Skip to content

Trending tags

What’s a Mirai Botnet Doing With My Router?

Adam Pilkey

30.11.16 4 min. read

Mirai – malware designed to infect internet of things devices – is behind some of the biggest DDoS attacks in history. It knocked Twitter, Netflix, and other popular websites offline in October. And now, it looks like a variant of Mirai has been modified (or upgraded) to infect routers. Nearly a million people in Germany have lost their internet access over the past few days due to infected routers.

News reports say that over 900,000 routers from Deutsche Telekom (DT), Germany’s largest telecommunications provider, were knocked off the internet over the past few days. The attack(s) are being attributed to Mirai based on their use of infrastructure seen in previous Mirai attacks.

“Mirai was designed to infect IoT devices. And since IoT devices and routers have many of the same security issues, adapting Mirai to target routers seems worthwhile for attackers,” says F-Secure Security Advisor Sean Sullivan. “It takes a bit of work to adapt the malware, but since the code has been dumped online, it’s doable.”

The Mirai variant hitting routers in Germany exploits a vulnerability in the firmware of particular models of Speedport and Zyxel routers. Previous Mirai variants have been more focused on IoT devices (most notably webcams), and brute forcing passwords to infect devices with malware.

You can find a list of affected router models here. DT has apparently already developed a fix for this, which is impressive given the general industry-wide neglect of vulnerable firmware.

But reports say that there may be as many as five million devices connected to the internet that are susceptible to the same attack used against DT routers. And this estimate doesn’t include devices with other security problems leveraged by Mirai, such as the use of weak default passwords set by manufacturers.

How to Troubleshoot Bots

Attackers infect devices with Mirai, and then connect tens or maybe even hundreds of thousands of infected devices together to create a network of bots (hence the term, botnet). Using botnets, attackers can do things like issue commands to infected devices, launch devastating DDoS attacks, install additional malware, or spread the infection through more networks (thereby increasing the size of their botnet).

But fighting botnets isn’t a huge priority for anyone but ISPs. A phone, laptop, or webcam can be part of a botnet without really inconveniencing the device owner. However, that doesn’t mean bot infections should be ignored. Many bots, including Mirai, receive instructions from attackers. New instructions can give bots new capabilities, including having them attack device owners in more direct ways.

And because Mirai (and bots like it) can infect non-traditional PCs, it’s more difficult to get rid of.

Here are a few things you can do to get rid of bot infections on devices that can’t run antivirus software.

Reset your device

Resetting routers and IoT devices infected by Mirai is enough to remove the infection. It’s a good first step. But this doesn’t fix the underlying problem, so you’ll remain vulnerable to future infections unless you take additional actions. And because Mirai spreads aggressively, you may only have a matter of minutes until you’re infected again.

Change default passwords (if possible)

Most people don’t change default passwords on their routers or IoT devices. This is a HUGE problem, since many of these devices use common passwords for the same model or line of products. And to make things worse, lists of default passwords are often available online.

Many attackers know people don’t change passwords on their devices, and use that to help them plan attacks. Mirai is programmed to try logging in using popular passwords like “123456” and “password”, as well as passwords that have proven effective against specific devices (such as “admin” and “xc3511”). So change default passwords whenever possible.

Contact device vendors/ISPs

Some devices cannot be fixed easily. Sometimes passwords cannot be updated by users. Firmware often ships with vulnerabilities, requiring vendors to create and distribute patches. In these cases, ISPs or device manufacturers need to get involved.

So make an effort to check their websites, and if needed, contact them. They may or may not help. DT is making an effort to restore service to customers affected by the recent outbreak. And after the massive Mirai attack on Dyn in October, a Chinese webcam manufacturer recalled some of its products that used passwords that could not be changed by users.

In the worst case scenarios, people may be forced to actually throw out an infected device.

“Like any new technology, it’s buyer beware,” says Sean. “Security researchers and even hackers have been talking about insecure IoT devices for years. Now the problems are starting to arrive, and they’ll most likely get worse before they get better.”

There are multitude of other security measures you can take to protect things like routers and IoT devices. Some of the best ones include making sure Universal Plug n Play is disabled, checking that your DNS settings are configured correctly, and that you log out of devices’ admin portals after changing any settings.

[ Image by Sascha Pohflepp | Flickr ]

Adam Pilkey

30.11.16 4 min. read


Highlighted article

Related posts


Newsletter modal

Thank you for your interest towards F-Secure newsletter. You will shortly get an email to confirm the subscription.

Gated Content modal

Congratulations – You can now access the content by clicking the button below.