
Mirai and Network Attack

Gazzl80
Tuning in

We have had 2 emails. The first saying we had something attached to our network infected with Mirai. I called in to VM and they couldn't tell me what time the attack was logged. It may have been my Dlink camera that has gone unsupported, and I have later found that Dlink had a flaw. So that camera has gone in the bin. Problem sorted? Perhaps not.

2nd email saying "a device using your internet connection may be infected with malware. We've been informed by a third party (not sure who that is!) that malicious traffic has been detected coming from a device using your internet connection. We don't know which device this is" it goes on to say "we need to let you know that if you don't get it fixed, to protect others, we may need to suspend or cancel your services in line with our acceptable use policy"

I have scanned our devices with Malware bytes, and it has found nothing. 

I have updated software.

Could it be our CCTV system causing a false positive?

I phoned in after the first letter and got zero help.


Kath_F
Forum Team

Hi Gazzl80, 

Thanks for taking the time to contact us via the Community. It's lovely having you on board with us in the Forums.

We're sorry to hear you've not had much help when raising your concerns previously. Whilst we wouldn't be able to tell you which device specifically it is, Mirai is a form of malware that targets Internet-connected appliances that are connected to your network. These include CCTV systems, smart TVs, smart plugs, NAS (Network Attached Storage) drives and other so-called ‘Internet of Things’ devices.
The Mirai malware targets devices that use the Telnet remote access protocol and still use the default username and password set by its manufacturer. These default credentials are often widely available on the Internet, which can allow third parties to remotely access the device and install malware on it.

We would 100% recommend following all the advice in the notification you've had to ensure you're protecting yourself, and you can find more helpful information on this here.

Thanks, 

Kath_F
Forum Team



Gazzl80
Tuning in

Hi,

You may not be able to tell me the device but you can tell me the IP address it came from on my network. It is worth noting that we have over 50 always-on IoT devices. These range from plugs, smart speakers, lights, Ring equipment etc

How would I clear a Smart TV? A CCTV system that doesn't even run on Windows? A smart plug that didn't have a password, just a pairing mode? A smart light? etc. etc. etc. When you have 50-odd always-on devices you can start to see my problem.

I have no idea which plug or light has been hacked or how to clear the plugs, IoT of malware. As it turns out we did have an old D-Link 5030L camera. I have read an article saying that because it is an old camera and is unsupported it could well be the malware attack. But with no-one at VM willing to tell me what IP on my network it is coming from we are in the dark.

It is unfair to then send a letter saying that our connection may be disconnected. This is not something anyone has done purposefully. 

Last few questions. VM say they were "informed by a third party". Who is the third party? Are they trustworthy enough? Can we know who it is please?

Many thanks for you reply 🙂 have a good week.


Regards,

We understand this is very frustrating and we are sorry for this.

All we can really advise is to follow the guidance and instructions in the letter.

The letter should guide you for anything you need.

Matt - Forum Team



ravenstar68
Very Insightful Person

@Gazzl80 

With regards to your statement:

You may not be able to tell me the device but you can tell me the IP address it came from on my network.

The statement above may seem common sense, but sadly home networking isn't like that. Your internal IP addresses are shielded from the outside world by NAT (Network Address Translation), so all anyone outside your home network sees is your public Virgin Media IP address (NAT was intended to preserve IP addresses, and its effect on making security harder because of this was discussed in the RFCs).

With regard to third parties, there are a number of non-profit organisations working on the web to bring vulnerabilities such as this to ISPs' attention. One example is Shadowserver, who I have dealt with personally after they detected a device on my network that left mDNS vulnerable to the outside world.

One technique I've used with people to detect devices being used to send spam to the outside world could be adapted to look for activity from Mirai.

https://community.virginmedia.com/t5/Security-matters/Searching-for-Spambots-on-your-network/td-p/40...

By using the above method but changing the port number to 23 instead of 25, it should be possible to pick up the traffic. It does rely on you having a Windows device with an up-to-date wifi card that can be used as a temporary hotspot to connect up to 4 devices at a time, and it does require patience.

Note that the device on your network itself might not be infected with Mirai, but could be used as a conduit to send traffic through. In either event, you need to work to put a stop to it.

I will also add that I have seen devices such as Amazon Firesticks, which have been side-loaded with third-party software, being used as conduits for spam traffic. Once the device is found, a factory reset should do the trick.

ravenstar68

westindieman
On our wavelength

I had this issue back in 2022-2023 and had several letters. I was wondering whether it was one of the wifi security cameras I was using; I also was using 2 of the cheap Android TV boxes that originate from China. Around that time one of the boxes started acting strangely so I stopped using it. I also stopped receiving the letters. I later saw YouTube videos and read about malware built into the firmware in China on a lot of these boxes (mine was a Rockchip box, which is one of the companies listed to have done this). I have just revisited the box and flashed a new firmware; while I was flashing the firmware I read that it's unlikely there is any clean firmware for these boxes, so I have disconnected it, possibly for the last time. I presume my other box (a different make) is OK as I haven't been receiving any more messages (or did Virgin just get tired of writing to me about the Mirai?).

Major_Snags
Joining in

I have also had this email and the advice given did not highlight any issues.

I have, however, managed to identify and rectify what I think was the problem using the following steps:

  • Run Sniffnet sniffnet(dot)net: This identified a lot of Telnet traffic from an address on my network to random IP addresses. The IP address listed was not on my list of connected devices, but by interrogating the traffic on Sniffnet I was able to get the MAC address of the offending device, which actually referred to a completely different IP address.
  • The offending device was my D-Link ShareCenter which, if you Google D-Link and Mirai, will give lots of results stating that hackers are now using a backdoor into old D-Link devices to run DDoS botnets. The only advice given was to remove any old D-Link devices from the network, with no workaround to remedy the problem, so it looks like I'll be forking out for a new NFS.

Hopefully this may help a few people as the advice given by Virgin does not identify or resolve the issue and merely states that they may terminate your service if you don't get it sorted.
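For anyone who wants to do what ravenstar68 and Major_Snags describe without a GUI sniffer, here is an added example (not code from either poster, nor from Virgin Media or Sniffnet) that reads a packet capture and reports which device is opening Telnet (TCP port 23) connections to hosts outside the LAN. It keys the report on the sending MAC address rather than the IP, for exactly the reason Major_Snags hit: the IP seen in the traffic did not match the router's client list, but the MAC did. It assumes a legacy-format pcap with an Ethernet link type, such as one saved from a hotspot or mirror-port capture; the threshold of 5 distinct targets, the MAC addresses, the private LAN ranges treated as "inside", and all sample packets are constructed for the illustration (the 203.0.113.x and 198.51.100.x addresses are documentation ranges standing in for Internet hosts).

```python
"""Flag LAN devices that open Telnet (TCP/23) sessions to many outside hosts.

Added example, not code from this thread. Reads a legacy pcap (Ethernet link
type) such as one saved from a hotspot or mirror-port capture, and keys the
report on the sending MAC, since a device's IP may differ from the router's
client list. Threshold, addresses and MACs below are constructed.
"""
import ipaddress
import struct
from collections import defaultdict

TELNET_PORT = 23
SYN, ACK = 0x02, 0x10
# Only these LAN ranges are excluded as destinations; anything else is "outside".
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]


def _is_lan(addr):
    return any(addr in net for net in LAN_NETS)


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def outbound_telnet_syns(pcap_bytes):
    """Yield (src_mac, src_ip, dst_ip) for every TCP SYN (not SYN-ACK) to
    port 23 whose destination lies outside the LAN."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a legacy pcap file")
    if struct.unpack(end + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are supported")
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not an IPv4 frame
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 14:
            continue                      # not TCP, or TCP header truncated
        tcp = ip[ihl:]
        dport = struct.unpack("!H", tcp[2:4])[0]
        if dport != TELNET_PORT or tcp[13] & (SYN | ACK) != SYN:
            continue                      # keep only new connections to port 23
        dst = ipaddress.ip_address(ip[16:20])
        if _is_lan(dst):
            continue                      # local admin sessions are not the concern
        yield _mac(frame[6:12]), str(ipaddress.ip_address(ip[12:16])), str(dst)


def suspicious_devices(pcap_bytes, min_targets=5):
    """Per source MAC: source IPs seen, distinct Telnet targets and SYN count;
    returns only MACs that reached at least min_targets distinct hosts."""
    per_mac = defaultdict(lambda: {"src_ips": set(), "targets": set(), "syns": 0})
    for mac, src_ip, dst_ip in outbound_telnet_syns(pcap_bytes):
        entry = per_mac[mac]
        entry["src_ips"].add(src_ip)
        entry["targets"].add(dst_ip)
        entry["syns"] += 1
    return {m: e for m, e in per_mac.items() if len(e["targets"]) >= min_targets}


# --- constructed sample capture (no real device or network data) ------------
def _frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags=SYN):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + b"\x08\x00" + ip + tcp


def build_sample_pcap():
    """A NAS spraying Telnet SYNs at eight outside hosts from two different IPs,
    plus a laptop's HTTPS SYN, a LAN-only Telnet SYN, and one SYN-ACK reply."""
    router, nas, laptop = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"
    frames = [_frame(nas, router, f"192.168.0.{42 if i <= 4 else 57}",
                     f"203.0.113.{i}", 40000 + i, 23) for i in range(1, 9)]
    frames.append(_frame(laptop, router, "192.168.0.10", "198.51.100.7", 50000, 443))
    frames.append(_frame(laptop, router, "192.168.0.10", "192.168.0.1", 50001, 23))
    frames.append(_frame(router, laptop, "198.51.100.7", "192.168.0.10", 443, 50000, SYN | ACK))
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + n, 0, len(f), len(f)) + f
    return bytes(out)


if __name__ == "__main__":
    for mac, e in suspicious_devices(build_sample_pcap()).items():
        print(f"{mac}: {e['syns']} Telnet SYNs to {len(e['targets'])} hosts, "
              f"seen as {sorted(e['src_ips'])}")
```

On the sample capture the only MAC reported is the NAS, even though its packets carry two different source IPs; that is the same situation Major_Snags describes, and it is why the MAC is the value to look up against the router's client list (or a device's label) rather than the IP. A laptop's one-off Telnet session to the router at 192.168.0.1 is deliberately ignored, because the signal the ISP and Shadowserver-type reporters react to is port 23 traffic leaving the home network to many hosts, not local administration. To use it on a real file, replace `build_sample_pcap()` with the bytes of your own capture; a device that shows up with dozens of distinct outside targets is the one to isolate, factory-reset or, as with the unsupported D-Link units in this thread, retire.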