The hacker attack that has paralyzed hundreds of thousands of routers in the Telekom network since Sunday was probably a failure. Apparently, the outages were caused only by a programming error in the malicious software that was supposed to be planted on the devices. Rather than simply implanting itself on the devices, as was apparently intended, the malicious software crashed or caused software problems on the affected routers. For the affected Telekom customers that was annoying, because their network access suddenly slowed down or failed for no apparent reason.
The alternative, however, could have been worse. Had the attack succeeded, it would have put almost a million routers under the attackers' control at a stroke. That would have been enough, in any case, to build a powerful botnet, which in turn could have been used for attacks on the Internet.
According to Telekom, the following three router models are affected:
- Speedport W 921V
- Speedport W 723V type B
- Speedport W 921 Fiber
The devices are manufactured for Telekom by the Taiwanese router manufacturer Arcadyan. The company also produces Internet routers for other German and international providers. Apparently, all three models have in common that their remote maintenance function was protected by a default password.
Attack on port 7547
This is exactly what the attackers appear to have tried to exploit. They search the Internet specifically for routers on which the so-called remote maintenance port 7547 is reachable. Normally, this virtual connection is used, for example, by Internet service providers to configure their customers' routers remotely. According to the Internet Storm Center, the specialized search engine Shodan finds around 41 million devices on the network on which port 7547 is open.
Among these millions of devices are the three Telekom router models in question, and not just since yesterday. A Telekom customer had already pointed out the weak point in the Telekom forum in 2014, described it as a "relevant vulnerability" and asked for the gap to be closed with an update.
The IT security company Kaspersky Lab reports that the attack on the Telekom routers shows the typical characteristics that point to the Mirai botnet. Botnets are used, for example, to overload websites with a large number of simultaneous requests to the server and thereby knock them off the network. The technical term is Distributed Denial of Service, DDoS.
Traditionally, such botnets are assembled from computers that criminals have infected with malicious software that allows the computer to be controlled remotely. The Mirai botnet, however, is not assembled from traditional PCs but from devices that belong to the Internet of Things. These can be control units, surveillance cameras, baby monitors, networked lights or routers.
In the weekend attack, the malicious software that Mirai injected into the Telekom routers was copied into RAM, and then the executable file, its own program code so to speak, was deleted from storage, according to Kaspersky Lab. This was presumably done to cover its tracks.
That's why a restart helps
This behavior can also explain why the routers initially worked again once they were briefly disconnected from the power supply and their memory was cleared. Because the attack continued in the meantime, however, many devices are likely to have been infected again.
Once the malware was active in memory, it closed port 7547, through which it had gained entry, and then searched the network for other devices on which this port was open. When the search was successful, it copied the malicious software to the new device. Somewhere in this process there appears to have been a programming problem. Instead of waiting in the background for new commands, the malware apparently blocked router functions, which led to the failure of the network connection or at least slowed it down.
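The spreading step described above leaves a recognizable pattern in network flow data: a router is contacted on port 7547 from outside and afterwards contacts port 7547 on many outside addresses itself. The following detection sketch is an added example, not part of the original article and not code from Telekom or Kaspersky Lab; the record format, the address ranges, the function names and the fan-out threshold are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

MAINT_PORT = 7547                                  # remote maintenance port from the article
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed range of customer routers

# Constructed flow records: "<seconds> <source> <destination> <destination port>"
SAMPLE_FLOWS = """\
100 203.0.113.7 192.0.2.10 7547
105 192.0.2.10 198.51.100.1 7547
106 192.0.2.10 198.51.100.2 7547
107 192.0.2.10 198.51.100.3 7547
110 203.0.113.7 192.0.2.11 7547
120 192.0.2.11 198.51.100.9 443
130 192.0.2.12 198.51.100.1 7547
truncated record
"""

def parse(text):
    """Yield (time, src, dst, port) for well-formed records and skip the rest."""
    for line in text.splitlines():
        try:
            t, src, dst, port = line.split()
            yield int(t), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
        except ValueError:   # wrong field count or unparsable value
            continue

def classify(text, fanout=3):
    """Return {router: 'probed' | 'scanning' | 'likely-infected'} for local routers."""
    inbound = {}                 # router -> time of first inbound contact on 7547
    probes = defaultdict(dict)   # router -> {outside host: time first probed on 7547}
    for t, src, dst, port in parse(text):
        if port != MAINT_PORT:
            continue
        if dst in LOCAL_NET and src not in LOCAL_NET:
            inbound[dst] = min(t, inbound.get(dst, t))
        elif src in LOCAL_NET and dst not in LOCAL_NET:
            probes[src][dst] = min(t, probes[src].get(dst, t))
    verdicts = {}
    for router in set(inbound) | set(probes):
        seen = probes.get(router, {})
        if len(seen) >= fanout:
            # Fan-out that begins after an inbound contact matches the described spread.
            after = router in inbound and inbound[router] <= min(seen.values())
            verdicts[str(router)] = "likely-infected" if after else "scanning"
        elif router in inbound:
            verdicts[str(router)] = "probed"
    return verdicts

if __name__ == "__main__":
    print(classify(SAMPLE_FLOWS))
```

A router reported only as "probed" received traffic on the port but shows no spreading behavior, which is the state a patched or freshly restarted device would be in.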
Telekom is providing an update for the routers that is meant to prevent the malicious software from implanting itself and spreading further in the way described. Telekom provides instructions on its help pages for having the update installed automatically or for installing it manually. Telekom customers who use one of the routers listed above should install it immediately.