Mirai botnet attacks 900,000 German broadband routers

By on
Mirai botnet attacks 900,000 German broadband routers

Malware attempts to infect routers via remote management feature.

Hundreds of thousands of Deutsche Telekom broadband customers in Germany have been attacked by the Mirai malware, crashing their routers and degrading internet connections.

The telco said as many as 900,000, or about 4.5 percent of its 20 million fixed-line customers, began to have problems connecting to its network on Sunday afternoon.

The outages affected certain models of customer broadband DSL and fibre routers, but not the network itself, the company said. 

"The attack attempted to infect routers with a malware but failed which caused crashes or restrictions for four to five percent of all routers," Deutsche Telekom said.

An automatic software update for the affected routers is being rolled out. Deutsche Telekom said the malware did not survive a reboot.

The telco today said its security measures appeared to be taking effect, with the number of customers affected declining to around 400,000 by 1200 GMT.

"There is a clear improvement in the current situation," a spokesman said.

Kaspersky researcher Stefan Ortloff gathered technical details from affected users as well as samples of the malware which he said was a variant of the Mirai botnet.

Analysing the malware-generated network traffic, Ortloff discovered it was directed at transmission control protocol (TCP) port 7547 on the routers.

That port is used for the TR-064 protocol that internet providers and telcos connect to over their networks to configure customer DSL routers remotely. Mirai attempted to infect broadband routers via the TR-064 port, Ortloff said.

Ortloff found that the command and control server domains for the attack were pointed to United States military networks in the 6.0.0.0/8 IP address range.

There is, however, no Mirai-related infrastructure on that network, Ortloff added, meaning any remaining bots will not receive further commands until the attackers change the domain name system records for the malware configuration.

The affected routers are three Speedport models, Deutsche Telekom said.

Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Log In

Username:
Password:
|  Forgot your password?