user name and password (including openwrt/dd-wrt devices). The “psyb0t” worm uses a special algorithm for selecting user names and passwords, as well as several strategies for taking control of the device.
After infection, “psyb0t” embeds a fragment of malicious code into the operating system of the device; the worm consists of code variants for several versions of mipsel, which are loaded from the attackers' central server. The worm then blocks the end user's access to the device via telnet, sshd and the web interface, and begins inspecting all packets passing through the device, fishing out user names and passwords. The worm also sends its owners information about servers on the local network that have vulnerable configurations of phpMyAdmin and the MySQL DBMS. According to DroneBL, the botnet now has more than 100 thousand active infected devices, used for the theft of private information and for carrying out large DDoS attacks. According to those who discovered it, the particular danger is that most home users will most likely be unable to notice the presence of “psyb0t” on their network.
A detailed description of the botnet and the “psyb0t” worm can be found on the DroneBL blog.






Copyright © 2009 Software Pick Network. All rights reserved