IoT Botnet Satori Grows Rapidly Thanks to Zero-Day Flaw

An internet of things (IoT) botnet that recently hijacked more than 100,000 DSL modems in Argentina has extended to other countries and doubled in size over the past week, possibly due to a zero-day vulnerability.

The botnet has been dubbed “Satori” by security researchers from Qihoo 360 Netlab, who have been monitoring it for a few months. The malware is partially based on Mirai, an IoT botnet responsible for some of the largest DDoS attacks in the internet’s history and whose source code was leaked online a year ago.

This week, the Qihoo researchers observed an unusual spike of scans on ports 37215 and 52869 and tracked the activity to a new variant of Satori that appears to use two exploits for router services running on those ports.

The port 52869 attacks use an exploit targeting a remote command execution vulnerability in the Miniigd UPnP SOAP service from a Realtek SDK. That vulnerability was disclosed in 2014 and affects networking devices from multiple vendors that use Realtek RTL81xx chipsets.

However, the second exploit, on port 37215, is not fully disclosed yet, the Qihoo researchers said in a blog post. “Our team has been tracking this in the last few days and got quite some insight, but we will not discuss it here right now.”

Attacks on port 37215 have previously been associated with a 2015 path traversal vulnerability in Huawei routers, so it might either be a new Huawei exploit on the same port or an improved version of the 2015 attack. Dale Drew, the chief security strategist at internet provider CenturyLink, told ArsTechnica this week that the majority of the devices enslaved by a new botnet that matches Satori’s description are one of two Huawei models: the Huawei Home Gateway and EchoLife Home Gateway.

Satori behaves like a worm, where compromised devices infect each other. This helped the botnet grow very rapidly—the Qihoo researchers observed scans from 263,250 different IP addresses on port 37215 and 19,403 IPs on port 52869 over the course of 12 hours.

While this Satori variant appears to be different than the one observed last week in Argentina, there is evidence that connects the two attacks, which means they likely are part of a larger operation. After infecting 100,000 DSL modems in Argentina with leaked SSH credentials, the previous variant also spread to Egypt, Tunisia, Columbia and other countries, the Qihoo researchers said.

After Mirai died off, its leaked code was used to create tens of smaller botnets that competed with each other for devices and never really managed to reach the size of their predecessor. That’s because most routers and home networking devices use volatile flash storage that reverts to its original state when the device is rebooted. This means malware installed on them is not persistent and devices need to be reinfected all the time.

But Mirai had one limiting factor: It mainly spread via default or weak SSH credentials and there are a limited number of devices out there that are configured for remote SSH access. When IoT worms such as Satori start using exploits that impact entire families of routers, they become a more serious threat because they can grow large enough to take down major internet services.

Andromeda Suspect Was Longstanding Member of Hacking Community

Analysts from threat intelligence firm Recorded Future believe the person arrested in Belarus recently in connection with the Andromeda botnet is a longstanding member of the hacking and cybercriminal community who went by the nickname of Ar3s, or Арес in Russian.

Europol announced this week that an international law enforcement effort led to the neutralization of Andromeda, a large botnet that has been used as a distribution platform for more than 80 malware families over the years. As part of the operation, a suspect was arrested in Belarus, the agency said.

Belarusian authorities confirmed in their own press release that a man was arrested in the country’s Gomel region in relation to Andromeda, but did not name him.

Recorded Future believes “with a high degree of confidence” that the arrested person was Ar3s, the creator of Andromeda and an expert in malware development and reverse engineering who has been operating from the Russian-speaking underground since at least 2004. Ar3s often served as “a highly reputable guarantor of deals” between different parties, Recorded Future’s analysts said.

Aside from Andromeda, Ar3s, who also frequented white-hat and technology forums, is known for creating the Win32/Gamarue HTTP bot, the Windows SMTP Bruter and the Swf-Inj Service, which hijacks web traffic by embedding iFrame malware into SWF (small web format) files.

Recorded Future has been tracking Ar3s for a while and, based on information he left online including an ICQ number, they already determined that his real name was Sergey Jarets or Jaretz, he was 33 years old and he lived in Rechitsa, in the Gomel region of Belarus.

According to open source intelligence, Jaretz worked as the technical director for local television and radio company OJSC Televid and was responsible for the procurement and maintenance of the company’s computer network, among other things, the Recorded Future researchers said in their analysis.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor’s degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key’s fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 58 posts and counting.See all posts by lucian-constantin