A Mirai-like botnet was behind the broadband outage affecting nearly one million customers of German carrier Deutsche Telekom, according to security company Kaspersky Lab.
Deutsche Telekom today revealed services to around 900,000 residential customers had been disrupted since Sunday afternoon, and confirmed it was the result of attempts to install malware on home routers rather than an attack on the carrier’s network itself.
Failed attempts to install the malware left customers unable to connect to the provider’s network, or with a degraded connection, affecting Internet, telephony and television services.
“Following the latest findings, routers of Deutsche Telekom customers were affected by an attack from outside. Our network was not affected at any time. The attack attempted to infect routers with malware but failed, which caused crashes or restrictions for four to five percent of all routers,” the firm said in an update on Monday after resolving the issue.
Germany’s Office of Information Security has come to the same conclusion, according to Deutsche Telekom.
Despite the seriousness of such a widespread disruption, restoring a router to service was relatively simple, requiring only that subscribers reboot the device by unplugging it and plugging it back into a power outlet.
Deutsche Telekom also began rolling out a firmware update for affected routers on Monday. It has also posted links to firmware updates for several of its Speedport-brand home router models, which are made by Deutsche Telekom’s subsidiary Congstar.
While Deutsche Telekom hasn’t identified what malware was used in the attack, Kaspersky Lab says it used technical reports from customers to piece together some details of the attacks. It says the malware is related to Mirai and appeared to be an effort to build up a botnet of hacked home routers.
Compromised home routers have been used by for-hire "stresser" DDoS services, such as the botnet used by Lizard Squad and other attackers.
Mirai code, which was recently published for anyone to use, has powered a string of powerful distributed denial of service (DDoS) attacks harnessing bandwidth from compromised DVRs and webcams. Variants of the malware played a role in the October attack on managed DNS provider Dyn, which blocked millions of users from accessing Spotify, Amazon, Twitter and other popular sites.
Kaspersky Lab researcher Stefan Ortloff said customers reported suspicious network traffic on TCP port 7457, which abused a remote management protocol. A reboot removed the infection because the Linux malware causing the suspicious traffic resides in the device’s memory rather than on its file system. Infected routers would scan the internet on that port seeking other devices to join the botnet.
“Since the malware is not able to write itself to the router’s persistent filesystem, the infection will not survive a reboot,” noted Ortloff.
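As an added illustration that is not from the article or from Kaspersky Lab, the following Python heuristic applies the behaviour Ortloff describes to constructed flow records: a subscriber address that fans out to many distinct hosts on the port named above within a short window is flagged as a scanner, while a single management session on that port is not. The flow format, thresholds and sample addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records, not real traffic: "timestamp src dst dport".
SAMPLE_FLOWS = """\
2016-11-27T14:00:01 203.0.113.10 198.51.100.1 7457
2016-11-27T14:00:02 203.0.113.10 198.51.100.2 7457
2016-11-27T14:00:03 203.0.113.10 198.51.100.3 7457
2016-11-27T14:00:04 203.0.113.10 198.51.100.4 7457
2016-11-27T14:00:05 203.0.113.10 198.51.100.5 7457
2016-11-27T14:00:06 203.0.113.10 198.51.100.6 7457
2016-11-27T14:00:10 203.0.113.20 198.51.100.9 7457
2016-11-27T14:00:40 203.0.113.20 198.51.100.9 7457
2016-11-27T14:01:00 203.0.113.30 198.51.100.1 443
2016-11-27T14:01:01 203.0.113.30 198.51.100.2 443
2016-11-27T14:01:02 203.0.113.30 198.51.100.3 443
2016-11-27T14:01:03 203.0.113.30 198.51.100.4 443
2016-11-27T14:01:04 203.0.113.30 198.51.100.5 443
"""

SCAN_PORT = 7457            # TCP port the article reports for the suspicious traffic
DISTINCT_DST_THRESHOLD = 5  # distinct targets per source in one window before flagging (assumed)
WINDOW_SECONDS = 60         # sliding window length (assumed tuning value)


def parse_flows(text):
    # Parse whitespace-separated flow lines into (datetime, src, dst, dport) tuples.
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_scanners(flows, port=SCAN_PORT, threshold=DISTINCT_DST_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: distinct_dst_count} for sources that contact at least `threshold`
    distinct hosts on `port` within any `window`-second span. A subscriber router
    fanning out like this is behaving as a scanner, not as a client."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {dst for ts, dst in events[i:] if (ts - t0).total_seconds() <= window}
            if len(seen) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(seen))
    return flagged
```

Run against the constructed records, only 203.0.113.10 is flagged (six distinct targets in five seconds); the repeated single-destination session from 203.0.113.20 and the port 443 traffic are left alone.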
Deutsche Telekom offered affected customers a free pass to use its mobile network while the issue was being resolved.