Satori botnet: Mirai successor awakens with zero-day powers and over 280,000 bots in 12 hours
Security experts say that Satori botnet can propagate rapidly, essentially making it an IoT worm.
A massive new IoT (Internet of Things) botnet dubbed Satori has emerged, which security researchers fear could launch crippling attacks at any time. The botnet has reportedly already infected over 280,000 IP addresses in just 12 hours, enslaving hundreds of thousands of home routers by exploiting a recently discovered zero-day vulnerability.
Satori, which reportedly means "awakening" in Japanese, is actually the infamous Mirai botnet's successor. Since Mirai's authors made the botnet's source code public last year, cybercriminals have been pushing out new variants of Mirai.
According to a new report by security researchers at Qihoo 360 Netlab, the Satori botnet can propagate rapidly by itself, which essentially makes it an IoT worm. Bleeping Computer reported that instead of using a scanner to search for vulnerable routers, the botnet uses two exploits that attempt to connect with devices on ports 37215 and 52869.
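As an added example (not taken from the Netlab report or the article), the sketch below shows a defender-side check for the worm-like behaviour described above: it reads firewall logs and flags any source that contacts ports 37215 or 52869 on several distinct hosts. The iptables-style log format, the 10.0.0.0/8 internal range, the threshold and every sample line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Ports the article names as the ones Satori's two exploits connect to.
SATORI_PORTS = {37215, 52869}
# Assumption: the monitored LAN is 10.0.0.0/8; adjust to the local address plan.
INTERNAL_NET = ip_network("10.0.0.0/8")

# Constructed sample lines in iptables LOG key=value style (not real traffic).
SAMPLE_LOG = """\
Dec  5 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.1 PROTO=TCP SPT=40111 DPT=37215
Dec  5 10:00:02 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=37215
Dec  5 10:00:02 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.11 PROTO=TCP SPT=51001 DPT=52869
Dec  5 10:00:03 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.12 PROTO=TCP SPT=51002 DPT=37215
Dec  5 10:00:03 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.13 PROTO=TCP SPT=51003 DPT=52869
Dec  5 10:00:04 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.40 DST=192.0.2.80 PROTO=TCP SPT=52000 DPT=443
Dec  5 10:00:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.1 PROTO=TCP SPT=33000 DPT=52869
Dec  5 10:00:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.2 PROTO=TCP SPT=33001 DPT=52869
Dec  5 10:00:06 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.3 PROTO=TCP SPT=33002 DPT=52869
"""
FIELD_RE = re.compile(r"\b(SRC|DST|DPT)=(\S+)")

def parse_line(line):
    """Return (src, dst, dport) if the line targets a Satori port, else None."""
    f = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "DPT"} <= f.keys() or not f["DPT"].isdigit():
        return None
    dport = int(f["DPT"])
    return (f["SRC"], f["DST"], dport) if dport in SATORI_PORTS else None

def find_propagators(log_text, min_targets=3):
    """Flag sources that hit the Satori ports on >= min_targets distinct hosts."""
    targets, ports = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit:
            targets[hit[0]].add(hit[1])
            ports[hit[0]].add(hit[2])
    findings = []
    for src, dsts in targets.items():
        if len(dsts) >= min_targets:
            origin = "internal" if ip_address(src) in INTERNAL_NET else "external"
            findings.append({"src": src, "origin": origin,
                             "targets": len(dsts), "ports": sorted(ports[src])})
    return sorted(findings, key=lambda f: (-f["targets"], f["src"]))

if __name__ == "__main__":
    print(*find_propagators(SAMPLE_LOG), sep="\n")
```

An `internal` finding points at a device on the local network that may already be infected and spreading, while an `external` finding is inbound probing that can be blocked at the perimeter.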
Dale Drew, chief security strategist at CenturyLink, told ArsTechnica that the Satori botnet has already infected two widely-used types of home routers by exploiting the recently-discovered zero-day flaw. By reportedly abusing the zero-day vulnerability in Huawei Home Gateway routers, Satori was able to infect even routers secured with strong passwords.
"It's a pretty sophisticated approach," Drew told ArsTechnica. The unknown hacker operating the Satori botnet "has a pretty significant scanning army right now where he's adding more and more vectors to his IoT pool."
Qihoo 360 Netlab security researcher Li Fengpei told Bleeping Computer that there are some clues hinting that Satori may be linked to yet another Mirai-based botnet discovered last month. This botnet reached around 100,000 bots, most of which were located in Argentina.
Although it is still unclear if the same hacker operates both botnets, Li reportedly said that both Satori and the other Mirai-based botnet share file names, some C2 protocols and other features.
Meanwhile, Drew reportedly warned that the Satori botnet's operators could launch an Internet-crippling DDoS attack at any time. At the moment, security researchers appear to still be gathering information about the botnet by tracking its activities, in an effort to block any new control channels it may leverage.
"The scary story is we have botnet operators desperately trying to get access to nodes numbered in the hundreds of thousands if not millions," Drew told ArsTechnica. "We've always said it takes a village to protect the Internet. When we find a bad guy we're getting that information sinkholed and blocked much more quickly."