Attackers have used an advanced new strain of the Mirai Internet-of-things malware to quietly amass an army of 100,000 home routers that could be used at any moment to wage Internet-paralyzing attacks, a researcher warned Monday.
Botnet operators have been regularly releasing new versions of Mirai since the source code was openly published 14 months ago. Usually, the new versions contain minor tweaks, many of which contain amateur mistakes that prevent the new releases from having the punch of the original Mirai, which played a key role in a series of distributed denial-of-service attacks that debilitated or temporarily took down Twitter, GitHub, the PlayStation Network and other key Internet services.
What sets this latest variant apart is its ability to exploit a recently discovered zeroday vulnerability to infect two widely used lines of home and small-office routers even when they’re secured with strong passwords or have remote administration turned off altogether, Dale Drew, chief security strategist at broadband Internet provider CenturyLink, told Ars. One of the affected Huawei devices is the EchoLife Home Gateway, and the other is the Huawei Home Gateway. Roughly 90,000 of the 100,000 newly infected devices are one of the two Huawei router models. The new malware also has a dictionary of 65,000 username and password combinations to try against other types of devices.
“It’s a pretty sophisticated approach,” Drew told Ars on Monday. The unknown operator “has a pretty significant scanning army right now where he’s adding more and more vectors to his IoT pool.”