HKCERT
Hong Kong Computer Emergency Response Team Coordination Centre

Security Guideline

Mirai Malware Cleanup and Prevention

Release Date: 24 / 01 / 2017
Last Update: 24 / 01 / 2017

1. What is Mirai?

Mirai, a name believed to come from the Japanese word mirai (未来), meaning ‘future’, is Linux-based malware that targets devices connected to the Internet (the ‘Internet of Things’, also known as ‘IoT devices’) such as home routers, IP cameras and video recorders.

The malware was first uncovered in September 2016 following large-scale DDoS attacks targeting KrebsOnSecurity.com and the OVH hosting service, and later the DNS provider Dyn, which left many large websites in the US and EU inaccessible.

The attacks were launched from vulnerable IoT devices, such as routers and IP cameras, that had been infected with Mirai and formed a botnet. These devices are vulnerable because many of them are not patched and are protected only by weak credentials, i.e. many of them use well-known default usernames and passwords.

2. Handling Mirai-infected devices

Mirai malware is memory-resident (volatile) only, so you can remove it from an infected device simply by rebooting the device. However, the device can then be scanned and re-infected over the network. The following approach is therefore suggested:

  1. If you suspect that your device is infected, unplug it from the network immediately, and shut down the device for a while.
  2. Check whether your home router or firewall opens TCP port 23 of the device to the Internet. If so, close this port.
  3. Restart the infected device.
  4. Restore the infected device to factory settings (factory reset).
  5. Change the default password of the device (through its administration user interface) to a strong password.
  6. Keep the Telnet service and TCP port 23 of the device closed. If access to the device from the Internet is required, use SSH or a VPN service instead, with a strong password and strong authentication.

Note: Refer to the device manual or consult the device manufacturer when necessary.

3. Prevention of Mirai infection

  1. Researchers have revealed that the attackers compromised devices through their Telnet service (TCP port 23) to infect them with Mirai malware. On your home router or firewall, close this service and the related port if you do not need it.
    You can check whether the service is open using the following webpage:
    http://www.yougetsignal.com/tools/open-ports/
  2. If your device does not need to connect to the Internet directly, place it inside a protected internal network; otherwise, use SSH or a VPN service.
  3. If you plan to acquire a new device, ensure that its firmware can be patched. Check the manufacturer's practice and history of firmware patching for its products.
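
To complement the external web check with a test from inside your own network, the following Python script (an added example, not part of the original guideline) checks whether devices you own still accept connections on TCP port 23 and whether the service answers with Telnet negotiation. The function names and the name=address inventory given on the command line are assumptions made for illustration.

```python
import socket
import sys

TELNET_PORT = 23  # the port the guideline says to keep closed
IAC = 0xFF        # Telnet "Interpret As Command" byte (RFC 854)

def check_telnet(host, port=TELNET_PORT, timeout=3.0):
    """Return 'closed', 'open' or 'telnet' for host:port.

    closed - connection refused, filtered or timed out
    open   - something accepts connections but did not start Telnet negotiation
    telnet - the service greeted us with a Telnet IAC byte
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                first = sock.recv(16)   # Telnet servers usually negotiate first
            except OSError:             # includes a read timeout
                first = b""
    except OSError:
        return "closed"
    return "telnet" if first[:1] == bytes([IAC]) else "open"

def audit(devices, port=TELNET_PORT, timeout=3.0):
    """Check every device in {name: address} and return {name: status}."""
    return {name: check_telnet(addr, port, timeout)
            for name, addr in devices.items()}

def exposed(results):
    """Names of devices whose port is not closed and still needs attention."""
    return sorted(name for name, status in results.items() if status != "closed")

if __name__ == "__main__":
    # Assumed usage: python3 telnet_audit.py camera=192.168.1.20 dvr=192.168.1.21
    inventory = dict(arg.split("=", 1) for arg in sys.argv[1:])
    results = audit(inventory)
    for name, status in sorted(results.items()):
        print(f"{name:20} {inventory[name]:15} tcp/{TELNET_PORT}: {status}")
    sys.exit(1 if exposed(results) else 0)
```

A result of closed from inside the network means the Telnet service itself is off; the web check above tells you only whether the router forwards the port from the Internet.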

4. Remarks on devices for surveillance and monitoring purpose

Many people and companies install Internet-enabled cameras and DVRs at home or in corporate facilities for physical security or safety purposes. Although Mirai malware may not affect the surveillance or monitoring functions of your devices, the infection creates a ‘backdoor’ that makes your devices vulnerable to other attacks, e.g. allowing other criminals to control them and even ‘see through’ them into your home or facilities. Mirai-infected cameras and DVRs therefore create risks to your physical security.