Mirai Again: DT Outage a Precursor to Larger DDoS Attack

Written by

The Mirai botnet strikes again: Researchers say that the internet of things (IoT) specialist network is behind the outage that affected 900,000 Deutsche Telekom customers this week.

According to analysis from cybersecurity company Tripwire, that outage was just the tip of the iceberg: It was caused by an attempt to hijack customers’ router devices for a wider Internet attack, one that would be similar to the huge Internet outage in October that wreaked havoc across the web.

For now, the downtime at DT has affected businesses and private users all over Germany as well as telephony and television services.

Craig Young, security researcher at Tripwire, has carried out research into the outage by analyzing strings from the attack binaries. He has been able to confirm the attack was definitely carried out by the Mirai malware. He also said that one of the main servers used in the attack infrastructure is registered out of Kiev, under the name Peter Parker (famously, Spider-Man’s real name). 

“After a system is infected, Mirai deletes the original malicious binary and relocates itself to blend in with normal system items,” Young said, via email. “Mirai also attempts to block access to the vulnerable remote management protocol, thereby preventing subsequent attack/infection and also making it that much harder for ISPs to forcibly reset devices.”

Young was also able to look at the general topology of the botnet.

“The attackers have built the payload for multiple architectures,” he said. “As of this morning however, the malware available on the C&C server is instead downloading and running a script which attempts to run a payload from each of seven architectures until one succeeds.”

Previously infected systems are not running the new variant, which Young said would imply that the controller has not (or cannot) update the malware on already deployed systems. 

This week’s router hijackings offered no geographic pattern (other than being confined to DT’s German terrestrial network) and had the effect of slowing and hampering customers’ broadband service in varying degrees.

Mirai’s source code is open, so any bad actor out there can download it and get to work. This has led to a range of attackers with varying ability levels carrying out attacks. One particular group, operating what MalwareTech.com dubbed Botnet 14, has taken on significantly bigger targets than most of the Mirai dabblers out there, and is believed to be responsible for the Dyn attack in October. Mirai typically carries out DDoS attacks, but other types of offensives—like this week’s attempts to hijack the DT routers to pave the way for a large DDoS campaign—are obviously in its wheelhouse.

Photo © Profit_Image 

What’s hot on Infosecurity Magazine?