Attackers have used an advanced new strain of the Mirai Internet-of-things malware to quietly assemble an army of 100,000 home routers that can be used at any time to launch paralyzing attacks on the Internet, a researcher warned Monday.
Botnet operators have been releasing new versions of Mirai regularly since the source code was made public 14 months ago. Often, the new versions contain only minor tweaks, and many contain errors that prevent the new releases from having the punch of the original Mirai, which played a major role in the series of distributed denial-of-service attacks that damaged or temporarily took down Twitter, GitHub, PlayStation Network and other key Internet services.
What sets this new variant apart is its ability to exploit a recently discovered vulnerability to infect home and small-office routers even when they are protected with strong passwords or have remote management fully disabled, Dale Drew, chief security strategist at broadband Internet provider CenturyLink, told Ars. One of the affected devices is the Huawei EchoLife Home Gateway, and the other is the Huawei Home Gateway. About 90,000 of the 100,000 newly infected devices are one of the two Huawei router models. The new malware also has a dictionary of 65,000 username and password combinations to try against other platforms.
“It’s a pretty sophisticated approach,” Drew told Ars on Monday. The unknown operator “has a very attractive special forces army now, where it is adding more and more professionals to its IoT pool.”
Until now, Mirai has relied on routers that were reachable from the Internet and secured only with default passwords. In October, researchers documented a new IoT botnet called Reaper. It was novel because it infected machines by exploiting remote code-execution vulnerabilities. The new Mirai strain takes the same approach.
In the almost two weeks since the new botnet came to light, the operator has done little more than use the infected devices to scan the Internet for more vulnerable devices and then infect them. Drew warned that the operator could use the compromised devices at any time to launch DDoS attacks, possibly as a fee-based service aimed at people who want to settle personal scores or extort money from online services. The botnet is the same one that researchers from China-based Netlab 360 documented last week.
Security experts were able to obtain two domain names used to control the botnet, but Drew said the operator has managed to regain control of the infected machines using new command-and-control channels. While Level 3, a backbone provider that was recently purchased by CenturyLink, uses its network to block control-server communications with infected devices, many networks still allow the botnet to operate freely. Drew said that, for the time being, security professionals have few options other than to closely monitor the botnet and block any new control channels it may use.
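As an added, defender-side illustration that is not code from the article, CenturyLink, Level 3 or Netlab 360: a small Python triage script over a constructed log excerpt. It flags hosts on a router segment that resolve domains on a control-server blocklist, and hosts whose outbound connection fan-out looks like the scan-then-infect behaviour described above. The log format, the placeholder domains, the sample addresses and the thresholds are all assumptions.

```python
"""Triage constructed router-segment logs for two botnet symptoms:
(1) DNS lookups of blocklisted command-and-control domains, and
(2) outbound scanning: many distinct destinations within a short window."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Placeholder C2 domains; assumption: fed from a blocklist or sinkhole feed. Not real indicators.
C2_BLOCKLIST = {"c2-placeholder-1.example", "c2-placeholder-2.example"}

# Constructed sample log (not real traffic). Line formats assumed here:
#   "<ISO timestamp> dns <src> <domain>"
#   "<ISO timestamp> flow <src> <dst> <dport>"
# Host .20 resolves a blocklisted name and then fans out to 12 addresses in 12 seconds;
# host .30 shows ordinary traffic.
SAMPLE_LOG = "\n".join(
    ["2017-12-04T10:00:00 dns 192.168.1.20 c2-placeholder-1.example"]
    + [f"2017-12-04T10:00:{i:02d} flow 192.168.1.20 198.51.100.{i} 8080" for i in range(1, 13)]
    + [
        "2017-12-04T10:01:00 dns 192.168.1.30 update.vendor-placeholder.example",
        "2017-12-04T10:01:01 flow 192.168.1.30 198.51.100.50 443",
        "2017-12-04T10:05:00 flow 192.168.1.30 198.51.100.51 443",
    ]
)


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts = datetime.fromisoformat(parts[0])
        if parts[1] == "dns":
            events.append({"ts": ts, "kind": "dns", "src": parts[2], "domain": parts[3]})
        elif parts[1] == "flow" and len(parts) == 5:
            events.append({"ts": ts, "kind": "flow", "src": parts[2],
                           "dst": parts[3], "dport": int(parts[4])})
    return events


def find_c2_contacts(events, blocklist=C2_BLOCKLIST):
    """Map each host that resolved a blocklisted domain to the sorted list of those domains."""
    hits = defaultdict(set)
    for e in events:
        if e["kind"] == "dns" and e["domain"] in blocklist:
            hits[e["src"]].add(e["domain"])
    return {host: sorted(domains) for host, domains in hits.items()}


def find_scanners(events, min_targets=10, window_seconds=60):
    """Map each host that reached at least min_targets distinct destinations inside any
    window_seconds-long window to its peak distinct-destination count (sliding window)."""
    window = timedelta(seconds=window_seconds)
    per_host = defaultdict(list)
    for e in events:
        if e["kind"] == "flow":
            per_host[e["src"]].append((e["ts"], e["dst"]))
    result = {}
    for host, flows in per_host.items():
        flows.sort()
        in_window = Counter()  # distinct destinations currently inside the window
        left = 0
        peak = 0
        for ts, dst in flows:
            in_window[dst] += 1
            # Evict flows older than the window from the left edge.
            while flows[left][0] < ts - window:
                old = flows[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            result[host] = peak
    return result


def triage(text, blocklist=C2_BLOCKLIST):
    """Combine both heuristics into one report with a sorted list of suspect hosts."""
    events = parse_log(text)
    c2 = find_c2_contacts(events, blocklist)
    scanners = find_scanners(events)
    return {"c2_contacts": c2, "scanners": scanners,
            "suspect_hosts": sorted(set(c2) | set(scanners))}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Both heuristics deliberately key on behaviour rather than on the malware's own code, because the article's point is that the operator moves to new control channels once the old domains are lost: a fresh blocklist entry is caught by the first check, and a device that starts scanning is caught by the second even before its new control domain is known.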
“The horror story is that we have botnet operators trying to gain access to nodes that number in the hundreds of thousands, if not millions,” he said. “We’ve always said that it takes a village to protect the Internet. When we see a bad guy, he gets that information blocked, and blocked quickly.”