New IoT malware picks up where Mirai left off

Satori, derived from Mirai, exploits zero-day home router vulnerability

Hackers used Mirai's widely available capabilities to launch a telnet password brute-force attack.
By  David Ndichu Published  January 23, 2018

Researchers at Palo Alto Networks’ Unit 42 have unmasked a new malware family, dubbed Satori, which exploits vulnerabilities in the Realtek SDK used by many home-router chipsets and in Huawei’s HG532e home gateway.

Huawei released a fix for the HG532e vulnerability in early December 2017.

Satori is a derivative of Mirai, the IoT malware that caused widespread disruption in late 2016 by hijacking vulnerable surveillance cameras and home routers. These were conscripted into a massive botnet that knocked several major websites offline through DDoS attacks.

Researchers describe Satori as a classic zero-day attack: it exploited a previously unknown vulnerability for which no patch was available at the time.

As a Mirai derivative, Satori reuses some of Mirai’s source code for its telnet scanner and its password brute-force login routine. Satori also fingerprints the type of IoT device it lands on and behaves differently on different device types. Unit 42 believes that Satori’s author has begun reverse engineering the firmware of many IoT devices to collect device-identifying information and to discover new vulnerabilities. If this is correct, future versions of Satori may attack other, as yet unknown, vulnerabilities in other devices, the researchers conclude.

Because Mirai’s source code was published on GitHub, attackers can easily reuse its network scanner and password brute-force login modules to launch telnet brute-force attacks or other attacks. The Satori family reuses several Mirai components, including the network scanner, the telnet login-attempt routine and the watchdog-disabling code that keeps an infected device from rebooting itself.
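The telnet scanning and password brute forcing described above leave a recognisable footprint on the network. The following detector is an added example written for this page; it is not code from Palo Alto Networks, nor from the Mirai or Satori source. It runs over a constructed set of connection and telnet-login records (the record format, the IP addresses and the thresholds are assumptions chosen for illustration) and flags two behaviours: one source sweeping TCP/23 and TCP/2323 on many hosts within a short window, and one source failing many logins against a single device, noting when a successful login follows the failures.

```python
"""Detect Mirai/Satori-style telnet scanning and credential brute forcing.

Added example for this article; the record format below is an assumption,
not the output of any real device or sensor.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Mirai's scanner probes TCP/23 and TCP/2323; Satori reuses that scanner.
TELNET_PORTS = {23, 2323}


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since epoch
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination TCP port
    result: str    # "syn" (connection attempt), "login_fail" or "login_ok"


def parse_line(line: str) -> Event:
    """Parse one record in the constructed format '<ts> <src> <dst> <dport> <result>'."""
    ts, src, dst, dport, result = line.split()
    return Event(float(ts), src, dst, int(dport), result)


def detect_scanners(events: Iterable[Event], window: float = 60.0,
                    min_targets: int = 16) -> Dict[str, int]:
    """Horizontal scan: one source touching telnet ports on >= min_targets distinct
    hosts within `window` seconds. Returns {src: most distinct targets in any window}."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.dport in TELNET_PORTS:
            by_src[e.src].append(e)
    flagged: Dict[str, int] = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        best = 0
        for i, start in enumerate(evs):
            # every event from this one forward that still falls inside the window
            targets = {e.dst for e in evs[i:] if e.ts - start.ts <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            flagged[src] = best
    return flagged


def detect_bruteforce(events: Iterable[Event],
                      max_fails: int = 5) -> Dict[Tuple[str, str], Tuple[int, bool]]:
    """Credential brute force: (src, dst) pairs with >= max_fails failed telnet logins.
    The bool records whether a successful login followed the failures (likely compromise)."""
    fails: Dict[Tuple[str, str], int] = defaultdict(int)
    success_after: Dict[Tuple[str, str], bool] = defaultdict(bool)
    for e in sorted(events, key=lambda e: e.ts):
        if e.dport not in TELNET_PORTS:
            continue
        key = (e.src, e.dst)
        if e.result == "login_fail":
            fails[key] += 1
        elif e.result == "login_ok" and fails[key] > 0:
            success_after[key] = True
    return {k: (n, success_after[k]) for k, n in fails.items() if n >= max_fails}


# Constructed sample records (not real traffic): 198.51.100.7 sweeps 20 hosts on
# TCP/23 within 10 s, 203.0.113.9 fails six logins on one gateway and then gets in,
# and 192.0.2.2 is a legitimate administrator logging in once.
SAMPLE_LINES = (
    [f"{1516665600 + i * 0.5} 198.51.100.7 192.0.2.{100 + i} 23 syn" for i in range(20)]
    + [f"{1516665700 + i} 203.0.113.9 192.0.2.10 23 login_fail" for i in range(6)]
    + ["1516665707 203.0.113.9 192.0.2.10 23 login_ok",
       "1516665800 192.0.2.2 192.0.2.10 23 login_ok"]
)
SAMPLE_EVENTS = [parse_line(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    print("scanners:", detect_scanners(SAMPLE_EVENTS))
    print("brute force:", detect_bruteforce(SAMPLE_EVENTS))
```

The scan threshold is deliberately a count of distinct destinations rather than raw connection attempts, because a single device legitimately reconnecting to one telnet server many times should not trip it; the brute-force check is keyed on the (source, destination) pair for the same reason. Tune `window`, `min_targets` and `max_fails` to the size of the monitored network before relying on the alerts.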

Palo Alto Networks has released the IPS signature (37896) for the zero-day vulnerability exploited by Satori.
