Satori botnet about to cause a whole lot of trouble worldwide

The Mirai botnet was (and is) incredibly powerful. As with any powerful cyberattack method, variations and expansions will always appear to capitalize on its strength. Mirai is no different: variants were reported within months of the worst attacks involving the botnet. Another botnet derived from Mirai, which has been on the radar for some time, has suddenly become much more active, to researchers’ alarm. Named Satori, which perhaps alludes to the Zen Buddhist concept of enlightenment, the botnet has been studied ever since it popped up a month ago. The primary research team monitoring Satori is from the Chinese security company Qihoo 360 Netlab. In a report published in early December, 360 Netlab researchers noted how a new version of Satori started to "awaken" across 280,000+ IP addresses over the course of 12 hours.

The new version of Satori seemingly activated without any warning, and once active, it began scanning ports 37215 and 52869 in various locations. What makes Satori so concerning to InfoSec professionals is that there are numerous functions that make it different from other botnet variants. Take for instance the scanning of ports. According to 360 Netlab, the bot performs this in a unique manner:

The bot itself now does NOT rely on loader|scanner mechanism to perform remote planting, instead, bot itself performs the scan activity. This worm-like behavior is quite significant.

The worm behavior is significant because, as Catalin Cimpanu noted in his report on Satori, the IoT botnet is “able to spread by itself without the need for separate components.” Much of the botnet’s growth is due to exploits targeting the previously mentioned ports (37215 and 52869). The first exploit is a zero-day in Huawei Home Gateway routers. As stated in the threat report by Check Point, this zero-day allows remote arbitrary code execution.

The second exploit that Satori leverages is a rather old one (CVE-2014-8361). This particular vulnerability from 2014 affects Realtek devices. It was patched a while back, so Satori scans on port 52869 are less successful, but there are no doubt unpatched devices still out there.
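Because Satori's bots scan for ports 37215 and 52869 themselves rather than relying on a separate scanner, an infected device shows up in perimeter logs as one source probing those two ports across many destinations. The script below is an added example (not 360 Netlab's or Check Point's tooling) that parses constructed firewall-style deny lines, assumed to be in a generic iptables-like "SRC=/DST=/DPT=" format, and flags sources that hit three or more distinct hosts on the Satori ports, while ignoring a host that repeatedly retries one destination.

```python
"""Flag sources that probe the Satori ports (37215, 52869) across many destinations.

Added example for this article; the log format and sample lines are constructed
assumptions, not output from any real device or from 360 Netlab.
"""
import re
from collections import defaultdict

# Ports the article reports Satori scanning (Huawei zero-day, CVE-2014-8361 on Realtek).
SATORI_PORTS = {37215, 52869}

# Constructed sample lines in an iptables-style "kernel: DROP" format (assumed format).
# 203.0.113.10 sweeps several hosts on both ports; 192.0.2.5 only retries one host.
SAMPLE_LOG = """\
Dec 05 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.1 PROTO=TCP DPT=37215
Dec 05 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.2 PROTO=TCP DPT=37215
Dec 05 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.3 PROTO=TCP DPT=52869
Dec 05 10:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.4 PROTO=TCP DPT=37215
Dec 05 10:00:04 fw kernel: DROP IN=eth0 SRC=198.51.100.77 DST=198.51.100.1 PROTO=TCP DPT=443
Dec 05 10:00:05 fw kernel: DROP IN=eth0 SRC=192.0.2.5 DST=198.51.100.1 PROTO=TCP DPT=37215
Dec 05 10:00:06 fw kernel: DROP IN=eth0 SRC=192.0.2.5 DST=198.51.100.1 PROTO=TCP DPT=37215
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
)


def parse_events(text):
    """Extract (src, dst, dport) tuples from log lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["src"], m["dst"], int(m["dpt"])))
    return events


def find_scanners(events, min_targets=3):
    """Return {src: {port: [dst, ...]}} for sources that touched at least
    min_targets distinct destination hosts on the Satori ports.

    Counting distinct destinations (not packets) is what separates a horizontal
    sweep from a single host retrying one connection.
    """
    hits = defaultdict(lambda: defaultdict(set))
    for src, dst, dpt in events:
        if dpt in SATORI_PORTS:
            hits[src][dpt].add(dst)

    flagged = {}
    for src, per_port in hits.items():
        targets = set().union(*per_port.values())
        if len(targets) >= min_targets:
            flagged[src] = {port: sorted(dsts) for port, dsts in per_port.items()}
    return flagged


if __name__ == "__main__":
    for src, per_port in find_scanners(parse_events(SAMPLE_LOG)).items():
        print(f"possible Satori scanner {src}:")
        for port, dsts in sorted(per_port.items()):
            print(f"  port {port}: {len(dsts)} distinct targets {dsts}")
```

The threshold of three distinct targets is deliberately low for the tiny sample; on a real perimeter feed you would raise it and apply it per time window, and a source that trips it from inside your own network is a candidate infected device worth isolating.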

What has security researchers worried is that there is no real understanding of how this botnet will be used. Is it gearing up for an attack in the near future, or will it unload at a later, unexpected date once the initial fervor dies down? The number of countries where Satori is scanning devices keeps growing at an alarming rate, and one has to wonder when the attacks will truly begin.

For now, cybersecurity researchers can only study Satori and prepare defenses against it.

Photo credit: Pixabay

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
