Mirai, the Internet-of-things malware that turns cameras, routers, and other household devices into potent distributed denial-of-service platforms, may be lying low, but it's certainly not dead. Last week, researchers identified a new outbreak that infected almost 100,000 devices in a matter of days.

In September of last year, Mirai emerged as a force to be reckoned with when it played a key role in silencing one of the most intrepid sources of security news in then-record-setting DDoS attacks topping 620 gigabits per second. Within a few weeks, Mirai's developer published the source code , a feat that allowed relatively unsophisticated people to wage the same types of extraordinarily big assaults. The release almost immediately helped touch off a series of large-scale attacks. The most serious one degraded or completely took down Twitter, GitHub, the PlayStation network, and hundreds of other sites by targeting Dyn, a service that provided domain name services to the affected sites.

Last week, researchers from China-based Netlab 360 say they spotted a new, publicly available Mirai variant. The changes allowed the malware to spread to networking devices made by ZyXEL Communications that could be remotely accessed over telnet using default passwords. One of the exploits was published on October 31. Over a span of 60 hours starting on November 22, the new Mirai strain was able to commandeer almost 100,000 devices. Virtually all of the infected devices used IP addresses local to Argentina, a possible indication the outbreak targeted customers of a regional service provider who were assigned unsecured modems.

As the underlying CVE-2016-10401 vulnerability description explains, affected ZyXEL devices by default use the same su, or superuser, password that makes it easier for remote attackers to obtain root access when a non-root account password is known. The exploit published on October 31 first logs in as a telnet user and then escalates privileges using the superuser password.

Sleeping giant

Fortunately, the two domains the attackers used to control the newly infected devices were seized in a process security professionals call sink-holing. The move had the effect of stopping the infection from spreading further and preventing the attackers from using the hijacked devices to cause Internet outages. But there's hardly reason for optimism for at least two reasons. First, until those devices are properly secured, they remain susceptible to the same newly discovered variant and could be, or possibly already have been, hijacked again.

A second and more important cause for concern: the incident underscores the huge untapped destructive potential of Mirai and other IoT botnets. The recently discovered Reaper botnet is significant because it doesn't rely on passwords at all to spread. That raises the specter of outbreaks that infect devices even when owners or service providers have taken the time to change default credentials. If the addition of two default credentials can recruit almost 100,000 new devices in less than three days, attackers likely have plenty of other ways to take over IoT devices in mass quantities.

In February, security researcher Bruce Schneier published a sobering article that analyzed the growing threat the lack of IoT security poses to our lives and the perverse lack of incentive that both device sellers and buyers have in fixing the mess. The lack of any market solution led Schneier to draw the conclusion that only governmental regulation can solve the problem. Given the inaction in the 14 months since Mirai emerged, the essay should be required reading for politicians everywhere.