Attackers have used an advanced new strain of the Mirai Internet-of-things malware to quietly amass an army of 100,000 home routers that could be used at any moment to wage Internet-paralyzing attacks, a researcher warned Monday.

Botnet operators have been regularly releasing new versions of Mirai since the source code was openly published 14 months ago. Usually, the new versions contain minor tweaks, many of which contain amateur mistakes that prevent the new releases from having the punch of the original Mirai, which played a key role in a series of distributed denial-of-service attacks that debilitated or temporarily took down Twitter, GitHub, the PlayStation Network and other key Internet services.

Sophisticated approach

What sets this latest variant apart is its ability to exploit a recently discovered zeroday vulnerability to infect two widely used lines of home and small-office routers even when they're secured with strong passwords or have remote administration turned off altogether, Dale Drew, chief security strategist at broadband Internet provider CenturyLink, told Ars. One of the affected Huawei devices is the EchoLife Home Gateway, and the other is the Huawei Home Gateway. Roughly 90,000 of the 100,000 newly infected devices are one of the two Huawei router models. The new malware also has a dictionary of 65,000 username and password combinations to try against other types of devices.

"It's a pretty sophisticated approach," Drew told Ars on Monday. The unknown operator "has a pretty significant scanning army right now where he's adding more and more vectors to his IoT pool."

Up until now, Mirai has preyed on routers that are configured to be administered over the Internet using default passwords. In October, researchers documented a new IoT botnet dubbed Reaper. It was novel because it infected devices by exploiting remote code-execution vulnerabilities. The new Mirai strain takes the same approach.

In the almost two weeks since the new botnet came to light, the operator has done little more than use the infected devices to scan the Internet for more vulnerable devices and then infect them. Drew warned that the operator could use the compromised devices at any time to wage crippling DDoS attacks, possibly as a fee-based service aimed at people who want to settle personal scores or extort money from online services. The botnet is the same one researchers from China-based Netlab 360 documented last week

Security professionals were able to seize the two domain names used to control the botnet, but Drew said the operator has since managed to regain control of the infected devices using new command and control channels. While Level 3, the backbone provider that was recently purchased by CenturyLink, is using its network to block control server communications with infected devices, there are plenty of networks that still allow the botnet to operate freely. Drew said for the time being, security professionals have few options other than to closely monitor the botnet and block any new control channels it may use.

"The scary story is we have botnet operators desperately trying to get access to nodes numbered in the hundreds of thousands if not millions," he said. "We've always said it takes a village to protect the Internet. When we find a bad guy we're getting that information sinkholed and blocked much more quickly."