
Mirai malware alert

You may have recently received a letter and/or email from Virgin Media explaining we have been notified that an online device on your network contains malware named Mirai. If you have received such a communication from us, please follow the advice given on this page to resolve the issue.

Overview

Mirai is a form of malware that specifically targets Internet-connected appliances on your network. These are often called ‘Internet of Things’ devices. They can be CCTV systems, smart TVs, smart plugs, NAS (Network Attached Storage) drives etc.

What has happened?

We work with a number of not-for-profit organisations across the banking industry and security sectors that collate information on devices across the Internet that are infected with malware. They have notified us that a device on your home Internet connection (or one connected to your home network) is infected with malware.

We are unable to specify exactly what device in your home is infected, but it is likely to be a ‘smart’ device such as a CCTV camera or Network Attached Storage (NAS) drive rather than a traditional computer or laptop.

If the malware is not removed, the device can be exploited to unwittingly participate in malicious activities, for example a Distributed Denial of Service (DDoS) attack.

It is therefore important that you follow the advice in this article*.

How can the issue be fixed?

We’re here to help and if you have a basic knowledge of computers and connected devices there are a number of steps you can take to secure your home network. Make sure you follow these steps in order.

The Mirai malware targets devices that use the Telnet remote access protocol and still use the default username and password set by their manufacturer. These default credentials are often widely available on the Internet, which can allow 3rd parties to remotely access the device and install malware on it.

To secure Telnet access on your devices, please follow one of the below steps:

Change default passwords

Internet-connected appliances often utilise a default username and password that the manufacturer has set for the Telnet service. These are often the same across hundreds if not thousands of devices from that manufacturer.

Changing the password to your own custom password will protect your device from being targeted by Mirai in the future, as the malware uses a list of common device passwords to connect to your device through Telnet.

Make sure to disconnect the device from the Internet before changing the passwords.

Steps on how to change the Telnet password used by any Internet-connected appliances on your home network vary between devices and manufacturers. Consult the documentation that came with your device for details on how to do this.
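
To find which devices on your home network actually offer Telnet, and so need their password changed, a check like the following can be run from a computer on the same network. This is an added example, not a Virgin Media tool; the 192.168.0.0/24 range is an assumption based on the Hub's default address, and the check only tests from inside your network, not from the Internet.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

TELNET_PORT = 23  # the port this page asks you to close


def telnet_open(host, port=TELNET_PORT, timeout=0.5):
    """Return True if a TCP connection to host:port succeeds."""
    addr = ipaddress.ip_address(host)
    # Only probe home-network (private or loopback) addresses.
    if not (addr.is_private or addr.is_loopback):
        raise ValueError(f"{host} is not a home-network address")
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, unreachable or timed out: nothing is listening for us.
        return False


def find_telnet_devices(network="192.168.0.0/24", port=TELNET_PORT):
    """Check every host address in the network; return those answering on port."""
    hosts = [str(h) for h in ipaddress.ip_network(network).hosts()]
    with ThreadPoolExecutor(max_workers=64) as pool:
        results = pool.map(lambda h: telnet_open(h, port), hosts)
        return [h for h, is_open in zip(hosts, results) if is_open]


if __name__ == "__main__":
    found = find_telnet_devices()
    if found:
        print("Telnet is listening on these devices:")
        for host in found:
            print("  ", host)
    else:
        print("No device on 192.168.0.0/24 answered on port 23.")
```

Any address it lists belongs to a device with Telnet switched on; match the address to a device using your Hub's list of connected devices.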

Disable Telnet access if it isn’t required

If you do not need the Telnet service to be used by systems outside of your home network, it is highly recommended that you block it so only devices within your home can use it.

The Telnet service does not use encryption, meaning any passwords you send between devices using Telnet are sent across in plain text – this poses a security risk.

Only action this step if you are certain you do not need the Telnet service to be accessible from outside your home network.

Hub 3.0

To close the port used by Telnet on the Virgin Media Hub 3.0:

  • Access your Hub's configuration page - default web address: 192.168.0.1
  • Login with your username and password, default will be shown on the Hub itself
  • Select Security on the left side of the page
  • Select the Port Forwarding option
  • Remove any rules that will keep port 23 open
  • Select the Port Triggering option
  • Remove any rules that will keep port 23 open

Super Hub 1, 2 or 2ac

To close the port used by Telnet on Super Hub 1 or 2’s firewall:

  • Access your Hub's configuration page - default web address: 192.168.0.1
  • Login with your username and password, default will be shown on the Hub itself
  • Select Advanced Settings and accept the prompt
  • Scroll down to the Security section
  • Select the Port Forwarding option
  • Tick the Delete box next to any rules that will keep port 23 open
  • Click the Apply option
  • Select the Port Triggering option
  • Tick the Delete box next to any rules that will keep port 23 open
  • Click the Apply option

3rd party routers

If you use a 3rd party router in conjunction with the Hub 3.0 or Super Hub 1, 2 or 2ac, your router's firewall will need to be configured to ensure port 23 is not accessible outside of your local network - this can be performed by blocking the port or removing any Port Forwarding rules for that port. In order to identify how to do this with your particular router, refer to the documentation for your device or refer to the manufacturer's website.

Once the Telnet service has been secured using one of the solutions above, the next step is to remove the Mirai infection from your device(s).

To do this follow the below steps in order:

  • Disconnect the device from the network
  • While disconnected from the network, perform a reboot. The Mirai malware exists in dynamic memory so rebooting the device will clear the malware
  • You should reconnect to the network only after rebooting and changing the password. If you reconnect before changing the password, the device could be quickly re-infected with the Mirai malware

If you have followed the steps above but continue to get notifications regarding this security issue, please follow the below steps:

Firewall - It is important to check that all your devices sit behind a firewall. In most cases your firewall is configured as part of your router; this is the case with the Hub 3.0 or Virgin Media Super Hub. If you have specifically disabled the firewall in your router, it is crucial that you configure your devices to sit behind a firewall that is blocking port 23. If this does not apply to you, please proceed to the next step.

Modem Mode - If you are using your Hub 3.0 or Super Hub 1, 2 or 2ac in Modem Only mode, it is essential that you are using a firewall on any device or router that is plugged directly into the Hub. When in Modem Only mode, your Hub does not operate with a firewall. If this does not apply to you, please proceed to the next step.

DMZ - Most firewalls, including the one provided with the Hub 3.0 and Super Hub 1, 2 or 2ac, include a DMZ option. This feature allows a device using a specific local IP address on your home network (e.g. 192.168.0.2) to bypass your firewall settings. This is occasionally necessary if you are using a device that has its own firewall configured. If you have a device configured in your firewall's DMZ that does not use its own firewall, it is crucial that you disable this option immediately. Computers operating without a firewall are extremely vulnerable to attack as all ports are essentially exposed to the wider Internet.

To check if a device is configured in the DMZ on your Hub 3.0:

  • Access your Hub's configuration page - default web address: 192.168.0.1
  • Login with your username and password, default will be shown on the Hub itself
  • Select Security on the left side of the page
  • Select the DMZ option
  • To remove a device from the DMZ, tick the Disable box

To check if a device is configured in the DMZ on your Virgin Media Super Hub 1, 2 or 2ac:

  • Access your Hub's configuration page - default web address: 192.168.0.1
  • Login with your username and password, default will be shown on the Hub itself
  • Select Advanced Settings
  • Select DMZ
  • To remove a device from the DMZ, uncheck the tick box at the top of the page

 

How do I know I’m now safe?

If you have followed the above advice you can be confident that you have resolved the issue.

If you would like further advice or to verify that this is a genuine Virgin Media communication then our community will be happy to help. Just visit virginmedia.com/community, select 'Help forum' and join in the conversation on the Security matters board.

Where can I find further information and advice?

If you’d like further advice then our forum community will be happy to help. Just visit virginmedia.com/community and join the conversation on our Security Matters board.

You can find general security advice and articles on other vulnerabilities by checking Security Hub at virginmedia.com/securityhub

Internet Matters

Virgin Media supports Internet Matters: a not-for-profit organisation working with online safety experts to bring you all the information you need to help keep your children safe online.


* These links to external sites are provided as a courtesy and we are not responsible for the content of these sites or any problems encountered whilst applying these steps and we are not able to provide any technical support for such problems.

