The Mirai botnet continues to cause serious damage to computer users worldwide, the latest attack has taken offline 900 000 routers of a German ISP.
The Mirai Botnet Hits Again
Many Internet users in Germany reported connection issues which were caused by a large Mirai botnet attack against one of the biggest providers in the country Deutsche Telekom. According to the released information about 900 000 of their DSL router customers have been targeted by the dangerous botnet.
The impacted customers were unable to connect to the Internet or used any services (phone and video) that relied on an active Internet connection. The ISP has taken quick action and has stated that the issue will be resolved by Tuesday via an emergency patch in the router however millions of other DSL modems could be vulnerable to the threat.
The hackers have used a security flaw in the implementation of the router diagnosis and maintenance features which are used by two of the major device manufacturers – Zyxel and Arcadyan Technology. The attackers have accessed and abused a special port on the devices (TCP NTP 7547) to execute a dangerous remote code execution attack. The same problem was discovered last week when security researchers discovered that these flaws also affect routers used by the Irish ISP company Eir.
Previous Mirai attacks used a built-in dictionary of default username and password credentials to hack into insecured IoT (Internet of Things) devices such as webcams and DVR equipment. The latest Mirai code has added the new exploit to cause even further damage.
Infected devices exhibit worm-like behavior by deleting their payload carriers from the file systems which turns them into memory-resident. This makes it harder to detect by anti-spyware tools however at the same time makes them quite easy to remove just by rebooting the hosts.
At the moment the remote malicious C&C servers point to US military-related IPs in the 6.0.0/8 range in the beginning of the attacks. Later on the attackers have used different servers to server the malware binaries. New variants of the code have used legitimate request to a set of specific IP’s that act as NTP servers.
The Mirai Botnet Has Made Another International Attack
Other countries that have reported large-scale Mirai botnet attacks in similar manner include Iran, the United Kingdom, Brazil and Thailand. It is estimated that at least 5 million devices are vulnerable.
The newer strains of the botnet are even more dangerous, they do not just have updated infection vectors, but they are also able to recruit much more devices in less time. This can potentially create an even larger botnet network that can seriously cripple the targets.
The reported vulnerability was explained by a member of the Kaspersky Lab’s Global Research and Analysis Team as the following:
“A vulnerability in affected routers causes the device to download the binary with file name ‘1’ from http://l.ocalhost[.]host to the /tmp/-directory and executes it. The IP addresses of this host changed a few times during the day. Starting from 28th November 2016, 16:36 CET the domains cannot be resolved to domains anymore (‘NXDOMAIN’).”
The Mirai Botnet For Hire
The Mirai botnet has been used by computer criminals as a paid service. For the price of 7500 US Dollars anyone can rent out a small botnet network of 100 000 bots to launch a consolidated DDOS attack against a single host. The operators of the scheme state that such an attack can cause a concurrent stream of 1 Terabit per second or even more.
The customers can also rent out a custom number of bots, set the duration of the attack and the length of the pauses between the attempts. The prices are adjusted to the wishes of the customers and the payments are done in the BitCoin crypto currency via the TOR network.
To learn more about Mirai click here for our in-depth guide.
