-4

I need some help with removing the mirai worm on my rounter. Few days ago my ISP was on cyberattacks which it have affected over 100,000 customers who couldn't be able to get access to the internet that got shutdown.

Now it show that my local ISP are CloudMosa in Satatoga, California which is not. My ISP are postoffice in the UK.

I have tried to upgraded the latest firmware version from the manufacturer site which it is 2.00(AAJC.15)C0, I have also set the firewall to a high level to avoid the cyperattack and disabled the upnp but the virus will remove the latest firmware version and it will switch back to the old version V2.00(AAJC.15)O0. The name of the rounter I got is called ZyXEL AMG1302-T10B.

I don't know what i'm supposed to do and how to remove it as the virus keep coming back. I'm scary to use the internet as it could steals my information especially my bank details, username and password.

Do you know how to remove those nasty virus on the router?

David
  • 1
  • 1
  • 1
    This doesn't sound like mirai. and mirai doesn't steal your account information. Your confusing different things! – Marcus Müller Dec 04 '16 at 14:30
  • 5
    Mirai will not stick once a reboot is done - what you have sounds a little more sophisticated and we will need more details... – Bubble Hacker Dec 04 '16 at 14:31
  • @MarcusMüller yes it is a mirai. You should google it and it will tell you what they will do when you get access to the internet. – David Dec 04 '16 at 14:44
  • @BubbleHacker I have tried to reboot but it still there. I dont know what to do after all I have tried everything. I'm so frustrated. – David Dec 04 '16 at 14:45
  • @David come on. You're on a forum to ask for expert opinions. Two experts tell you it's not mirai. Do your googling, or at least read the wikipedia article. – Marcus Müller Dec 04 '16 at 14:46
  • 3
    In any case, **edit** your question to include all info how you came to the conclusion it's mirai, instead of contradicting @BubbleHacker and me without any facts. – Marcus Müller Dec 04 '16 at 14:49
  • @MarcusMüller yeah i know that i am on a forum. I find it strange why my router reset to a default version when I have upgraded and why it have changed the default password when I changed the password. Do you know what it is the cause of the issue? do the router got a virus or what? – David Dec 04 '16 at 15:41
  • "I find it strange" and "I am sure enough that it's Mirai to tell people that tell me it's not mirai after asking for advice that it's really mirai" are two completely different statements. – Marcus Müller Dec 04 '16 at 15:43
  • Even if the malware has characteristics of Mirai, which you have not clearly established in your question (you should at the very least tell us exactly how you reached the conclusion that your router has been infected by Mirai specifically), remember that the Mirai source code has been published. That means that Mirai may very well have been adapted or incorporated into other malware (and in fact, Wikipedia makes the claim that techniques have been adapted into other malware). Also, quite frankly, what you describe sounds more like a prank or user error than any half-way competent malware. – user Dec 04 '16 at 17:32
  • 2
    Despite all the debate on whether this is mirai or not (it's not), the question is off-topic. "How do I get rid of malware on a device with permanent storage that persists after a firmware re-write?" You throw it out. – schroeder Dec 04 '16 at 17:35

2 Answers2

3

I agree that this does not seem to be Mirai, but it doesn't really matter what it is. The solution is the same no matter what.

If a firmware rewrite does not kill it, then just throw the router in the trash and get a new one. I know, it might cost you some money, but it is the only way you can be sure it has not somehow persisted on the device. Just consider the router as broken beyond repair.

Anders
  • 64,406
  • 24
  • 178
  • 215
  • Upvote. Short and to the point. Routers are surprisingly inexpensive these days. And if it came from an ISP, take it back to them. – SDsolar May 16 '17 at 21:58
0

I had a similar problem with my AMG1303-T10B. I upgraded the firmware but then got locked out - neither my password, not the default (after complete reset) would work. This happened twice (once on the original router and then again on a fresh OOTB backup). So went out and bought a TP-Link N600 and I am now back in business.

But my ISP who was also working on the problem has now found the answer (it seems - I haven't tried this yet). Full details are here: http://www.comley.name/2016/12/02/fixing-your-amg-1302-t10b-if-its-been-hacked/

Richard Collings
  • 1