internet connected devices, including DVRs and surveillance cameras.
However, this new strain of Mirai has been upgraded, said Johannes Ullrich, a security researcher with the SANS Technology Institute. He’s been observing the infections and said they’ve been specifically designed to exploit a vulnerability in internet routers from the company Zyxel.
Originally, Mirai was designed to infect devices built with
(Simple Object Access Protocol) service embedded in the Zyxel router products, allowing the malware to take over the devices, Ullrich said.
It’s unclear how many devices may have been affected, but Deutsche Telekom said the disruption, which began on Sunday afternoon, caused 900,000 out of its 20 million customers to experience connection problems.
“The attack attempted to infect routers with a malware, but failed, which caused crashes or restrictions for 4 to 5 percent of all routers,” the company said in an email.
However, Ullrich’s findings suggest that the new strain of Mirai succeeded in ensnaring at least some devices. To track the malware’s spread, he established a web server on Monday designed to act as a honeypot that can lure in the attack.
“Once Mirai infects a system, it goes off looking for more victims,” he said.
As of Monday morning, he’d found 100,000 unique IP addresses attempting to infect his honeypot.
But the goal of Mirai isn’t simply to infect. By taking control of thousands of devices, the malware can form a botnet—or an army of enslaved computers that can be used to launch massive distributed denial-of-service attacks.
when Mirai-infected devices were used to cause internet outages for dozens of top U.S. websites. The DDoS attack worked by flooding a DNS service provider with an overwhelming amount of internet traffic.
Ullrich said he hasn’t observed this new strain of Mirai launching any DDoS attacks. But the connection problems for the Deutsche Telekom customers were probably caused by the malware infecting the device, and then using the computing power on the router to infect other devices, he said.
, instructing customers how to remove the infection.
But Ullrich said the new Mirai strain has probably infected routers used by other companies or internet service providers; they just aren’t aware. He estimates 1 million to 2 million router products will be easily infected.
Zyxel didn’t immediately respond to a request for comment.
Note: When you purchase something after clicking links in our articles, we may earn a small commission. Read ouraffiliate link policyfor more details.