New Mirai Variant Found Spreading like Wildfire

A security researcher reportedly discovered a new variant of Mirai (identified by Trend Micro as ELF_MIRAI family) that is quickly spreading. A notable increase in traffic on port 2323 and 23 was observed over the weekend, with around 100 thousand unique scanner IPs coming from Argentina. 

The release of the Proof-of-Concept (PoC) exploit code in a public vulnerabilities database was believed to have triggered the increase of activity associated with the Mirai botnet. Scans used the PoC on November 22 after the publication of the exploit code on October 31. The PoC triggers CVE-2016-10401 in old ZyXEL PK5001Z routers, which was made public early this year.

Attackers have discovered a large amount of ZyXEL devices using admin/CenturyL1nk and admin/QwestM0dem as default Telnet credentials. These ZyXEL devices are a combination of a DSL modem and router supplied by US-based internet service providers (ISPs) CenturyLink and Qwest. ZyXEL PK5001Z routers possess a hardcoded superuser password (zyad5001) that could be used to elevate a user’s access to root level and install the DDoS malware. According to the researcher, the abuse of admin/CenturyL1nk and admin/QwestM0dem began at around 2017-11-22 11:00 and peaked the following day. About 60 hours ago, big upticks on port 2323 and 23 scan traffic were noticed, and a subsequent investigation points to the new Mirai variant as the cause for the activity. Scanner IPs reportedly came from the network of local ISP Telefonica de Argentina.

In 2016, Mirai gained notoriety after it launched massive and widespread attacks by turning vulnerable connected devices (including routers, CCTV cameras, DVRs, etc.) into weaponized zombies. It made headlines again in February this year after a Windows Trojan was found helping it find potential victims and amplifying its distribution. Variants were used in attacks that affected major sites like Netflix, Reddit, Twitter, and Airbnb, as well as 900,000 home routers from Deutsche Telekom.

Solution and Mitigation

Enterprises that could be affected by Mirai will have to deal with business disruptions, possible monetary loss, and even damaged brand reputations if the threat is not averted. Router providers should make sure that their products are secure enough to withstand attacks. These best practices can mitigate the risks posed by this threat.

In addition, Trend Micro™ Security and Trend Micro Internet Security offer effective protection for this threat, with security features that can detect malware at the endpoint level. To protect IoT devices like home routers, security solutions like Trend Micro™ Home Network Security can check internet traffic between the router and all connected devices. Enterprises can use Trend Micro™ Deep Discovery™ Inspector which is a network appliance that monitors all ports and over 105 different network protocols to discover advanced threats and targeted attacks.

Trend Micro Smart Home Network™ customers are protected from this threat via these rules:

  • 1134267 TELNET Default Password Login -21
  • 1134268 TELNET Default Password Login -22
  • 1133148 MALWARE Suspicious IoT Worm TELNET Activity -1
  • 1133480 EXPLOIT Remote Command Execution via Shell Script -2
  • 1133796 TELNET Default Credential Login Attempt -1

Updated: November 29, 2017 10:58 AM

We changed admin/CentryL1nk to admin/CenturyL1nk to reflect the source’s correction of the typographical error.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Posted in Internet of Things