About 11 million routers and cameras are still exposed on the public network after Mirai

Posted by tzul at 2020-04-02

Event review:

In the early morning of October 22, Dyn, a US provider of managed DNS services, said that it had suffered a DDoS (distributed denial of service) attack that took down sites including Twitter, Tumblr, Netflix, and Amazon.

On October 24, US local time, the security blog Security Affairs published a post saying that hackers had been advertising, on the black market, a botnet made up of a large number of IoT devices under their control, at approximate prices of $4,600 for 50,000 bots and $7,500 for 100,000 bots.

On October 24, the details disclosed by domestic electronics manufacturers matched the findings of security researchers: the IoT botnet malware known as Mirai has been exploiting defects in Xiongmai products, injecting malicious code into them, and using them to launch large-scale distributed denial of service attacks, including last Friday's attacks.

Mirai functionality

Mirai is an ELF-format Trojan for Linux that mainly targets IoT devices, including but not limited to webcams and routers. It scans the network for IoT devices and infects the vulnerable ones that still use factory-default passwords or other weak passwords. Once infected, a device becomes a bot and can launch high-intensity botnet attacks on the attacker's command. Mirai consists mainly of a loader, a CNC (command and control) server, and the bot program itself. The loader is used to deploy the bot program and monitor its status; the bot program implements connecting to the control server, DDoS attacks, and downloading and running files. In addition, the bot implements anti-debugging, hiding itself, killing system processes, and binding to a port.

Its DDoS attacks support UDP, VSE (Valve Source Engine specific flood), DNS, SYN, ACK, STOMP, GRE IP flood, GRE Ethernet flood, HTTP, and other flood attacks. It spreads mainly by brute-forcing weak SSH and telnet passwords: its dictionary contains more than 60 username/password pairs, and it scans mainly ports 23 and 2323.

(Mirai Dictionary)

Potential impact area - latest data as of noon on October 25

At present, based on the FOFA search rules contributed by the security lab and the many white-hat users, White Hat has counted about 11 million cameras and routers exposed on the public network (this is not an exhaustive count, and it cannot be ruled out that other brands of equipment also purchase and integrate the same modules). Among the devices affected this time, there are many Xiongmai and Dahua units in China, plus ZTE (Xiongmai and Dahua appear in the top 10 statistics).

The following figure shows the top ten device ranking (red indicates the affected devices).

Below is the top five geographical distribution for each device (top 5):

Huawei router

Mexico: 2048911

Germany: 1309970

Egypt: 569840

Saudi Arabia: 530268

UK: 503197


China: 169022

US: 88948

India: 64570

Mexico: 48319

Colombia: 38045

DVR Streamer

United States: 185244

Taiwan Province: 133011

Vietnam: 45445

India: 45173

South Korea: 27513


Brazil: 77529

Italy: 49563

Poland: 48320

USA: 44559

Indonesia: 40666

Xiongmai

Vietnam: 68439

Turkey: 53611

China: 32042

Taiwan: 22988

India: 19186

Protection against Mirai

1. If the telnet service is enabled, turn it off;

2. If TCP port 48101 is not in use, disable it; this prevents further damage;

3. Change the default password and any weak passwords to strengthen password security;

Mirai cleanup

If, after logging into the system, you find a process whose name matches the following pattern, terminate it and delete the file:

./{long random string of letters}
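To turn the protection and cleanup steps above into a repeatable check, here is an added example (not from the original post): a small sh/awk audit helper that looks for telnet listening on 23/2323, a socket bound to TCP/48101, and a process whose name is a long string of letters. It reads the text format of `ss -ltn` / `netstat -ltn` and `ps -eo pid,comm`, so it runs offline on the constructed samples below; the 12-letter threshold is an assumption of this example, chosen to avoid flagging ordinary daemons.

```shell
#!/bin/sh
# Added example, not part of the original post. Applies the article's three
# checks (telnet listener, TCP/48101 bound, long-letter-string process name)
# to socket and process listings. The 12-letter threshold is an assumption.

# Constructed sample socket table (ss -ltn style). netstat -ltn also works
# because both put the local address in column 4 and "LISTEN" on the line.
SAMPLE_SOCKETS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      0.0.0.0:23         0.0.0.0:*
LISTEN 0      1      0.0.0.0:48101      0.0.0.0:*'

# Constructed sample process list (ps -eo pid,comm style) with one Mirai-like name.
SAMPLE_PROCS='  PID COMMAND
    1 init
  214 dropbear
  987 telnetd
 1337 dUGDsdkljfSLDK'

# Print local sockets listening on telnet ports 23 or 2323 (Mirai's scan ports).
telnet_listeners() {
  awk '/LISTEN/ { n = split($4, a, ":"); p = a[n]; if (p == 23 || p == 2323) print $4 }'
}

# Exit 0 if any socket is listening on TCP/48101 (the port the article says to close), else 1.
mirai_port_bound() {
  awk '/LISTEN/ { n = split($4, a, ":"); if (a[n] == 48101) found = 1 } END { exit !found }'
}

# Print "pid name" for processes whose name is 12 or more letters only (no digits,
# dots or slashes), matching the article's "./{long letter string}" description.
# Review each hit before terminating it; legitimate binaries rarely look like this.
suspicious_procs() {
  awk 'NR > 1 && length($2) >= 12 && $2 ~ /^[A-Za-z]+$/ { print $1, $2 }'
}

# Run all three checks on the constructed samples. On a live host use instead:
#   ss -ltn | telnet_listeners; ss -ltn | mirai_port_bound; ps -eo pid,comm | suspicious_procs
audit_samples() {
  printf '%s\n' "$SAMPLE_SOCKETS" | telnet_listeners | sed 's/^/telnet listening on: /'
  if printf '%s\n' "$SAMPLE_SOCKETS" | mirai_port_bound; then
    echo "TCP/48101 is bound (Mirai indicator)"
  fi
  printf '%s\n' "$SAMPLE_PROCS" | suspicious_procs | sed 's/^/suspicious process: /'
}
```

Run `audit_samples` to see the three findings on the constructed data; on a real device, pipe the live output of `ss`/`netstat` and `ps` through the same functions.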


White Hat will continue to follow this incident; please stay tuned.

