An attack hit nearly one million home internet routers of Deutsche Telekom AG customers, knocking them offline, the latest in a string of similar events that have revealed vulnerabilities in home devices connected to the internet.

Deutsche Telekom, which has 20 million fixed line customers, said the attack started Sunday and attempted to infect the routers with malicious software. In about 5% of the routers, the company said, the virus caused the devices to malfunction, interrupting internet service.

Most of the affected routers were back online as of Tuesday evening, Deutsche Telekom spokesman Stephan Broszio said. The company instructed customers to reboot the machines to download a software patch. It hasn't yet found the culprit.

The malware used in the attack was a variant of the Mirai code that has been used in other attacks, according to the SANS Institute, a cybersecurity research group.

Security experts say the Mirai software has infected millions of network routers, digital video recorders and other connected devices around the world in recent months. The code works by exploiting factory-default passwords that most device owners never change. The software then uses its control of the gadgets to flood other websites with junk traffic, a tactic known as a distributed denial of service attack.

Most device owners never know their machines were enlisted in massive "bot" networks to launch online attacks. That suggests the disruption at Deutsche Telekom came from an infection campaign gone awry.

"The bot code apparently either triggered a malfunction, or it overloaded the Deutsche Telekom routers, causing them to lock up," said Johannes Ullrich, dean of research at the SANS Institute. "This wasn't the intention of the bot code, but an error in the way the bot was coded."

Network engineers who study Mirai have warned that attacks on high-profile websites are likely to continue since the code was released to the public earlier this year. That launched a feeding frenzy among hackers and less-skilled videogamers known to target high profile websites for fun or profit.

Dale Drew, chief security officer at network operator Level 3 Communications Inc., said the attack appeared to come from a novel Mirai strain designed to add new classes of devices into its network.

Flashpoint, another security research firm, estimated as many as five million devices spread across Brazil, Germany and the U.K., among other countries, carried the same weakness that disrupted Deutsche Telekom's routers.

Flashpoint research director Allison Nixon said the perpetrators assembling the new networks showed some skill. "Just the sheer amount of infrastructure that's involved is much more than we'd expect from a hobbyist," she said.

Write to Drew FitzGerald at andrew.fitzgerald@wsj.com

(END) Dow Jones Newswires

November 29, 2016 16:55 ET (21:55 GMT)

Copyright (c) 2016 Dow Jones & Company, Inc.
Level 3 Communications, Inc. (delisted) (NYSE:LVLT)
Historical Stock Chart
From Mar 2024 to Apr 2024 Click Here for more Level 3 Communications, Inc. (delisted) Charts.
Level 3 Communications, Inc. (delisted) (NYSE:LVLT)
Historical Stock Chart
From Apr 2023 to Apr 2024 Click Here for more Level 3 Communications, Inc. (delisted) Charts.