As you will all know by now, people all over the UK are experiencing either a complete loss of broadband or intermittent faults such as emails failing to send, websites not being found, and calls from friends or colleagues saying they are unable to email you (often suggesting this is your fault - don't be angry with them, this just means they are unaware the UK is under attack by the "Mirai" worm botnet and it is highly likely their router is infected).
Instead, share the following information with them and encourage them to check their own ISP's outage map at http://downdetector.co.uk - I guarantee their ISP will be showing faults nationwide... (because they ALL are).
So, everyone needs to relax a bit - there is nothing you, or anyone else, can do about these issues at this time - although I will share some information later in this article that may help you mitigate the issues you are experiencing for a while at least...
None of the problems you may be experiencing have anything to do with the servers at any of:
- Your Internet Service Provider
- Your Web Hosting Provider
- Your Email Service Provider
- Your Online Banking Provider
- Your favourite online store/s
- Or any other online service you recently had, or are now having, problems with.
The problems we are ALL experiencing are far, far closer to home - scarily so...
If you want to know why you are having issues - and why the symptoms vary so widely for us all...
Take a long, hard look at...
That is likely the culprit: it has more than likely been infected by a worm called "Mirai" during what has been, and still is, a massive botnet attack on the home/office routers of the UK's ISPs' customers.
According to some contacts and clients, BT are apparently in the process of remotely factory resetting and/or upgrading the software on customers' routers to get rid of the problem. Several contacts have reported theirs being reset remotely back to factory defaults today, so they had to go through the initial BT setup wizard just as they did when they first connected their routers. I can confirm that the CMS Wales office router was also remotely reset earlier today in the same manner. According to other contacts, TalkTalk are going to replace those routers they can't remotely reset and update with new ones (I have several clients using TalkTalk who have been told they will be getting new routers early next week).
Before I explain how Mirai works, it is interesting to note that the word "Mirai" is Japanese for "Future"...
THE ONGOING MIRAI WORM ATTACK EXPLAINED:
You will all have heard of the term "botnet":
"A botnet (also known as a zombie army) is a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet"
A botnet can be made up of thousands, or even tens of thousands, of compromised computers, laptops, tablets and phones - and due to its nature, if malware infects your computer to make it part of the botnet, any other device in your home/office network will also be infected and become part of the botnet.
Unfortunately a lot of people use laptops and move them between home and work - so they get infected at home and, blissfully unaware, take their machine to work and instantly infect all the computers on that network too - then everyone else at work using a laptop takes it home and infects their home network - and so it spreads...
What's the Point?
A botnet is VERY valuable to the person or persons that control it - this gives them a "zombie army" willing to do anything they tell it to do, whenever they tell it to - which might include:
- Make all machines in the botnet visit the same URL at the same time, such as Amazon.com for example - this is called a DDoS (Distributed Denial of Service) attack aimed at overwhelming a server with the intention of trying to break into it during its reboot process after being crashed by the botnet.
- Run a DDoS attack against a bank or financial institution with the aim of bringing it down or stealing funds.
- Run attacks against online stores or social networks with the intention of stealing user details
- Run attacks on any device it can connect to in order to spread itself and enlarge the "zombie army"
- Use the botnet to distribute a particular malware either worldwide or at a specific target.
the list goes on...
The whole idea, from the bot-master's point of view, is this: he knows that if he launched thousands of attacks from just his own IP address at any data centre server, the security there would lock him out in microseconds and his attempt would fail, but...
If he uses a botnet to do the same thing, the traffic to the server does not come from a single IP - instead it comes from the tens of thousands of IPs allocated to all the computers and devices in his botnet - hence it looks more like legitimate traffic and so hides the location of the bot-master/s.
But the sheer power of a massive herd of computers under a bot-master's control is what makes botnets so "valuable" to criminals - they can hire the botnet by the hour or by the day, to attack whoever they wish - and this is what is happening right now with the Mirai attack on the UK...
So where does "Mirai" come into this?
Mirai is a piece of malware - but unlike many other malware creations, this one is not aimed at servers...
Instead it is aimed at IoT devices...
What is IoT?
It stands for the "Internet of Things" -
"Simply put, this is the concept of basically connecting any device with an on and off switch to the Internet (and/or to each other). This includes everything from cellphones, coffee makers, washing machines, headphones, lamps, wearable devices and almost anything else you can think of. This also applies to components of machines, for example a jet engine of an airplane or the drill of an oil rig. As I mentioned, if it has an on and off switch then chances are it can be a part of the IoT. The analyst firm Gartner says that by 2020 there will be over 26 billion connected devices... That’s a lot of connections (some even estimate this number to be much higher, over 100 billion). The IoT is a giant network of connected “things” (which also includes people). The relationship will be between people-people, people-things, and things-things."
