The bane of the internet of things’ existence Mirai has been modified and is now targeting routers.
The malware is reportedly targeting a flaw in routers which leave the Internet port 7547 open. Through this hole the malware is able to deploy its payload using the TR-069 and TR-064 protocols which ISPs can use to remotely manage a router.
At time of writing the exploit only appears to have affected routers provided by German ISP Deutsche Telekom (which has already sent a security patch out to customers) but in a report by Ars Technica, as many as 41 million devices connected to the internet leave port 7547 open and 5 million allow outside sources to access the TR-064 protocol as indexed by Shodan.
Researchers at Kaspersky Lab found that the command and control servers that Mirai was communicating with were pointed at US military related IP addresses.
“Since there is no Mirai related infrastructure behind this network range, the bots will not receive any further commands until the criminals behind this attack will change the DNS records again. For sure, this is some kind of trolling from the criminals who conducted the attack,” wrote the researchers.
What is of concern to us is that in the months since Mirai’s source code was made public the malware has graduated from capturing IOT devices to capturing routers. The potential exists then that the next time we see a Mirai attack – like the one that was executed against Dyn in October – it could be much larger and more devastating.
Mirai usually infects the volatile memory that is common in internet of things devices so if you suspect your router has been compromised a reset should clear the memory but you would need to lock these devices down with an incredibly secure password and disable remote access through the aforementioned protocols.[Via – Ars Technica]