Mirai UK Botnet Consists Mostly Of TalkTalk Routers

ENISA botnet report, Mirai

The Mirai botnet has spread like wildfire and now infects 2,398 home routers across the UK, with 99 percent of them being Talk Talk routers.

The Mirai botnet has spread like wildfire and now infects 2,398 home routers across the UK, with 99 percent of them being TalkTalk routers.

According to research by cyber security firm Imperva, the Mirai botnet was used to launch distributed denial of service (DDoS) attacks, and has been responsible for taking down major services such as Amazon, Twitter, GitHub, Spotify and Reddit, as well as knocking out broadband services from Talk Talk and The Post Office offline.

The botnet was also used to launch a DDoS attack against Deutsche Telekom routers which saw the over 900,000 of its customers affected, however it is not known if this attack was caused by the same Mirai bot nets as the other ones.

Rise of Mirai

mirai-ukThe spread of Mirai appears to be down to the leaking of its source code on HackForum which placed it in the hands of hackers versed in using botnets to launch DDoS and other cyber attacks.

With the source code released the Mirai malware has evolved from its original guise, which makes it harder for security and technology companies to patch and protect against.  

Routers infected with Mirai enable hackers to exploit the TR-064 protocol widely used by many internet service providers (ISPs) to remotely manage network routers. By modifying the command, a hacker can use the router to remotely execute bash commands and use commands to synchronise a router with an external time source.

With this level of control, hackers can open port 80 access on routers, pinch Wi-Fi passwords, modify the iptable rules and inject malware into the device.

This vulnerability in the TR-064 was effectively the enabler of the Mirai attacks that cropped up in ISP distributed routers.

The amount of routers across the UK that have the Mirai infections was a surprise for Imperva, which noted that IP distribution of botnets as uncommon, but the data indicates a vulnerability in locally distributed devices, which has led to the rise of a Mirai botnet in Britain.

This indicated that the Post Office and Talk Talk attack were likely carried out in the UK rather than further afield.

“With variants of Mirai already leveraging the exploit for large-scale attacks, it’s time for ISPs to proactively assume responsibility and issue emergency patches,” said Imperva.

“Doing so would protect the privacy of their customers and prevent their routers from falling into the hands of botnet operators who would endanger the entire internet ecosystem.”

In a statment sent to Silicon UK, Talk Talk said it is looking into the attacks on its routers and the impact or Mirai. 

“Along with other ISPs in the UK and abroad, we continue to take steps to review the potential impacts of the Mirai worm. A small number of customer routers were affected by this issue. We have made good progress repairing these and continue to deploy additional network-level controls to further protect our customers,” a spokesperson from the company said. 

With the rise of smart and Internet-connected devices botnets are cropping up in all manner of devices, including a giant CCTV camera botnet.

Are you a security pro? Try our quiz!