Several months ago, Americans on the East Coast awoke to discover that large swathes of the Internet, including major sites like Twitter, were totally inaccessible. The problems continued for hours; the cause was eventually revealed to be a huge DDoS attack launched against Dyn, a major DNS provider in America. The attack, leveraging an army of compromised devices like DVRs and webcams called the Mirai botnet, did no lasting damage but did draw further attention to the growing problem that botnets such as these represent.
Now, Mirai has struck again — this time in Germany and the United Kingdom. Two distinctive features separate this attack from other previous assaults: the attack knocked home Internet users offline, and the botnet seems to have been modified. Rather than targeting the servers of a major DNS provider, the botnet was this time directed to attack specific router models. These included units by manufacturers Zyxel and D-Link.
Many ISPs were affected, including TalkTalk, Post Office, and Deutsche Telekom. In Germany alone, nearly one million customers lost their access to the web after the botnet attempted to infect vulnerable routers with its malware. Some hundred thousand more in the UK experienced the same problem.
In an effort to fix the issue, firmware updates were immediately released to guard against the threat; customers needed only to power cycle their router to receive the update. Overall, there was no long-term effect and customers were quickly brought back online. So, what happened?
There is a fundamental difference between this version of Mirai and the botnet that attacked Dyn. First, the type of hardware attacked was different, meaning the worm itself required modifications to attack the framework running on the routers. Its goal was to take over these routers, eventually creating a new form of the botnet that could then be directed via a remote command and control server.
However, perhaps due to an error in the modifications, the hijacking attempts failed, causing the hardware to crash instead. This repeated crashing was the root cause of the outage customers experienced. While whoever directed the attack was unsuccessful, it’s anyone’s guess as to whether they will redevelop their version of Mirai and attempt to deploy it again. As researchers have more time to understand how it works, though, the better the protections that will be put into place. It’s clear that Mirai is still here to stay.