Australian routers are being recruited by huge DDoS botnet effort

  • Liam Tung (CSO Online)
  • 30 November, 2016 10:43

A new attack aimed at building a massive botnet to launch paid-for traffic attacks is very likely to have recruited vulnerable routers based in Australia, according to security firm Flashpoint.

The broadband outage affecting 900,000 customers of German carrier Deutsche Telekom this week has brought into focus a new vulnerability common to potentially five million home routers that could be recruited by cyber criminals as a weapon-for-hire to flood any site that a paying customer wants offline.

BleepingComputer reported last week that two hackers claimed to have a botnet of around 400,000 internet connected devices which are controlled using code from malware known as Mirai. Motherboard reported today that the same two hackers, using the pseudonyms BestBuy and Popopret, claim to have inadvertently knocked Deutsche Telekom’s customers offline.

The original Mirai botnet, which used compromised webcams and digital video recorders for bandwidth, struck security website Krebs on Security and French ISP OVH with attacks of an unprecedented scale. Earlier this month it also knocked out access to Twitter, Spotify and other major sites by attacking managed DNS provider Dyn.

The source code was recently open-sourced, available to any would-be criminal entrepreneur keen on creating or enhancing a ‘stresser' business, where botnets are rented out to take down any website so long as the customer pays the required fee.

The Deutsche Telekom incident this week was not a distributed denial of service (DDoS) attack against the carrier but rather an apparent failed effort to infect its customers’ home routers.

Several researchers have confirmed the attack is not limited to Deutsche Telekom customer routers and that the malware — an updated version of Mirai — is using a recently disclosed router flaw to exploit a messaging standard called TR-069. This standard, which is used by some member ISPs to service home router equipment, is published by the Broadband Forum. It counts dozens of the world’s largest ISPs, including Telstra, as members.

According to the SANS Internet Storm Center, vulnerable routers include some models of Deutsche Telekom’s Speedport routers, as well as Zyxel-made routers distributed by Irish ISP Eir. Several other brands are also affected.

Security firm Flashpoint, which has been tracking Mirai for the past month, on Tuesday said that a “turf war” had been taking place among rival gangs using the open-sourced Mirai code that first appeared on the hacking den, Hackforums.

“After the source code for Mirai and its exploitation vector were released on hackforums[.]net, the situation changed dramatically and the number of independent Mirai operators attempting to exploit the same IoT device pool subsequently increased,” the firm wrote.

“A turf war has ensued, and the overall size of most attacks launched by Mirai botnets has been much smaller than the original record-breaking attacks. A natural next step in the evolution of this malware is for criminal actors to decouple the Mirai payload from its spreading mechanism, and use a different spreading mechanism.”

That “decoupling” manifested in the attack on Deutsche Telekom customer routers and, it seems, routers from other ISPs. While the original Mirai exploited default passwords on internet-connected devices, the version of Mirai observed this week exploits a vulnerability.

One question researchers are asking now is how many devices have been hacked and how many could be. The attacks on Krebs’ site, which peaked at over 600 gigabits per second, were estimated to rely on hundreds of thousands of hacked devices. By contrast, the number of routers potentially exposed to the new variant of Mirai ranges up to 40 million.

Johannes Ullrich of the SANS Institute notes that not all 40 million would harbor the vulnerability; however, the attack on routers across the globe this week could have added one to two million new bots to the specific Mirai botnet, he said.

Ullrich also pointed to research showing that modems used by UK ISP TalkTalk were vulnerable, as well as some D-Link modems, and modems made by MitraStar, Digicom and Aztech. Roughly 40 vulnerable router models have been identified so far.

Flashpoint also says it is confident that routers in Australia, Argentina, Brazil, Chile, Germany, Iran, Italy, Turkey, Thailand, and the United Kingdom have been compromised by Mirai.