This content is part of the Essential Guide: How the Mirai botnet changed IoT security and DDoS defense
News Stay informed about the latest enterprise technology news and product updates.

Modified Mirai botnet could infect five million routers

Researchers said a modified version of the Mirai botnet code has been attacking routers by exploiting a specific vulnerability and may leave millions at risk.

The open source Mirai botnet code has evolved beyond attacking IoT devices and the new variant of Mirai has been used to attack vulnerable routers around the world.

The upgraded Mirai code was first blamed for causing service disruptions for nearly one million Deutsche Telekom customers in Germany, but researchers have found the worm spreading to vulnerable routers around the world, with Brazil and the U.K. being the most heavily impacted countries.

"Flashpoint confirms that this malware is a new Mirai variant and its involvement in the recent Deutsche Telekom outage. Flashpoint also assesses with high confidence that this variant is an attempt by one of the existing Mirai botmasters to expand the number of infected devices in their botnet," Flashpoint researchers wrote in a blog post. "This new Mirai variant is using some of the same [command and control servers] used by existing Mirai infrastructure, strongly suggesting that the infected devices are controlled by the same group."

The original Mirai botnet code propagated over Telnet in IoT devices that used insecure or default administrator login credentials. According to security researchers from Flashpoint, the new version of Mirai has the added ability to scan for a flaw in the Simple Object Access Protocol (SOAP) service embedded in various routers, many of which are made by Zyxel.

"The new Mirai variant utilizes the TR-064 and TR-069 protocols over port 7547 and exploits a known vulnerability to gain control of the device. The protocol TR-069 runs the 'provisioning networks' used by ISPs and telecoms to remotely manage modems and routers in their consumer networks," Flashpoint wrote. "The new Mirai variant exploits these provisioning networks further to freely spread within the modem or router's network 'segment,' which can vary wildly and amount to the size of street, municipality, or entire country."

Experts said this is especially worrying because of the previous DDoS attacks performed using Mirai. These botnets were linked to a DDoS attack on the website of security reporter Brian Krebs clocked at 620 Gbps, and another attack with rates up to 1.2 Tbps that took down Dyn DNS servers and impacted websites including PayPal, Twitter, Reddit, GitHub, Amazon, Netflix and Spotify.

The attack on Dyn reportedly leveraged a Mirai botnet of just 100,000 devices, and Flashpoint said there could be as many as five million routers vulnerable to the modified version of Mirai.

"Some estimates put the total number of devices with port 7547 open at around 41 million, and devices that allow non-ISPs access to provisioning networks number up to five million," Flashpoint wrote. "If even a fraction of these vulnerable devices were compromised they would add considerable power to an existing botnet."

Deutsche Telekom has pushed a firmware update for the affected routers in Germany.

Craig Young, computer security researcher for Tripwire's Vulnerability and Exposures Research Team, told SearchSecurity the scale of attacks possible with a Mirai botnet is the real threat.

"The danger isn't coming from Mirai, but rather from the fact that Mirai offers an easy platform to infect embedded devices. Since embedded devices are generally not running any security software and there is such an abundance of vulnerable devices connected to the internet, the threat comes from scale of attack," Young said. "In the past when botnets were limited to using traditional computing devices as their zombies, it was much easier to recognize and remediate the threat. With embedded devices, most people would never know that there was any problem and would certainly have little idea as to how to remove a virus if they did notice it."

However, Chris Carlson, vice president of product management at Qualys, said the scale of attacks from Mirai botnet is made worse because of how easy it is to infect devices.

"Traditional DDoS attacks require enslaving PCs, which requires a lot of expertise and work. This slows down the rate at which botnet owners are infected systems under their control," Carlson told SearchSecurity via email. "With Mirai targeting internet-connected and unprotected IoT devices, the botnet owners can add hundreds of thousands or millions of infected devices into their networks at a much faster rate. This scale and speed completely changes the tenor of DDoS attacks against targets -- larger volume attacks for longer periods from larger number of devices -- making it very difficult to stop or mitigate active attacks."

Young said he expects Mirai to be a growing problem and although he wouldn't call the situation hopeless, he has "not seen any feasible or realistic plans to get ahead of this threat in the short-term future."

"Minimizing external attack surface is a first step. So far, the Mirai variants have utilized worm-like behavior in which only devices attached directly to the internet are affected and therefore systems behind NAT or appropriate firewalls with no ports exposed to the internet are insulated from attack. This is not guaranteed to be true forever, however," Young said. "The full solution to this problem will require action from many parties and most likely both consumers and device makers."

Carlson said the open source nature of Mirai means the problems will likely "get worse before it gets better."

"We'll see more types of systems being infected from a larger number of threat actors. Additionally, I expect that we'll start to see different forks of Mirai created and extended to target specific systems since the Mirai source code has been published on the internet," Carlson said. "What's interesting about the Mirai botnet compared to other malware attacks, like ransomware, is that users of the infected IoT systems are not significantly impacted (and are not the intended end-victim of the DDoS attack), so there isn't a clear driver for them to patch or update their IoT devices."

Dilip Pillaipakkam, vice president and general manager of service provider business at Infoblox, said situational awareness and application of patches, blocking, filtering and other traditional methods are some of the best ways to beat these threats.

"The nature of security is defense, and you're always playing from behind. In this arena, until IoT and other internet devices are more securely built, updated, protected by users and ISPs and retired appropriately, we'll never 'catch up' as there will always be more holes to find and exploit," Pillaipakkam told SearchSecurity. "Situational awareness and application of patches, blocking/filtering and other traditional methods are some of the best ways to beat these threats. Further, understanding what is on your network, locking down communications to only those things necessary, knowing where attackers are coming from and how they operate to deploy effective countermeasures, and ensuring you have all your best practices for weathering DDoS deployed, and response plans not only drawn up, but tested."

Next Steps

Learn more about IoT botnets connected to DDoS attacks.

Find out how a nematode worm could potentially dismantle a Mirai botnet.

Get info on why the global internet infrastructure is in danger of attacks like the Dyn DDoS.

Dig Deeper on Malware, virus, Trojan and spyware protection and removal