A new version of Mirai—a malware that’s been enslaving poorly secured IoT devices—has found a new victim: vulnerable internet routers from Germany’s Deutsche Telekom.
The spread of the new strain of Mirai has caused internet connection problems for close to a million Deutsche Telekom customers, the company reported on Monday.
Deutsche Telekom blamed the disruption on the notorious malware, which has already been found infecting more than 500,000 internet connected devices, including DVRs and surveillance cameras.
However, this new strain of Mirai has been upgraded, said Johannes Ullrich, a security researcher with the SANS Technology Institute. He’s been observing the infections and said they’ve been specifically designed to exploit a vulnerability in internet routers from the company Zyxel.
Originally, Mirai was designed to infect devices built with weak default logins and passwords by scanning the internet for them and then trying a list of more than 60 password combinations. But this new strain also targets a flaw in the SOAP (Simple Object Access Protocol) service embedded in the Zyxel router products, allowing the malware to take over the devices, Ullrich said.
It’s unclear how many devices may have been affected, but Deutsche Telekom said the disruption, which began on Sunday afternoon, caused 900,000 out of its 20 million customers to experience connection problems.
“The attack attempted to infect routers with a malware, but failed, which caused crashes or restrictions for 4 to 5 percent of all routers,” the company said in an email.
However, Ullrich’s findings suggest that the new strain of Mirai succeeded in ensnaring at least some devices. To track the malware’s spread, he established a web server on Monday designed to act as a honeypot that can lure in the attack.
“Once Mirai infects a system, it goes off looking for more victims,” he said.
As of Monday morning, he’d found 100,000 unique IP addresses attempting to infect his honeypot.
But the goal of Mirai isn’t simply to infect. By taking control of thousands of devices, the malware can form a botnet—or an army of enslaved computers that can be used to launch massive distributed denial-of-service attacks.
That’s what happened last month when Mirai-infected devices were used to cause internet outages for dozens of top U.S. websites. The DDoS attack worked by flooding a DNS service provider with an overwhelming amount of internet traffic.
Ullrich said he hasn’t observed this new strain of Mirai launching any DDoS attacks. But the connection problems for the Deutsche Telekom customers were probably caused by the malware infecting the device, and then using the computing power on the router to infect other devices, he said.
Fortunately, Deutsche Telekom has issued an advisory, instructing customers how to remove the infection.
But Ullrich said the new Mirai strain has probably infected routers used by other companies or internet service providers; they just aren’t aware. He estimates 1 million to 2 million router products will be easily infected.
Zyxel didn’t immediately respond to a request for comment.