Mirai is attacking several different types of IoT devices, in particular hubs/routers (home and office), Ethernet switches (common in offices and "smart homes"), smart TVs, CCTV devices, games consoles, and who knows what else...
So what does Mirai Do?
The creators of Mirai have the default port numbers and admin passwords for almost every type of router that uses certain chipsets, so the current attack uses the vast botnet (zombie army) to force each computer in the botnet to scan the network it is connected to for its router; when it finds the router it will then try every entry point it knows of until it gets into the router. Once in, it installs the Mirai malware on the router and closes off some of the ports that your ISP might use to try and shut it down. (Interestingly, it will also kill any competing botnet malware it finds, in order to maximise the potential of the Mirai botnet.)
Like most malware in this category, Mirai is built for two core purposes:
- Locate and compromise IoT devices (such as routers) to further grow the botnet.
- Launch DDoS attacks based on instructions received from a remote Command and Control (C&C) centre (i.e. the control server/s that the hackers, or the people they have hired the botnet out to, are using to control the botnet).
To fulfill its recruitment function, Mirai performs wide-ranging scans of IP addresses. The purpose of these scans is to locate under-secured IoT devices that could be remotely accessed via easily guessable login credentials—usually factory default usernames and passwords (e.g., admin/admin).
So once in your router it will scan your home/office network for devices it can also control, and take them over.
If any of these devices are "movable" - such as laptops, then it will spread into any other network you connect to and so can spread at an alarming rate.
And this, of course is why we are all experiencing problems...
You may be online ok, you may have just sent a few emails ok and surfed a few sites ok, then all of a sudden you get an error - with email or with web pages...
This is NOT because there is any problem with your email provider, or with the hosts of the website you suddenly can't see - it is actually because the Mirai worm in your router was busy working for its commander and taking part in a DDoS attack on some other network, so it basically "ignored" you for a while... and it only takes a micro-second drop in your router listening for YOUR commands for your email or web surfing to fail, because the router was too busy to do the DNS lookup needed to route your email or web page request.
This is why we are all being affected in one way or another...
Your router may not be infected by Mirai - it may be one that is not vulnerable to Mirai - but even so, while you are online it will be getting attacked by Mirai frequently, and during the attack your router may lose connection briefly (i.e. the router is momentarily too busy defending itself to look up that website address or send that email for you) - making the symptoms of your network being attacked rather similar to the symptoms of your network being the attacker...
Hence - it affects us ALL at some point.
ISPs are obviously aware of what is going on - they cannot ignore it since TalkTalk went public with the fact that all their users' routers had been hacked by Mirai; they were quickly followed by the Post Office and KCOM, who also admitted their users' routers had been hacked by Mirai...
Over the next few days the bigger ISPs are sure to go public - but not before they have things back under control, otherwise they know their share prices would suffer... (putting shareholders' interests before the safety of customers is pretty much the norm in big business these days, sadly).
So - now you know - whether your router is infected or not, you will be affected by this attack, even if only in some small way such as someone else not being able to email you because their router was too busy DDoS'ing for its new masters at the time they sent the message...
Any email you send, any web page you request, has to go through dozens of routers to get to you. If you send the same email to the same person over and over again, each one can take a different route from the last - and if any one router on the route is infected, or too busy defending itself, then your email or your web search can fail.
Here are a few links direct to the outage maps of the most common UK ISPs and email providers (even Gmail is suffering).
Check yours now:
- BT: http://downdetector.co.uk/problems/bt-british-telecom/map/
- TalkTalk: http://downdetector.co.uk/problems/talktalk/map/
- Sky: http://downdetector.co.uk/problems/sky/map/
- Yahoo Mail: http://downdetector.co.uk/problems/yahoo-mail/map/
- EE: http://downdetector.co.uk/problems/ee-everything-everywhere/map/
- 3: http://downdetector.co.uk/problems/3/map/
- Post Office: http://downdetector.co.uk/problems/post-office/map/
- Outlook.com: http://downdetector.co.uk/problems/outlook/map/
- PlusNet: http://downdetector.co.uk/problems/plusnet/map/
- O2: http://downdetector.co.uk/problems/o2/map/
- GMail: http://downdetector.co.uk/problems/gmail/map/
- T-Mobile: http://downdetector.co.uk/problems/t-mobile/map/
- iCloud: http://downdetector.co.uk/problems/icloud/map/
- AOL: http://downdetector.co.uk/problems/aol-broadband/map/
Try opening ALL of the above links - you will see their outage maps all match up almost exactly, i.e. the "hot spots" on the maps (basically "not-spots" now) all align... Coincidence? No! The maps show the concentration of user complaints, and those complaints are coming from people using now-infected routers, because a Mirai-infected router can either take you offline completely or just show intermittent faults when sending email or visiting a website. So those are the people complaining, and most of their ISPs are giving them NO helpful information, which is why I decided I had better try to keep all my clients informed during this nationwide internet chaos - hence gathering the information I have used for this blog post.
