According to estimates, the worm has already managed to infect over 100,000 hosts.
Researchers from DroneBL stress that the new malware uses multiple strategies for exploitation, including brute-forcing username and password combinations, and is able to harvest usernames and passwords through deep packet inspection. It can also scan for exploitable phpMyAdmin and MySQL servers.
Users are vulnerable to this attack if they have a mipsel device, the device has telnet, SSH or web-based interfaces available to the WAN, and the username and password combinations are weak (or the daemons that the firmware uses are exploitable).
Users can check whether they have been infected: ports 22, 23 and 80 are blocked as part of the infection process. Should the ports be blocked, the user should perform a hard reset on the device, change the administrative passwords, and update to the latest firmware.
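The port check described above, as an added example that is not part of the original article: it probes the three management ports on your own router from the LAN side and compares the result with what you know was enabled before. The router address `192.168.1.1`, the `expected_open` set and the function names are assumptions; because the article does not say how the ports are blocked, any state other than "open" is treated as blocked.

```python
import socket

ADMIN_PORTS = (22, 23, 80)  # SSH, telnet, web UI: the ports the article says get blocked

def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'refused' or 'no-reply'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"      # host answered with a reset
    except OSError:
        return "no-reply"     # timeout or unreachable
    finally:
        s.close()

def assess(states, expected_open):
    """states: {port: state}. expected_open: ports you know were enabled
    before (assumption supplied by the device owner)."""
    blocked = {p for p in ADMIN_PORTS if states.get(p) != "open"}
    if not expected_open:
        # A port that was never enabled looks the same as a blocked one.
        return "inconclusive: no port known to have been enabled before"
    if blocked == set(ADMIN_PORTS):
        return "suspect: 22, 23 and 80 all unreachable"
    if all(states.get(p) == "open" for p in expected_open):
        return "no symptom: previously enabled ports still answer"
    return "inconclusive: some enabled ports stopped answering"

if __name__ == "__main__":
    import sys
    # Assumed default router address; pass your own as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    states = {p: probe(host, p) for p in ADMIN_PORTS}
    print(states)
    # Assumption: the web interface on port 80 was enabled before.
    print(assess(states, expected_open={80}))
```

A "suspect" result only matches the symptom the article describes; the same result appears if the management interfaces were disabled on purpose.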