Mirai UK Botnet Consists Mostly Of TalkTalk Routers

The Mirai botnet has spread like wildfire and now infects 2,398 home routers across the UK, with 99 percent of them being TalkTalk routers.

According to research by cyber security firm Imperva, the Mirai botnet was used to launch distributed denial of service (DDoS) attacks, and has been responsible for taking down major services such as Amazon, Twitter, GitHub, Spotify and Reddit, as well as knocking out broadband services from Talk Talk and The Post Office offline.

The botnet was also used to launch a DDoS attack against Deutsche Telekom routers which saw the over 900,000 of its customers affected, however it is not known if this attack was caused by the same Mirai bot nets as the other ones.

Rise of Mirai

The spread of Mirai appears to be down to the leaking of its source code on HackForum which placed it in the hands of hackers versed in using botnets to launch DDoS and other cyber attacks.

With the source code released the Mirai malware has evolved from its original guise, which makes it harder for security and technology companies to patch and protect against.

Routers infected with Mirai enable hackers to exploit the TR-064 protocol widely used by many internet service providers (ISPs) to remotely manage network routers. By modifying the command, a hacker can use the router to remotely execute bash commands and use commands to synchronise a router with an external time source.

With this level of control, hackers can open port 80 access on routers, pinch Wi-Fi passwords, modify the iptable rules and inject malware into the device.

This vulnerability in the TR-064 was effectively the enabler of the Mirai attacks that cropped up in ISP distributed routers.

The amount of routers across the UK that have the Mirai infections was a surprise for Imperva, which noted that IP distribution of botnets as uncommon, but the data indicates a vulnerability in locally distributed devices, which has led to the rise of a Mirai botnet in Britain.

This indicated that the Post Office and Talk Talk attack were likely carried out in the UK rather than further afield.

“With variants of Mirai already leveraging the exploit for large-scale attacks, it’s time for ISPs to proactively assume responsibility and issue emergency patches,” said Imperva.

“Doing so would protect the privacy of their customers and prevent their routers from falling into the hands of botnet operators who would endanger the entire internet ecosystem.”

In a statment sent to Silicon UK, Talk Talk said it is looking into the attacks on its routers and the impact or Mirai.

“Along with other ISPs in the UK and abroad, we continue to take steps to review the potential impacts of the Mirai worm. A small number of customer routers were affected by this issue. We have made good progress repairing these and continue to deploy additional network-level controls to further protect our customers,” a spokesperson from the company said.

With the rise of smart and Internet-connected devices botnets are cropping up in all manner of devices, including a giant CCTV camera botnet.

Are you a security pro? Try our quiz!

Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.

View Comments

  • Some points of clarification:

    "Routers infected with Mirai enable hackers to exploit the TR-064 protocol widely used by many internet service providers (ISPs) to remotely manage network routers. "

    TR-064 is not used for remote management, nor is it widely deployed. TR-064 is an older LAN-side protocol used for initial basic provisioning using a LAN-side application (as would come on a router installation disc).

    "This vulnerability in the TR-064 was effectively the enabler of the Mirai attacks that cropped up in ISP distributed routers."

    This was not a vulnerability in TR-064. It was a vulnerability in these vendors' implementations of TR-64, which allowed the attackers to run code that downloaded Mirai. Secondly, it was exploitable remotely only because they were piggy-backing TR-064 on another port used by a totally different protocol that is exposed to the WAN, which TR-064 never should have been.

Recent Posts

Marriott Agrees To Pay $52 Million To Settle Data Breaches

To settle US federal and state claims over multiple data breaches, Marriott International agrees $52…

1 day ago

Tesla Shares Drop After Cybercab Unveiling

Mixed reactions as Elon Musk hypes $30,000 'self driving' robotaxi called Cybercab, as well as…

1 day ago

AMD Launches New AI, Server Chips To Expand Nvidia Challenge

AMD unveils new AI and data centre chips as it seeks to improve challenge to…

2 days ago

Chinese Hackers Breach US Wiretap Systems – Report

AT&T and Verizon among US broadband providers reportedly hacked to target American government wiretapping platform

2 days ago