Mirai variant turns TalkTalk routers into zombie botnet agents

Hundreds of Mirai-infected home routers across the UK are currently acting as DDoS bots. The vast majority (99 per cent) of these 2,398 Mirai-infected devices are TalkTalk routers, according to security researchers at DDoS mitigation firm Imperva Incapsula. “The botnet devices’ geolocation is very uncommon for DDoS botnets …

  1. Captain Badmouth

    "TalkTalk routers, zombie botnet agents"

    Much like the management, then.

    Dido was the first queen of Carthage, her modern counterpart is rapidly becoming the first queen of carnage.

    1. Rich 11

      How long before she too falls on her sword?

      1. Captain Badmouth

        How long before she too falls on her sword?

        Burn the witch.

        1. DJV Silver badge

          Re: Burn the witch.

          She turned me into a newt!

        2. Doctor_Wibble

          Re: How long before she too falls on her sword?

          > Burn the witch.

          Only if she weighs the same as a duck!

    2. Andy Non

      Winter is coming for Dido.

  2. John H Woods Silver badge

    Talk talk said ...

    ... can't these statements be scored for quality? I'll kick off, we can refine the criteria later:

    "Along with other ISPs" ---- minus 10 points for trying to say that it isn't mainly your organisation's problem

    "in the UK and abroad" --- minus 5 points for making it look like an international issue

    "we continue to take steps" --- minus 20 points for meaningless, unquantified cliché

    "a small number of customers" --- minus 30 points for calling >2000 small

    "we have made good progress" --- minus 10 points for referring to unquantified progress

    "we continue to deploy additional network-level controls" --- minus 20 again as per "we continue to take steps" and another 10 for repetition.

    "to further protect our customers" --- minus 50 points for pretending that's a priority.

    And another -40 for not even hazarding a guess at the date when the issue will be closed.

    That's -195 by my count. Improvements to the scoring system welcome, just dashed this off whilst scoffing a sandwich.

    1. Rich 11

      Re: Talk talk said ...

      In all fairness, you should award them +1 point for not using the execrable cliché 'working hard'.

      1. Anonymous Coward

        Re: Talk talk said ...

        +1 for also not rolling out that other much used phrase "lessons will be learnt"

        1. DJV Silver badge

          Re: Talk talk said ...

          Mainly because they aren't working hard and definitely won't learn any lessons!

        2. VinceH

          Re: Talk talk said ...

          The overall score should also be doubled for no other reason than it's TalkTalk - so even if we count those two +1s, that's -386.

    2. Anonymous Coward

      Re: Talk talk said ...

      If I may...

      '"a small number of customers" --- minus 30 points for calling >2000 small'

      I think what they mean is "a number of small customers" as in little, unimportant nodes that keep paying us for the privilege of being on such a well-known botnet.

      "Hello, Talk Talk customer support"

      Yes, me old router is acting up

      "One moment, sir... Ah, here we go then... and you're all set up on the botnet now! Have a nice day!"

      Wait, that's not good for me, I don't want to be on the botnet.

      "I'm sorry, we are experiencing a large number of calls today, your call is important to us, so please stay on the line to prove what a fucking tosser you are. Thank you!"

      Oh bugger.

  3. alain williams Silver badge

    Talk talk still got customers then ?

    Surprising. Even the most slothful should now be prodded to move.

    1. tr1ck5t3r

      Re: Talk talk still got customers then ?

      Just about. For an experiment I plugged an old ADSL modem into a Windows XP machine, using PPPoE on XP to handle the net connection. I don't get any incoming hack attacks even though the XP firewall is up and logging everything, but I can only access the Google websites or sites with Google search on. I can't connect to any Ubuntu archives when using the minimal ISOs (30-60MB), I can't connect to any websites, not even GCHQ. If I use an old Belkin which gets its time from a Belkin server I can surf unrestricted, and if I use a D-Link DSL-3780 I can surf unrestricted, but take note: the DSL-3780 CFG file is an unencrypted XML file and it uses IPv6 for the TalkTalk TV & film service, and provides 3 unsecured wifi access points, ideal for bonding with your neighbours' wifi to boost your download speed or for any old Tom, Dick or Harry to gain access to your network! Yet no one seems interested, not GCHQ (yes I even called GCHQ), not the police, not TalkTalk.

      Why is this? Trying to set people up who upset the order perhaps?

    2. VinceH

      Re: Talk talk still got customers then ?

      "Even the most slothful should now be prodded to move."

      A part of the problem is that they also have new customers who have signed up with them since (and despite) the big breach. I know a small (but not small enough) number - and, sadly, I think it would be a waste of time bringing things like this and the router password issue to their attention; it'll just go in one ear, sent through the £££ filter (i.e. their main reason for signing up with TalkTalk was the price) and straight back out the other ear.

  4. Locky

    Only 2,398?

    With 57,000 TalkTalk modem details available, this could well be the tip of the iceberg

    1. MR J

      Re: Only 2,398?

      I have checked a couple and they were not touched by this, so I can only guess that specific IP ranges were hit before blocks were put into place. Of course, it could also be that the network was so poor in some areas that this hack attempt flooded the network and protected the equipment. In the area I live in their basic DSL service can fall over a few times a day, so it is a possibility.

      My in-law has the "Fibre" DSL through them now but we use the equipment in a modem only configuration and the passwords are changed from default.

