Fast-Spreading Mirai Worm Disrupts UK Broadband ProvidersTalkTalk and Post Office Have Developed Fixes
Mirai, a fast-spreading worm that knocked 900,000 Deutsche Telekom customers offline earlier this week, has also caused hiccups for broadband customers in the U.K.
See Also: Autonomous Response: Threat Report
TalkTalk says a small number of D-Link 3780 routers used by customers were infected with Mirai, which was recently re-engineered to attack large numbers of DSL routers with software vulnerabilities and insecure remote administration settings.
Broadband provider Post Office says its systems were disrupted by a third party on Nov. 27 but did not specify Mirai. The BBC reported 100,000 customers were affected.
Mirai has been blamed for distributed denial-of-service attacks that prevented access to Twitter, PayPal and Spotify. The attacks have been launched from hacked internet-of-things devices, such as digital video recorders, routers and IP cameras, which often have poor security defenses.
The latest version of Mirai, however, has caused routers to stop working, an apparent coding mistake that fortunately means the devices can't be harnessed for DDoS attacks. The widescale outages have triggered quick action by network operators to fix the routers.
Internet-wide scans have indicated as many as 40 million routers, largely clustered in South America and Europe, could be affected by the latest version of Mirai, according to the SANS Internet Storm Center.
Part of the problem is that the consumer routers have been incorrectly configured, says Johannes Ullrich, dean of research at the SANS Institute of Technology. The attacks exploited a software vulnerability via a remote administration setting usually restricted to ISPs.
"These remote admin protocols are supposed to use authentication and access restrictions," Ullrich says. "But it appears they are not implemented correctly."
Ullrich says he hopes the attacks will serve as a wake-up call for ISPs, but "there are likely many so far unknown vulnerabilities left in the various implementations of these remote admin protocols."
An IoT Attack Platform
Mirai represents a new escalation by hackers seeking to create large botnets, or networks of compromised devices.
The original version of Mirai was coded with the default authentication credentials of IoT devices such as digital video recorders and IP cameras. The passwords are often rarely changed or can't be changed (see Mirai Botnet Pummels Internet DNS in Unprecedented Attack).
Once Mirai infects a device, it scans for other vulnerable devices, quickly creating a large army. In September and October, infected Mirai devices launched DDoS attacks against computer security journalist Brian Krebs, French hosting provider OVH and the network services provider Dyn.
The Dyn attacks focused on the company's DNS infrastructure, which allows computers to receive the right IP address for a domain name. The attacks hampered access to the websites of Dyn's customers, including Twitter, Spotify and PayPal, bringing the scale of the security problems to mainstream attention (see Botnet Army of 'Up to 100,000' IoT Devices Disrupted Dyn).
Deutsche Telekom was the first network operator to say it had been struck by the latest version of Mirai. The revised malware incorporates a recently discovered vulnerability found by a security researcher in D1000 routers that were distributed by Irish ISP Eir. The router is made by the Taiwanese manufacturer Zyxel, which has not responded to repeated queries.
On Nov. 9, the researcher publicly published proof-of-concept exploit code. Less than three weeks later, it had been wrapped into Mirai.
The development showed a remarkably quick adaptation of Mirai; its source code had been public for more than two months, says Tod Beardsley, senior security research manager at Rapid7.
"While we have been warning about crummy routers and switches at home for years and years, I wasn't expecting to see the Mirai botnet become this IoT attack platform," Beardsley says. "It turns out it's a pretty decent platform for subbing in new attacks for old ones."
So, Who's Responsible?
Security researchers complain router manufacturers are slow to respond to reports of vulnerabilities and sometimes don't bother patching. Compounding the problem, routers aren't upgraded frequently, and they're often connected to the internet long after a manufacturer has halted technical support.
Slow or inadequate responses to security issues by manufacturers puts ISPs in tough positions since they don't make the hardware or write most of the software. The low-level code that runs on the routers, or firmware, is also shared between manufacturers.
"You're dealing with a multivendor process," Beardsley says. "A lot of these modems are rebranded by ISPs. It can be difficult to tell who owns the bug."
Deutsche Telekom quickly created a fix, likely due to the fact that it required just a line of code, for example, to shut off an exposed port. TalkTalk and Post Office also say they've developed fixes.
But some router flaws aren't going to be easy to fix. Some ISPs, such as Deutsche Telekom, can make some changes to a router's firmware, as proven in this incident, says Ronnie Tokazowski, senior malware analyst with Flashpoint. But in other cases, routers are just black boxes to ISPs, requiring intervention by the manufacturer to make deeper changes.
"The responsibility would ultimately fall on the party who has access to make the change happen," he says.
After its operating system and applications came under repeated, large-scale assault in the early 2000s, Microsoft launched its Trustworthy Computing program, which focused on better defenses and faster patching. But IoT manufacturers are "just starting to open their eyes and realize that they have to take certain security measures," Tokazowski says.