Published on December 7th, 2017
New Satori botnet: 280,000 different IPs were infected in 12 hours
On the 5th of this month, Qihoo 360 Network Security Institute (Netlab) warned that a new Satori botnet is rapidly being formed and has been activated on more than 280,000 unique IPs in less than 12 hours.
Researchers suspect that Satori is a new variant of Mirai, because Satori shares its file names and static characteristics with the earlier Mirai, as well as some of its C2 protocols. However, there are two notable differences between Satori and the earlier Mirai:
- Different ways of spreading – Prior to infecting IoT devices, Mirai downloaded a Telnet scanner component, scanned for vulnerable devices and infected them with the Mirai Trojan. Satori does not use the scanner component; instead, it carries two embedded exploits and attempts to infect remote devices through ports 37215 and 52869. This makes Satori an IoT worm that spreads itself without the need for additional components.
- Different target devices – The earlier Mirai looked for vulnerable devices by scanning ports 2323 and 23; Satori instead connects to ports 37215 and 52869 and tries one of two known vulnerabilities against equipment that has not been patched for them.
According to data monitored by Netlab, there were 263,250 unique IPs scanning port 37215 in 12 hours and 19,403 unique IPs scanning port 52869. As the data shows, devices listening on port 37215 are the main targets of the attack.
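To make the comparison above concrete, here is an added example (not Netlab's code or tooling from the article) that counts distinct source IPs per destination port over a 12-hour window of constructed firewall log lines, the same metric Netlab reported, and labels ports 37215/52869 and 23/2323 by the family whose scanning pattern they match; the log format, sample addresses and alert threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports from the article: Satori's exploit targets and Mirai's Telnet targets.
SATORI_PORTS = {37215, 52869}
MIRAI_TELNET_PORTS = {23, 2323}
# Constructed sample firewall deny lines (iptables-like format assumed here).
SAMPLE_LOG = """\
2017-12-05T10:00:01 DENY SRC=198.51.100.10 DST=203.0.113.5 PROTO=TCP DPT=37215
2017-12-05T10:00:03 DENY SRC=198.51.100.11 DST=203.0.113.5 PROTO=TCP DPT=37215
2017-12-05T10:00:04 DENY SRC=198.51.100.10 DST=203.0.113.5 PROTO=TCP DPT=37215
2017-12-05T10:00:09 DENY SRC=198.51.100.12 DST=203.0.113.5 PROTO=TCP DPT=52869
2017-12-05T10:00:15 DENY SRC=198.51.100.13 DST=203.0.113.5 PROTO=TCP DPT=23
2017-12-05T10:00:20 DENY SRC=198.51.100.14 DST=203.0.113.5 PROTO=TCP DPT=443
2017-12-05T23:00:00 DENY SRC=198.51.100.15 DST=203.0.113.5 PROTO=TCP DPT=37215
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY SRC=(?P<src>[\d.]+) DST=\S+ PROTO=TCP DPT=(?P<dpt>\d+)$"
)

def unique_sources_per_port(log_text, window_start_iso, window_hours=12):
    """Count distinct source IPs per destination port inside a time window,
    the metric Netlab reported (unique IPs per port within 12 hours)."""
    window_start = datetime.fromisoformat(window_start_iso)
    window_end = window_start + timedelta(hours=window_hours)
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts = datetime.fromisoformat(m.group("ts"))
        if not (window_start <= ts < window_end):
            continue  # outside the window; repeats from one IP count once
        seen[int(m.group("dpt"))].add(m.group("src"))
    return {port: len(srcs) for port, srcs in seen.items()}

def classify_scanning(counts, threshold):
    """Label ports whose distinct-source count reaches the threshold: 37215/52869
    matches Satori's exploit-driven spread, 23/2323 classic Mirai Telnet scanning."""
    verdicts = {}
    for port, n in counts.items():
        if n < threshold:
            continue
        if port in SATORI_PORTS:
            verdicts[port] = "satori-style exploit scan"
        elif port in MIRAI_TELNET_PORTS:
            verdicts[port] = "mirai-style telnet scan"
    return verdicts
```

On real telemetry the threshold should be set from the sensor's normal background scan rate, since a handful of hits on these ports is routine Internet noise.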
Researchers at Netlab believe devices listening on port 37215 may have a zero-day vulnerability that has not yet been fully disclosed. Dale Drew, chief security strategist for the US telecommunications operator CenturyLink, agreed with the Netlab researchers in an interview with Ars Technica, a leading technology publication in the United States, saying the vulnerability is a remote code execution flaw in the Huawei HG532 router. It was discovered by the cyber-security company Check Point on November 27, but few details have been revealed.
Another security researcher used Shodan to search for devices that may have this vulnerability; the search results show more than 22.5 such vulnerable devices across the Internet.
As for the other vulnerability, on port 52869, this is a known vulnerability in Realtek devices (CVE-2014-8361). Because it was disclosed long ago, many devices have been patched. This is why the number of scans on this port is significantly lower than on port 37215.