
Mirai and Network Attack

Gazzl80
Tuning in

We have had 2 emails. The first saying we had something attached to our network infected with Mirai. I called in to VM and they couldn't tell me what time the attack was logged. It may have been my Dlink camera that has gone unsupported, and I have later found that Dlink had a flaw. So that camera has gone in the bin. Problem sorted? Perhaps not.

The second email says "a device using your internet connection may be infected with malware. We've been informed by a third party (not sure who that is!) that malicious traffic has been detected coming from a device using your internet connection. We don't know which device this is". It goes on to say "we need to let you know that if you don't get it fixed, to protect others, we may need to suspend or cancel your services in line with our acceptable use policy".

I have scanned our devices with Malwarebytes, and it has found nothing.

I have updated software.

Could it be our CCTV system causing a false positive?

I phoned in after the first letter and got zero help.

4 REPLIES

Kath_F
Forum Team

Hi Gazzl80, 

Thanks for taking the time to contact us via the Community. It's lovely having you on board with us in the Forums.

We're sorry to hear you've not had much help when raising your concerns previously. Whilst we wouldn't be able to tell you which device specifically it is, Mirai is a form of malware that targets Internet-connected appliances that are connected to your network. These include CCTV systems, smart TVs, smart plugs, NAS (Network Attached Storage) drives and other so-called 'Internet of Things' devices.
The Mirai malware targets devices that use the Telnet remote access protocol and still use the default username and password set by its manufacturer. These default credentials are often widely available on the Internet, which can allow third parties to remotely access the device and install malware on it.

We would 100% recommend following all the advice in the notification you've had to ensure you're protecting yourself, and you can find more helpful information on this here.

Thanks, 

Kath_F
Forum Team



Gazzl80
Tuning in

Hi,

You may not be able to tell me the device, but you can tell me the IP address it came from on my network. It is worth noting that we have over 50 always-on IoT devices. These range from plugs, smart speakers, lights, Ring equipment, etc.

How would I clear a smart TV? A CCTV system that doesn't even run on Windows? A smart plug that didn't have a password, just a pairing mode? A smart light? Etc., etc., etc. When you have 50-odd always-on devices you can start to see my problem.

I have no idea which plug or light has been hacked, or how to clear the plugs and IoT devices of malware. As it turns out, we did have an old D-Link 5030L camera. I have read an article saying that because it is an old camera and is unsupported, it could well be the source of the malware attack. But with no one at VM willing to tell me what IP on my network it is coming from, we are in the dark.

It is unfair to then send a letter saying that our connection may be disconnected. This is not something anyone has done purposefully. 

Last few questions. VM say they were "informed by a third party". Who is the third party? Are they trustworthy enough? Can we know who it is, please?

Many thanks for your reply 🙂 Have a good week.


Regards,

We understand this is very frustrating and we are sorry for this.

All we can really advise is to follow the guidance and instructions in the letter.

The letter should guide you for anything you need.

Matt - Forum Team



ravenstar68
Very Insightful Person

@Gazzl80 

With regards to your statement:

You may not be able to tell me the device but you can tell me the IP address it came from on my network.

The statement above may seem common sense, but sadly home networking isn't like that. Your internal IP addresses are shielded from the outside world by NAT (Network Address Translation), so all anyone outside your home network sees is your public Virgin Media IP address. (NAT was intended to preserve IP addresses, and its effect of making security harder because of this was discussed in the RFCs.)

With regard to third parties, there are a number of non-profit organisations working on the web to bring vulnerabilities such as this to ISPs' attention. One example is Shadowserver, who I have dealt with personally after they detected a device on my network that left mDNS exposed to the outside world.

One technique I've used with people to detect devices being used to send spam to the outside world could be adapted to look for activity from Mirai.

https://community.virginmedia.com/t5/Security-matters/Searching-for-Spambots-on-your-network/td-p/40...

By using the above method but changing the port number to 23 instead of 25, it should be possible to pick up the traffic. It does rely on you having a Windows device with an up-to-date Wi-Fi card that can be used as a temporary hotspot to connect up to 4 devices at a time, and it does require patience.

Note that the device on your network itself might not be infected with Mirai, but could be used as a conduit to send traffic through. In either event, you need to work to put a stop to it.

I will also add that I have seen devices such as Amazon Fire Sticks, which have been side-loaded with third-party software, being used as conduits for spam traffic. Once the device is found, a factory reset should do the trick.

ravenstar68


I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media.

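The capture-and-filter technique ravenstar68 describes (put suspect devices behind a hotspot one batch at a time and watch for port 23 traffic) and Kath_F's note that Mirai spreads over Telnet with default credentials both come down to one observable: an infected or abused device sends connection attempts to port 23 on many unrelated hosts. The script below is an added example, not code from the thread or from the linked spambot post, that automates the sorting step over the text output of tcpdump. It assumes the hotspot uses 192.168.137.0/24 (the default subnet of a Windows mobile hotspot; adjust `LAN_PREFIX`), that the capture is in tcpdump's default `-n` text format, and that Mirai's scanner probes TCP 23 and 2323, which it does. The sample capture is constructed for the example and is not traffic from anyone's network; the `min_targets` threshold is an arbitrary choice.

```python
import re
from collections import defaultdict

# Assumption: the temporary hotspot hands out 192.168.137.0/24 (the default
# subnet of a Windows mobile hotspot). Change this to match your own setup.
LAN_PREFIX = "192.168.137."
TELNET_PORTS = {23, 2323}   # Mirai's scanner probes both ports

# Constructed sample in tcpdump's default '-n' text format. These lines are
# made up for this example; they are not a capture from the poster's network.
# 192.168.137.12 behaves like a Mirai scanner; 192.168.137.20 makes one
# ordinary telnet connection and one HTTPS connection.
SAMPLE_CAPTURE = """\
12:00:01.000101 IP 192.168.137.12.41002 > 203.0.113.5.23: Flags [S], seq 1, win 64240, length 0
12:00:01.000202 IP 203.0.113.5.23 > 192.168.137.12.41002: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.000303 IP 192.168.137.12.41003 > 203.0.113.6.23: Flags [S], seq 1, win 64240, length 0
12:00:01.000404 IP 192.168.137.12.41004 > 198.51.100.7.23: Flags [S], seq 1, win 64240, length 0
12:00:01.000505 IP 192.168.137.12.41005 > 198.51.100.8.2323: Flags [S], seq 1, win 64240, length 0
12:00:01.000606 IP 192.168.137.12.41006 > 192.0.2.9.23: Flags [S], seq 1, win 64240, length 0
12:00:01.000707 IP 192.168.137.12.41002 > 203.0.113.5.23: Flags [R], seq 2, win 0, length 0
12:00:02.000101 IP 192.168.137.20.50001 > 203.0.113.80.443: Flags [S], seq 1, win 64240, length 0
12:00:02.000202 IP 192.168.137.20.50002 > 203.0.113.5.23: Flags [S], seq 1, win 64240, length 0
12:00:02.000303 ARP, Request who-has 192.168.137.1 tell 192.168.137.20, length 28
"""

# One tcpdump line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def outbound_syns(text):
    """Yield (src, dst, dport) for every new connection attempt from a LAN host.

    In tcpdump flag notation 'S' is SYN and '.' is ACK, so '[S]' is a fresh
    connection attempt and '[S.]' is the server's reply; only the former counts.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # ARP, IPv6, truncated lines and the like
        flags = m["flags"]
        if "S" in flags and "." not in flags and m["src"].startswith(LAN_PREFIX):
            yield m["src"], m["dst"], int(m["dport"])


def telnet_targets(text):
    """Map each LAN source to the set of distinct hosts it tried on a telnet port."""
    targets = defaultdict(set)
    for src, dst, dport in outbound_syns(text):
        if dport in TELNET_PORTS:
            targets[src].add(dst)
    return dict(targets)


def telnet_scanners(text, min_targets=3):
    """Return {src: sorted target list} for LAN hosts probing telnet on
    at least min_targets distinct destinations.

    A single telnet SYN can be legitimate (an admin logging into a switch);
    many distinct destinations is the scanning pattern worth chasing.
    """
    return {src: sorted(hosts)
            for src, hosts in telnet_targets(text).items()
            if len(hosts) >= min_targets}


if __name__ == "__main__":
    for src, hosts in telnet_scanners(SAMPLE_CAPTURE).items():
        print(f"{src} sent telnet SYNs to {len(hosts)} distinct hosts: {', '.join(hosts)}")
```

To use it on a real capture, run tcpdump (or Wireshark with the same display format) on the hotspot interface with a filter that keeps only outbound SYNs, for example `tcpdump -n -i <hotspot interface> 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and (dst port 23 or dst port 2323)'`, save the text and feed it to `telnet_scanners()`. Whichever hotspot client shows up with a long target list is the one to unplug, factory-reset or bin; as ravenstar68 notes, it may be a relay rather than the infected host, but it is still the device to deal with.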