From Russia with Love?
It’s worth noting that the Mirai code holds traces of Russian-language strings despite its English C&C interface. Here, for instance, Russian is used to describe the “username” and “password” login fields:
// Get username
this.conn.SetDeadline(time.Now().Add(60 * time.Second))
this.conn.Write([]byte("\033[34;1mпользователь\033[33;3m: \033[0m")) // prompt text is "пользователь" (Russian for "user")
// Get password
this.conn.SetDeadline(time.Now().Add(60 * time.Second))
this.conn.Write([]byte("\033[34;1mпароль\033[33;3m: \033[0m")) // prompt text is "пароль" (Russian for "password")
This opens the door for speculation about the code’s origin, serving as a clue that Mirai was developed by Russian hackers or, at least, a group of hackers, some of whom were of Russian origin.
Other bits of code, which contain Rick Roll jokes next to Russian strings saying “я люблю куриные наггетсы” (which translates to “I love chicken nuggets”), provide yet more evidence of the Russian heritage of the code authors, as well as their age demographic.
(Author's note: having a few Russian strings inserted into its code does NOT mean Mirai is of Russian origin - that could simply be an attempt by the hackers controlling Mirai to place the blame elsewhere, which is far more likely than a scenario where hackers would deliberately give such obvious clues to their own country of origin - but only time will tell.)
What Can You Do to Prevent the IoT Botnet from Spreading?
While DDoS attacks from Mirai botnets can be mitigated, there’s no way to avoid being targeted. However, as a device owner, there are things you can do to make the digital space safer for your fellow Internet citizens:
- Stop using default/generic passwords on your hub/router.
- Disable all remote (WAN) access to your devices. To verify that your device is not open to remote access, you can use this tool to scan the following ports: SSH (22), Telnet (23) and HTTP/HTTPS (80/443).
Those 3 ports, 22, 23 and 80, should NOT be open...!
With over a quarter billion CCTV cameras around the world alone, as well as the continued growth of other IoT devices, basic security practices like these should become the new norm for home and office users. Make no mistake; Mirai is neither the first nor the last malware to take advantage of lackluster security practices on home and office routers and other IoT devices.
Meanwhile, don't try to blame anyone for the problems you may be having - this is nationwide so there is no one to blame, and if people call you and try to blame you for their not being able to email you, calm them down and point them to the links above or send them to this page.
PS - We may never find out WHO hired the botnet to try to infect the routers in every home and office in the UK... which is patently the intention of the Mirai Botnet operator/s...
But, and I am not making any allegations here - it does seem a coincidence that this started as soon as our beloved UK government announced their new Snooper's Charter a few days ago... giving themselves the power to directly snoop on everything we do online...
Now, I am not saying our beloved government would even think of such a thing, bless their little cotton socks and their bags full of our money - and that it is surely just an amazing coincidence that, since the best way to ensure you could snoop on everyone's web habits, would be... well... would actually be to install "extra" software on all their routers... this is what has actually happened...
No, surely that could not be true...?
Can't be true because the BBC haven't said so... and we pay the BBC to tell us the truth...
Anyway good luck to you all, and let's hope the main players amongst the UK ISPs pull together soon to combat this attack.
Ironically, the Mirai Worm could not survive at all if we all switched off every router at the same time then forcibly reset them to factory settings (and changed the admin passwords immediately afterwards) - but this is not likely to happen because no one wants to disconnect themselves from the internet for even a moment these days...
But a nationwide powercut would do it...
Followed immediately by all ISPs, the moment the power came back on, forcibly factory resetting all their customers' routers and changing the default passwords...
We cannot expect things to return to normal until the UK shows up in green on this map:
Within 2 minutes of auto-publishing this article out to Twitter our website was hit by attempted DoS attacks from:
- Germany (Hetzner Online GmbH) - IP: 184.108.40.206
- America / Boardman (Amazon Web Services) - IPs: 220.127.116.11 & 18.104.22.168