      People stay with them for the price. £26 a month for Phone (unlimited anytime) + Fibre + Mobile (basic freebie, but it's probably worth £4-£5 as a stand-alone package) is not bad. The best package that we could get close to that without jumping through tons of hoops was SSE, and for some reason they refused to do an install at his address.

  5. Rob Crawford


    Not that Talk Talk are being crap, I'm simply surprised that so many Talk Talk users had an internet connection good enough to even get infected

  6. simmondp

    When are they going to learn?

    If you learnt nothing from the first four breaches it is "be open with your customers and tell them early" unfortunately the advice is still "if you have a connectivity problem simply reset your router".

    As before, no proactive advice whatsoever - Yes I'm a customer - no I have not received any proactive communication.

    Dido, your customers are reading about the severity in the papers and on the BBC, an email - if only to say "you do not have an affected router" would not go amiss. For those with affected routers then what you are actually doing.

  7. Andy Non

    TalkTalk, the company that keeps on ...

    Giving your personal details away.

    Giving access to your router away.

    But doesn't give a sh*t.

  8. wolfetone Silver badge

    TalkTalk, putting the "sham" in to "omnishambles"

    "From bean to cup, you fuck up" - Malcolm Tucker

  9. Anonymous Coward

    Bit slow on the uptake Reg, this story has been going around a while now.

    J. Jonah Jameson would be kicking journos' asses and demanding action.

    More like news bunnies than news hounds.


  10. Anonymous South African Coward

    IoT stuff, routers, cameras...

    ...what's next? Cars doing wardriving and spreading the Mirai worm all over the place?

  11. anthonyhegedus

    I hate that dildo woman

    1. gypsythief

      Re: I hate that dildo woman

      'Ell hath no fury like a woman porned...

  12. Peter X

    Dark Mesh

    How long before such a thing exists... it seems like there are enough vulnerable wifi connected devices to make this technically possible? And at that point, aren't TalkTalk, etc all guilty of subverting the government's attempt to monitor all communications? Dido could be facing terrorism charges!! ;)

    But more realistically, if you _were_ a would-be terrorist, wouldn't you make sure you had TalkTalk provided internet & router in order to have plausible deniability if you ever got questioned over visiting (say) beheading/bomb-making websites?

    1. wolfetone Silver badge

      Re: Dark Mesh

      You would need access to the evidence against you, and unfortunately under the IPA that's not going to happen.

  13. TheBully

    Is there a hard and fast way to know if your router is pwned

    I have a TalkTalk router at home, tried a port scan on mxtoolbox to my public IP and it's not showing anything open. Really I should change from TalkTalk but I think my contract restarted when I upgraded my fibre to the faster option last year (before the data leak). I originally got it for the YouView box and having a few included Sky channels but the thing drives me and any guests at my house up the wall as it's so slow.

    Press the channel you want and 5 seconds later it goes to the channel only to hop back because all the impatient button presses on the remote are cached in the buffer. ;) Also I think the box has a dodgy dry joint in the HDMI socket as it keeps going all pixelated like I have bad reception and I have found that wiggling the HDMI lead in the socket fixes it for a while. Being able to scroll back in the guide for catchup is useful though, or is if you have the patience.

    Internet is alright otherwise, good and fast.


  14. Anonymous Coward

    At last, someone has found a use for TT routers!!

    1. Captain Badmouth

      At last, someone has found a use for TT routers!!

      Tie a rope on it and use as a plumb line.

  15. Anonymous Coward

    Could also be the Chinese routers

    They also have a backdoor always open. And TT are happy to oblige. 4 hacks in a row and she is still CEO. Oh wait, she is part of the establishment.

    That makes TT even more shittier and repugnant when they always say "a small number of customers". And of course the oft repeated "We are working hard to..." whatever. And still insisting the routers are safe!

    Can't anyone bring in a public interest litigation or class action against such arrogant CEOs who always get away scot-free? Falling on the sword? That is so last century.

    1. Captain Badmouth

      Re: Could also be the Chinese routers

      "Falling on the sword? That is so last century."

      Actually, more likely 968 BC, the reference being to how Queen Dido died on her funeral pyre, hence, also, my "burn the witch".

  16. adam payne

    "Along with other ISPs in the UK and abroad, we continue to take steps to review the potential impacts of the Mirai worm. A small number of customer routers are affected by this issue. We have made good progress repairing these, and replacing them when necessary, and we continue to deploy additional network-level controls to further protect our customers."

    Smells of PR bull stuff to me.

    You continue to take steps to review the impacts, what steps are you taking?

    2000 customers certainly isn't a huge amount but it's still quite big. How many of these 2000 have been resolved?

    What additional network-level controls are you implementing and why weren't they already in place?

    Talk Talk the company that just keeps on giving.

  17. anthonyhegedus

    I'm just with a customer who has a red power light and we rang talk talk customer service who immediately said they'd replace the router (there's even an option on the menu "have you had the red light on your router for more than 30 seconds?"). The Philippines tech wouldn't tell me what was wrong until pushed, when he admitted it was 'a virus'.

    1. Chloe Cresswell

      Have a client with a bricked talktalk router.

      Talktalk have spent 5 days trying to talk them through fixing the "Windows update stops DHCP" bug, and say they now need a BTo engineer to look at the line at ~£56, when the fault is the talktalk router is dead.

