Satori botnet about to cause a whole lot of trouble worldwide

The Mirai botnet was (and is) incredibly powerful. As is the case with any powerful cyberattack method, there will always be variations and expansions to capitalize on its strength. Mirai is no different, as variants have been reported within months of the worst attacks involving the botnet. Another botnet derived from Mirai, which has been on the radar for some time, has suddenly become much more active, much to researchers’ alarm. Named Satori, which perhaps alludes to the Zen Buddhist concept of enlightenment, the botnet has been studied ever since it popped up a month ago. The primary research team monitoring Satori is from the Chinese security company Qihoo 360 Netlab. In a report published in early December, 360 Netlab researchers noted how a new version of Satori started to "awaken" across 280,000+ IP addresses over the course of 12 hours.

The new version of Satori seemingly activated without any warning, and once active, it began scanning ports 37215 and 52869 in various locations. What makes Satori so concerning to InfoSec professionals is that numerous functions set it apart from other botnet variants. Take, for instance, the scanning of ports. According to 360 Netlab, the bot performs this in a unique manner:

The bot itself now does NOT rely on loader|scanner mechanism to perform remote planting, instead, bot itself performs the scan activity. This worm-like behavior is quite significant.

The worm behavior is significant because, as Catalin Cimpanu noted in his report on Satori, the IoT botnet is “able to spread by itself without the need for separate components.” Much of the botnet’s growth is due to exploits targeting the previously mentioned ports (37215 and 52869). The first exploit is a zero-day that exists in Huawei Home Gateway routers. As stated in the threat report by Check Point, this zero-day allows for remote arbitrary code execution.

The second exploit that Satori leverages is a rather old one (CVE-2014-8361). This particular exploit from 2014 affects Realtek devices. It was patched a while back, so Satori scans on port 52869 are less successful, but, of course, there are no doubt unpatched devices still out there.

What has security researchers worried is that there is no real understanding of how this botnet will be used. Is it gearing up for an attack in the near future, or will it perhaps unload at a later, unexpected date when the initial fervor dies down? The number of countries where Satori is scanning devices keeps growing at an alarming rate, and one has to wonder when the attacks will truly begin.

For now, cybersecurity researchers can only study Satori and prepare defenses against it.
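One way to turn the two scanned ports into a triage check on firewall or flow logs, as an added example that is not from the original article or from 360 Netlab: it flags outside sources probing ports 37215 and 52869, local devices that accepted those connections, and local devices fanning out to many outside hosts on those ports (the worm-like self-scanning described above). The log format, the 192.168.1.0/24 local network, the fan-out threshold and every sample record are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

SATORI_PORTS = {37215, 52869}  # ports the article reports Satori scanning

# Constructed sample records (assumed format): timestamp src dst dst_port action
SAMPLE_FLOWS = """\
2017-12-05T11:57:01Z 203.0.113.7 192.168.1.1 37215 deny
2017-12-05T11:57:09Z 198.51.100.23 192.168.1.1 52869 allow
2017-12-05T12:01:30Z 192.168.1.50 192.0.2.10 37215 allow
2017-12-05T12:01:31Z 192.168.1.50 192.0.2.11 37215 allow
2017-12-05T12:01:32Z 192.168.1.50 192.0.2.12 52869 allow
2017-12-05T12:02:00Z 192.168.1.20 192.0.2.80 443 allow
2017-12-05T12:02:05Z 192.168.1.30 192.0.2.10 37215 allow
truncated-line 192.168.1.50
"""

def parse_flow(line):
    """Return (src, dst, dst_port, action) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]),
                int(parts[3]), parts[4].lower())
    except ValueError:
        return None

def triage(text, local_net="192.168.1.0/24", fanout=3):
    """Summarise traffic on the Satori ports as seen from one local network."""
    net = ipaddress.ip_network(local_net)
    probers, exposed = set(), set()
    outbound = defaultdict(set)  # local source -> distinct external targets
    for rec in map(parse_flow, text.splitlines()):
        if rec is None or rec[2] not in SATORI_PORTS:
            continue
        src, dst, port, action = rec
        if src not in net and dst in net:      # probe arriving from outside
            probers.add(str(src))
            if action == "allow":              # port reachable: patch or filter
                exposed.add((str(dst), port))
        elif src in net and dst not in net:    # local device reaching outward
            outbound[str(src)].add(dst)
    # Many distinct outside targets on these ports suggests an infected device
    # doing its own scanning, the worm-like behaviour described in the article.
    infected = {h for h, targets in outbound.items() if len(targets) >= fanout}
    return {"probers": sorted(probers), "exposed": sorted(exposed),
            "suspected_infected": sorted(infected)}

if __name__ == "__main__":
    print(triage(SAMPLE_FLOWS))
```

Entries under `exposed` are the devices to patch or filter first; entries under `suspected_infected` are candidates for isolation and reflashing.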


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
