Satori Botnet Turns IoT Devices Into Zombies By Borrowing Code from Mirai

By on

Like a zombie rising from the dead, a new botnet is reemerging from the remains of Mirai malware. Specifically, modern-day threat actors are breathing life into a fast-evolving botnet called Satori by repurposing some of the source code from Mirai. And now, Satori is creating zombies of its own, as its been found hijacking internet-connected devices and turning them into an obedient botnet army that can be remotely controlled in unison.

Satori, as of now, is a work in progress. But that also means it’s evolving rapidly. Satori knows that agility equates to survival — we’ve seen it adapt to security measures and transcend its former self time and time again. Researchers have even taken down the main Satori C&C server, only to find the botnet remerge shortly after.

So it’s no surprise that it recently reemerged stronger than ever before. The current version has been found targeting software associated with ARC processors, which are used in a variety of IoT devices. Once it finds a weakness in an IoT device, Satori checks to see if default settings have been changed, and gains control of any machine that still has them. From there, it connects to the larger network and gains control of other devices that may be on it. So far, Satori has only managed to enslave a small number of devices. But once its army becomes large enough, it can be summoned to pump out masses of e-mail spam, incapacitate corporate websites, or even bring down large chunks of the internet itself.

Apparently, Satori doesn’t just take code from Mirai, it takes cues too – as these efforts are reminiscent of the infamous Mirai DDoS attack. But we can take cues from Mirai too in order to prepare for a potential Satori attack. First and foremost, every owner of an IoT device must change the default settings immediately – a necessary security precaution that many don’t take, which gave Mirai the firepower it needed in the first place. From there, users should disable telnet access from the outside and use SSH for remote administration if needed. However, this responsibility falls on the shoulders of manufacturers too, as they should enforce these settings by default. If both users and vendors follow these simple security steps, we can stunt Satori’s growth and stifle its Mirai-inspired ambitions entirely.

To learn more about the Satori botnet, and others like it, be sure to follow @McAfee and @McAfee_Labs on Twitter.

Categories: Business
Tags: , , ,

Leave a Comment

Similar articles

As ransomware threats become more sophisticated, the tactics cybercriminals use to coerce payments from users become more targeted as well. And now, a stealthy strain is using deceptive techniques to mask its malicious identity. Meet CryptoMix ransomware, a strain that disguises itself as a children’s charity in order to trick users into thinking they’re making ...
Read Blog
Think about it: In the course of your everyday activities — like grocery shopping or riding public transportation — the human body comes in contact with an infinite number of germs. In much the same way, as we go about our digital routines — like shopping, browsing, or watching videos — our devices can also pick ...
Read Blog
Microsoft recently patched a critical flaw in Internet Explorer’s scripting engine that could lead to remote code execution. The vulnerability is being exploited in the wild and was originally reported by a researcher from Google’s Threat Analysis Group. Microsoft released an out-of-band patch to fix the vulnerability before the normal patch cycle. McAfee products received ...
Read Blog