The Mirai botnet is getting more problematic with each passing day, but not because the malware itself is becoming more sophisticated. The problem lies with weakly secured internet-of-things devices.
In October of this year, the Mirai botnet crippled the whole internet, sending it offline for a couple of hours. Some of the world’s most popular websites were helpless victims.
There was another large-scale attack, this time on over 900,000 users of broadband routers provided by Deutsche Telekom in Germany. The routers were knocked offline over the weekend after what is thought to have been a cyber-attack. Telephone, television and internet services in the country were all affected.
Deutsche Telekom, which offers a range of services to over 20 million people, wrote on Facebook that over 900,000 of its users had their internet disrupted on Sunday and Monday.
There is a critical remote code execution flaw in routers made by Zyxel and Speedport. In these systems, the internet-facing port 7547 receives commands from ISPs so that they can manage the devices remotely.
SANS Internet Storm Center has published an advisory where it said honeypot servers designed to pose as insecure routers were receiving attacks every 5 to 10 minutes.
One intercepted packet was studied to see how a remote code execution flaw in the <NewNTPServer> part of a SOAP request was used to infect insecure devices.
A study by security personnel at BadCyber revealed that the malicious payloads were originating from a familiar Mirai control centre.
“The use of TR-064 commands to execute code on routers was for the first time made public at the start of November. Just some days later, there appeared a relevant Metasploit module,” BadCyber said in a post. “It’s like someone deliberately weaponised it and came up with an internet worm using the Mirai code.”
The whole saga started in the early days of October, when a cyber criminal released the source code for Mirai, malware designed to infect Internet of Things devices. It scans for vulnerable IoT devices such as DVRs, cameras and routers, enlists them in a botnet and then uses them to launch DDoS attacks.
The hacker pulled off the feat with three separate exploit files, each targeting a different architecture: one for ARM silicon and two for different variants of MIPS chips.
The malware accesses the administration interface and tries three default passwords to gain access. Once in, it closes the port to keep other attackers from reaching the device.