nmparmar
Message 1 of 4

Virgin Media Alert: Your device may have a virus - IoT Mirai

So today I received an email from Virginmedia stating the below.

"On 07 December 2016, [one of these organisations] detected that iotmirai, a piece of malware, was present on a device using your internet connection."

I could paste the rest of the email but it's just a template with the usual blurb about scanning my PCs etc.

Anyway, I'm reasonably tech savvy so looked into this further. The particular malware they identified, "Mirai", is known to attack CCTV DVRs using telnet and RTSP and known default usernames / passwords, which are generally not manageable (i.e. not possible to change). I am running an older (3 years old) CCTV DVR, but this is internal to the router. Initial scans using GRC suggest no unexpected open ports on my firewall. However, Shodan.io lists my IP address and ports 37777 and 554 are published online. Great! Anyway, device disconnected and quarantined to investigate further, but the thing that's really confusing me is that surely neither of these ports should be accessible from the internet, right? I mean I have a VPN service running so only a single port is forwarded for that service and I only ever access any internal resources over that VPN. So the question remains, how on earth are these resources ever accessible from the net to have been scanned through Shodan?

The only thing that I can think of is the last and most recent change to my home setup, the new Virginmedia Superhub. I've recently been 'upgraded' to the Superhub 3.0 and experienced the pain of that 'upgrade'. In all the time I had the 2ac prior to this, I've had no such issues. I'm wondering if the firewall on the Superhub 3.0 is lacking or perhaps not 'fit for purpose', or am I missing something obvious?

Any thoughts or comments welcome.

nmparmar
Message 2 of 4

Re: Virgin Media Alert: Your device may have a virus - IoT Mirai

Following up on this, I've reached the conclusion that the likely cause is down to UPnP, which I did not disable on the new router. Strangely though, I've never previously seen the DVR register itself via UPnP on the older routers, including the BT Home Hub, nor the earlier Superhub 2ac. I haven't tested this yet, but will try and go from there. Any other thoughts or suggestions most welcome.
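Added example (not code from nmparmar's post or from Virgin Media): a small audit script that asks the router, over the standard UPnP IGD protocol, which port mappings it has accepted, so you can confirm whether a LAN device such as the DVR has registered its own forwards. The SSDP discovery, the WANIPConnection `GetGenericPortMappingEntry` action and its reply fields are the published UPnP IGD v1 interface; the DVR address 192.168.0.50, the watched port list and the sample SOAP reply are constructed values for illustration.

```python
"""Enumerate the port mappings a UPnP-capable router (IGD) has accepted.

Constructed example for auditing your own LAN; 192.168.0.50 and the
sample SOAP reply below are made-up values, not taken from the thread.
"""
import re
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin
from xml.etree import ElementTree as ET

SSDP_ADDR = ("239.255.255.250", 1900)
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Fields of a GetGenericPortMappingEntry response (UPnP IGD WANIPConnection:1)
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")
# Services the thread is concerned about: SSH, telnet, HTTP, RTSP, DVR port 37777
WATCH_PORTS = {"22", "23", "80", "554", "37777"}


def _local(tag):
    """Strip an XML namespace prefix: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def discover_igd(timeout=2.0):
    """Send one SSDP M-SEARCH; return the LOCATION URL of the first gateway that replies."""
    msg = ("M-SEARCH * HTTP/1.1\r\n"
           f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
           'MAN: "ssdp:discover"\r\n'
           "MX: 2\r\n"
           f"ST: {WANIP}\r\n\r\n").encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, SSDP_ADDR)
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    m = re.search(rb"(?im)^LOCATION:\s*(\S+)", data)
    return m.group(1).decode() if m else None


def control_url(location):
    """Fetch the device description and return the WANIPConnection controlURL."""
    with urllib.request.urlopen(location, timeout=5) as r:
        root = ET.fromstring(r.read())
    for svc in root.iter():
        if _local(svc.tag) != "service":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in svc}
        if fields.get("serviceType") == WANIP:
            return urljoin(location, fields["controlURL"])
    return None


def parse_mapping(xml_bytes):
    """Parse a GetGenericPortMappingEntry SOAP reply into a dict, or None if it is not one."""
    root = ET.fromstring(xml_bytes)
    out = {_local(el.tag): (el.text or "").strip()
           for el in root.iter() if _local(el.tag) in FIELDS}
    return out if "NewExternalPort" in out else None


def get_mapping(ctrl, index):
    """Ask the gateway for mapping table entry `index`; None once the table is exhausted."""
    body = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>').encode()
    req = urllib.request.Request(ctrl, data=body, headers={
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{WANIP}#GetGenericPortMappingEntry"'})
    try:
        with urllib.request.urlopen(req, timeout=5) as r:
            return parse_mapping(r.read())
    except urllib.error.HTTPError:
        # Gateways answer HTTP 500 / UPnP error 713 when the index is past the end
        return None


def flag_exposed(mappings, watch=WATCH_PORTS):
    """Return mappings that forward to one of the watched internal ports."""
    return [m for m in mappings if m.get("NewInternalPort") in watch]


# Constructed sample reply, as a gateway would return it for one DVR mapping
SAMPLE_RESPONSE = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>37777</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>37777</NewInternalPort>
<NewInternalClient>192.168.0.50</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>DVR</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

if __name__ == "__main__":
    loc = discover_igd()
    ctrl = control_url(loc) if loc else None
    if not ctrl:
        raise SystemExit("no UPnP gateway answered (UPnP may already be off)")
    table, i = [], 0
    while (m := get_mapping(ctrl, i)) is not None:
        table.append(m)
        i += 1
    for m in table:
        print(f"{m['NewProtocol']} {m['NewExternalPort']} -> "
              f"{m['NewInternalClient']}:{m['NewInternalPort']} ({m['NewPortMappingDescription']})")
    print("mappings reaching watched ports:", len(flag_exposed(table)))
```

Run it from a machine on the same LAN as the router. Any entry it prints is a hole the router opened on a device's request rather than one you configured; if the DVR appears there, disabling UPnP on the router (or on the DVR) and re-checking with an external scan is the fix, and an empty table after disabling UPnP confirms the router is no longer accepting such requests.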
ollywolf
Message 3 of 4
Re: Virgin Media Alert: Your device may have a virus - IoT Mirai

I believe I have the same issue as this; I believe it's to do with the CCTV DVR. Does anyone know how to remove it...?

Thanks in advance.

Mathew.

nmparmar
Message 4 of 4
Helpful Answer

Re: Virgin Media Alert: Your device may have a virus - IoT Mirai

Hey Matthew,

Did you get the same email from Virgin?

If it's the original Mirai, it should be possible to just restart your DVR and that should clear the malware. This was only memory resident and couldn't install itself anywhere.

The way I checked that the malware was gone post-reboot was using telnet. The original Mirai malware would shut down processes running SSH, Telnet and HTTP whilst running. Before you restart the DVR, use an SSH / Telnet client and attempt to connect to the DVR on SSH, Telnet etc., whichever process normally runs on your DVR. With Mirai running, your connection should time out. If you then restart the DVR, you should be able to test that the malware is gone by confirming that the DVR does accept your Telnet connection.

If you've done this, and the malware is gone, you should change the passwords on all accounts on the DVR immediately, otherwise it's only a matter of hours before you will be infected again, especially if your DVR is accessible from the internet.

Since the source code for Mirai was published on the 'net, it's possible there are versions that are variations on the original and behave differently. In my case I found that besides having a Mirai variant running, it had removed various bespoke user accounts created on the DVR and changed the passwords on others that remained. I could only recover by reflashing the firmware.

I also found an internet tool to scan your local network for evidence of the Mirai malware. I found this once I had cleared the malware so haven't used it, but would be interested to know how you find it. Check out the Incapsula Mirai Scanner below:

https://www.incapsula.com/mirai-scanner/

Also worth checking out the BullGuard IoT scanner at

http://iotscanner.bullguard.com

This will also search Shodan.io to check if your devices are published as vulnerable to the broader 'hacker' community.

I also used an old favourite, Shields Up! from GRC.com, to check the firewall on my router for any unexpectedly open ports.

https://www.grc.com/shieldsup

It's possible there are other variations to the original version that behave differently but this has worked for me.

Anyway, hope this helps.
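Added example (not code from nmparmar's post): the before/after connection test described above, written as a script rather than done by hand with a telnet client. It probes the DVR's management ports from the LAN, records whether each connection is accepted, refused or times out, and classifies each service after the reboot as restored, lost or unchanged. The DVR address 192.168.0.50 and the port list are constructed assumptions; `local_demo()` runs the same probe against a loopback listener so the classification can be checked without a DVR.

```python
"""Check whether a LAN device still answers on its management ports.

Constructed example: 192.168.0.50 is a made-up DVR address; adjust PORTS to
whatever your DVR normally exposes (the thread mentions SSH, telnet and HTTP).
"""
import socket
import threading

DVR_HOST = "192.168.0.50"          # assumption: your DVR's LAN address
PORTS = {"ssh": 22, "telnet": 23, "http": 80}


def probe(host, port, timeout=3.0):
    """Open a TCP connection and read any banner.

    Returns (status, banner) where status is 'open', 'timeout', 'refused' or 'error'.
    A management service that normally answers but now times out is the symptom
    the post describes while the process-killing malware is resident."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(128)
            except socket.timeout:
                banner = b""            # connected, but the service sent nothing
            return ("open", banner.decode("latin-1", "replace").strip())
    except socket.timeout:
        return ("timeout", "")
    except ConnectionRefusedError:
        return ("refused", "")
    except OSError as exc:
        return ("error", str(exc))


def check_services(host, ports=PORTS, timeout=3.0):
    """Probe every named service once; run before and after the reboot."""
    return {name: probe(host, port, timeout) for name, port in ports.items()}


def compare(before, after):
    """Classify each service: 'restored' (was not open, now is), 'lost', or 'unchanged'."""
    verdict = {}
    for name in before:
        was_open = before[name][0] == "open"
        is_open = after.get(name, ("missing", ""))[0] == "open"
        verdict[name] = ("restored" if is_open and not was_open
                         else "lost" if was_open and not is_open
                         else "unchanged")
    return verdict


def local_demo():
    """Exercise probe() against a loopback listener that sends a constructed banner,
    and against a port nothing listens on, so the classification can be checked offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"DVR telnet service (constructed banner)\r\n")
        conn.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    listening = probe("127.0.0.1", port)
    t.join()
    srv.close()
    tmp = socket.socket()               # grab and release an ephemeral port: now closed
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    return {"listening": listening, "closed": probe("127.0.0.1", closed_port)}


if __name__ == "__main__":
    before = check_services(DVR_HOST)
    input("Now power-cycle the DVR, then press Enter...")
    after = check_services(DVR_HOST)
    for name, state in compare(before, after).items():
        print(f"{name:7s} {before[name][0]:8s} -> {after[name][0]:8s} {state}")
```

A service that goes from timeout to open across the reboot matches the memory-resident behaviour the post describes; a service that stays down after the reboot points at the firmware-level damage mentioned for the variant (removed accounts, changed passwords), where reflashing was the only recovery. Either way the password change and the UPnP/external exposure check still apply.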