“Mirai” malware attacks Home Routers

Published
December 14, 2016
Type
Info notes

Introduction

Mirai is a type of malware that originally targeted IoT devices with the goal of enlisting them into a large botnet and using them to perform cyber-attacks. Mirai was recently used to orchestrate massive DDoS attacks against well-known Web sites, leveraging infected IoT devices. In November 2016, another incident related to a variant of the Mirai malware took place. An upgraded variant of the malware targeted the home routers of customers of Germany's telecommunications company Deutsche Telekom. A large number of home routers were hit by an outage as a result of the malware's attempt to hijack them. Following this incident, the UK's TalkTalk and Post Office were also affected, seemingly by the same malware.

This note provides an overview and some background information on the incidents. It also highlights the serious issue of open-sourcing malicious code, which can be later used by anyone and for any malicious purpose. In addition, the note provides recommendations regarding home router security.

The Vulnerability & Exploit

In early November, a blog post highlighted a bug in one of Eir's routers (Eir D1000) that allows an attacker to take full control of the router remotely. The bug leaves the router's TCP port 7547 exposed to the Internet. This port is used by two specific protocols (TR-069 and TR-064) for router management, but it is not meant to be accessible from the Internet, only from the ISP's own administration servers. The flaw allows an attacker to manage the router remotely using TR-064 commands without authentication. Essentially, by sending certain TR-064 commands, an attacker can manipulate the router into opening port 80, which exposes the router's web administration interface to the Internet. If the default router login password has not been changed, the router can be trivially hijacked. Proof-of-concept exploit code in the form of a Metasploit [1] module was also provided. Later on, more routers manufactured by Zyxel (Eir's router is a rebranded Zyxel router) were identified as susceptible to that particular bug.

The Deutsche Telekom Outage

On the 27th of November 2016, a large number (approximately 900,000) of Deutsche Telekom customers using certain models of routers (Speedport models manufactured by Arcadyan) reported connectivity issues. The outage was caused by a modified and upgraded version of the Mirai malware. The upgraded variant of Mirai scanned the Internet for home routers vulnerable to the aforementioned bug with the goal of hijacking them. According to a "Comsecuris" blog post, after testing one of the affected routers, it was pointed out that the malware's disruptive connections, and not the exploit itself, were most probably the reason the routers crashed. Similarly, Deutsche Telekom stated that the attack attempted to infect the routers with malware but failed, which resulted in crashing them. Still, evidence of what really happened is circumstantial. Deutsche Telekom has not disclosed details about the incident, although it rolled out firmware updates to the affected routers to rectify the issue. Although the attack did not manage to infect the routers, denial of service is a very serious attack, especially if performed on a wider scale.

The TalkTalk & Post Office Incidents

Later during the same week, some of the UK's TalkTalk and Post Office customers were also affected by an outage originating from another attack by seemingly the same malware, which allegedly led to Wi-Fi passwords being stolen - something that TalkTalk denies. Researchers from Imperva Incapsula reported that on the 5th of December, a UK-based bitcoin company was hit by a DDoS attack from malware-infected home routers located in the UK, over 99% of which were traced back to TalkTalk. Despite the fact that TalkTalk issued a patch for the affected routers, no details of the incident or its extent are officially available and evidence is sparse. Moreover, a security firm criticised both TalkTalk's stance on the issue and the effectiveness of the issued patch, urging the company to replace the vulnerable routers or provide evidence that customers' routers were not compromised.

The Issue of Open-Sourcing Malicious Code

The root cause behind the emergence of Mirai variants and the continuous development of the malware is traced back to the fact that the source code of Mirai was publicly released on a hacking forum on the 30th of September. This is not the first time that malware has been publicly released. In 2015, the "Hidden Tear" ransomware was made available on GitHub with the intention that it be used for educational and not for malicious purposes. Of course, it is not possible to control how a particular piece of code will be used once it is publicly released on the Internet and can be accessed by everyone. Therefore, publishing malicious and weaponised source code of any kind poses a serious and imminent risk to information security. This means that any kind of attacker, from a script kiddie to a state-sponsored attacker, is able to fetch this source code, use it as it is, or adapt its capabilities according to their own malicious intentions. Consequently, attackers can use the malware against any target, and/or sell it on the black market as a product or service to be used by a wider, non-technical audience too. Active variations of Mirai suggest that this claim is not just speculation, but fact. Unfortunately, when such malicious code is publicly released or leaked, it is virtually impossible to contain it and avoid its diffusion on a larger scale. On the positive side, security researchers are able to analyse malicious code when it becomes available, and use their findings to warn the community as well as build defences accordingly. In short, open-sourcing malware is the equivalent of opening Pandora's box in cyber-space, and security professionals need to be ready to "run a marathon" and not a "sprint" to keep up with such developments.

Recommendations

A previous ENISA Info Note highlighted some of the security problems in regards to home routers and provided various recommendations in that respect. In addition to those recommendations, the following points should be considered:

For users

When a router is infected by the new Mirai variant it closes port 7547 and disables telnet as well, making it very difficult for ISPs to apply patches remotely. After rebooting the router, the malware is wiped from the device's memory. For that reason, Deutsche Telekom advised its affected users to unplug their routers, wait 30 seconds and plug them back in, in order to automatically retrieve a firmware update that rectifies the issue upon reboot, before the device is attacked and compromised again.

Users are also advised to consult their router's documentation in order to change the router's default credentials (e.g. the administration interface login password and the Wi-Fi password) and to disable functionality that is either not used or poses security risks (e.g. remote Web administration and UPnP, respectively). Upon infection, such malware usually alters the router's DNS server settings, which can lead to the hijacking of a user's Internet connection. Therefore, tech-savvy users are also advised to check that their DNS settings are properly configured. Less tech-savvy users can use online tools, e.g. F-Secure's Router Checker, to check whether their DNS settings have been hijacked.
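The DNS check suggested above can be done by hand from the router's status page. The script below is an added example, not part of the ENISA note or of any vendor's tool: it parses a constructed "Key: value" status dump, validates every address listed as a DNS server, and flags resolvers that are neither the ISP's (the ISP_RESOLVERS addresses are hypothetical placeholders), a well-known public resolver, nor the router itself. All addresses and the status dump are constructed for illustration.

```python
# Added example (not from the ENISA note): check a home router's DNS settings,
# as read from its status page, against the resolvers the user expects.
import ipaddress
import re

# Hypothetical ISP resolvers; replace with the ones your ISP actually hands out.
ISP_RESOLVERS = {"203.0.113.53", "203.0.113.54"}
# Well-known public resolvers a user may legitimately have configured.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

# Constructed LAN layout: the router itself is the only legitimate LAN resolver.
ROUTER_LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER_ADDR = ipaddress.ip_address("192.168.1.1")

# Constructed router status dump in the "Key: value" style many web interfaces
# print. The secondary DNS entry is deliberately an unexpected address.
STATUS_DUMP = """\
WAN IP: 198.51.100.23
Primary DNS: 203.0.113.53
Secondary DNS: 198.51.100.250
LAN DNS (DHCP): 192.168.1.1
"""

# Any line whose label mentions DNS, followed by a single value.
DNS_LINE = re.compile(r"^\s*(?P<label>[^:]*DNS[^:]*):\s*(?P<value>\S+)\s*$",
                      re.IGNORECASE)


def parse_dns_settings(dump):
    """Return a list of (label, value) for every line naming a DNS server."""
    found = []
    for line in dump.splitlines():
        m = DNS_LINE.match(line)
        if m:
            found.append((m.group("label").strip(), m.group("value")))
    return found


def classify_resolver(value):
    """Classify one configured resolver address as expected or suspicious."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return "INVALID"            # not an IP address at all
    if str(addr) in ISP_RESOLVERS:
        return "OK-isp"
    if str(addr) in PUBLIC_RESOLVERS:
        return "OK-public"
    if addr == ROUTER_ADDR:
        return "OK-router"          # LAN clients normally resolve via the router
    if addr in ROUTER_LAN:
        return "SUSPICIOUS-lan-host"  # some other LAN device answering DNS
    return "SUSPICIOUS-unknown"     # neither ISP, public nor local: investigate


def check_dns_settings(dump):
    """Return (label, value, verdict) for every DNS entry in the dump."""
    return [(label, value, classify_resolver(value))
            for label, value in parse_dns_settings(dump)]


def hijack_suspected(dump):
    """True if any configured resolver is invalid or not on the expected lists."""
    return any(verdict == "INVALID" or verdict.startswith("SUSPICIOUS")
               for _, _, verdict in check_dns_settings(dump))


if __name__ == "__main__":
    for label, value, verdict in check_dns_settings(STATUS_DUMP):
        print(f"{label:<18} {value:<16} {verdict}")
    print("hijack suspected:", hijack_suspected(STATUS_DUMP))
```

The allowlist approach is deliberate: a hijacked router typically points clients at an attacker-controlled resolver that looks like any other public address, so the only reliable local check is "is this one of the resolvers I expect?" rather than "does this address look bad?".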

For ISPs

ISPs should restrict access to ports 7547 (and 5555) accordingly in order to protect routers from exploits against unpatched vulnerabilities. Routers should only accept connections to these ports from specific configuration servers, and the ports should not be reachable from the Internet. ISPs also need to closely monitor their networks and block malicious traffic that targets those ports. In general, ISPs need to have an actionable and practised incident response plan in place, in order to be proactive and issue emergency patches in the event of security incidents.
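As an added example of the monitoring and restriction advised above (this is illustrative code, not part of the ENISA note or of any ISP's tooling), the script below parses constructed netfilter-style log lines, flags TCP connection attempts to ports 7547 and 5555 that arrive on the WAN interface from sources outside a hypothetical auto-configuration server (ACS) allowlist, counts them per source, and renders the corresponding "ACS only, drop everything else" iptables rules as strings. The log format, all addresses and the ACS range are constructed; the rules are only rendered, never applied.

```python
# Added example (not from the ENISA note): detect probes against the TR-069/
# TR-064 management ports from non-ACS sources, and render the restrictive
# firewall policy the note recommends. Everything below is constructed.
import ipaddress
import re
from collections import Counter

MGMT_PORTS = {7547, 5555}

# Hypothetical ACS (auto-configuration server) range; replace with your own.
ACS_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/28")]

# Constructed log lines in a netfilter "key=value" style. Line 1 is a
# legitimate ACS connection; lines 2-4 are Internet probes; line 5 is
# unrelated HTTPS traffic; line 6 comes from the LAN side.
SAMPLE_LOG = """\
2016-11-27T20:01:12Z kernel: IN=wan SRC=203.0.113.5 DST=198.51.100.23 PROTO=TCP SPT=44123 DPT=7547 SYN
2016-11-27T20:01:13Z kernel: IN=wan SRC=192.0.2.77 DST=198.51.100.23 PROTO=TCP SPT=51022 DPT=7547 SYN
2016-11-27T20:01:13Z kernel: IN=wan SRC=192.0.2.77 DST=198.51.100.24 PROTO=TCP SPT=51023 DPT=7547 SYN
2016-11-27T20:01:14Z kernel: IN=wan SRC=192.0.2.78 DST=198.51.100.23 PROTO=TCP SPT=40001 DPT=5555 SYN
2016-11-27T20:01:15Z kernel: IN=wan SRC=192.0.2.99 DST=198.51.100.23 PROTO=TCP SPT=40002 DPT=443 SYN
2016-11-27T20:01:16Z kernel: IN=lan SRC=192.168.1.20 DST=198.51.100.23 PROTO=TCP SPT=40003 DPT=7547 SYN
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict, or None if it is not a flow record."""
    fields = dict(FIELD.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    return {
        "iface": fields.get("IN", ""),
        "src": fields["SRC"],
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", ""),
        "dport": int(fields["DPT"]),
    }


def is_allowed_acs(src):
    """True if the source address lies inside one of the ACS ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ACS_ALLOWLIST)


def suspicious_events(log_text):
    """Return TCP flows to a management port that arrived on the WAN side
    from a source outside the ACS allowlist."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["iface"] != "wan" or ev["proto"] != "TCP":
            continue
        if ev["dport"] in MGMT_PORTS and not is_allowed_acs(ev["src"]):
            events.append(ev)
    return events


def summarize(log_text):
    """Count suspicious probes per source; busy sources are candidates for
    blocking at the ISP edge."""
    return Counter(ev["src"] for ev in suspicious_events(log_text))


def acs_only_rules():
    """Render (as strings, nothing is applied) an iptables policy that accepts
    the management ports only from the ACS ranges and drops the rest."""
    rules = [f"iptables -A INPUT -i wan -p tcp -s {net} "
             f"-m multiport --dports 7547,5555 -j ACCEPT" for net in ACS_ALLOWLIST]
    rules.append("iptables -A INPUT -i wan -p tcp -m multiport --dports 7547,5555 -j DROP")
    return rules


if __name__ == "__main__":
    for src, n in summarize(SAMPLE_LOG).most_common():
        print(f"{src:<16} {n} probe(s) to management ports")
    print("\n".join(acs_only_rules()))
```

Note that the ACCEPT rule precedes the DROP rule, so legitimate ACS traffic still reaches the router while Internet-wide scanning of port 7547, which is how the Deutsche Telekom routers were reached, is discarded at the edge.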

For Vendors

In cases where there is no possible fix for vulnerable routers, users find themselves in the unfortunate position of having either to replace their devices or to remain vulnerable while continuing to use them. Vendors should therefore be in a position to follow established procedures for recalling affected devices and either patching them or replacing them with non-vulnerable devices. Recalls of affected and vulnerable devices have taken place before, in the aftermath of the recent Mirai DDoS attacks.


[1] Metasploit is a known penetration testing software.

About "Info Notes" from ENISA

With the "Info Notes" series ENISA aims to give interested readers some background information and recommendations about NIS related topics. The background information and recommendations derived from past experiences and common sense, and should be taken as starting points for discussions on possible courses of action by relevant stakeholders. Feel free to get in touch with ENISA to discuss or inquire more about the "Info Notes" series (cert-relations@enisa.europa.eu).
