Source Code of IoT Botnet Satori Publicly Released on Pastebin
The source code of the Satori internet-of-things (IoT) botnet was posted online on Pastebin, security researchers reported. In early December last year, Satori affected 280,000 IP addresses in just 12 hours, ensnaring numerous home routers to become part of its botnet.
Satori (also known as Mirai Okiru, and detected by Trend Micro as ELF_MIRAI.AUSR), which means “enlightenment” or “awakening” in Japanese (“okiru” means “to rise”), was pegged to be the successor of the infamous Mirai botnet, which similarly zombified routers and knocked high-profile sites offline. Like Satori, the original Mirai’s source code was also released publicly, and has since spawned iterations. Mirai-based attacks were recently spotted in Colombia, Ecuador, Panama, Egypt, Tunisia, and Argentina.
Satori exploits two vulnerabilities:
- CVE-2017–17215 — a vulnerability in Huawei Home Gateway routers (Huawei HG532), patched last November 2017. Attacks that use an exploit for this vulnerability targets port 37215.
- CVE-2014-8361 — a command injection vulnerability in Realtek SDK miniigd Universal Plug and Play (UPnP) SOAP interface (patched May 2015). Attacks that exploit this vulnerability target port 52869.
Initial feedback from Trend Micro’s telemetry revealed over 170,000 Satori-related detections in December 2017. The Satori-related attacks were prominent in Europe (Italy, France), North Africa and Middle East (Tunisia, Egypt), and South America (Colombia, Ecuador), as well as the U.S. and Japan.
Satori is a credible threat given the increasing popularity of IoT devices in homes and workplaces, and the adverse impact they can cause when compromised. Distributed denial-of-service (DDoS) attacks, Domain Name System (DNS)-changing malware, and cryptocurrency-mining malware are just some of the threats users and businesses can be exposed to. IoT devices can also suffer from significant performance slowdowns.
Here are some best practices for making routers and networks more resistant to attacks:
- Update and/or strengthen their credentials to deter hackers from hijacking them
- Keep the router or IoT device’s firmware and software updated to prevent attackers from exploiting security gaps
- Use encryption to thwart attackers from snooping in on their network traffic, especially if the device is used in the workplace
- Enable the built-in firewall
- Disable unnecessary or outdated components that can be abused by attackers and used as doorways into the device or systems that may be connected to it
- Deploy additional layers of security such as intrusion detection and prevention systems
Trend Micro Solutions
Trend Micro Smart Home Network (SHN) provides an embedded network security solution that protects all devices connected to a home network against cyberattacks. Based on Trend Micro’s rich threat research experience and industry-leading deep packet inspection (DPI) technology, SHN offers intelligent quality of service (iQoS), parental controls, network security and more.
Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect these kinds of attacks even without any engine or pattern update. These solutions are powered by XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
Trend Micro Deep Discovery Inspector protects customers from Satori-related threats through these DDI rules:
- 3215: Command Injection via UPnP SOAP Interface – HTTP (Request)
- 3772: GAFGYT - HTTP (Request)
- 2261: GAFGYT - HTTP (Request)
Trend Micro Smart Home Network protects customers from Satori-related threats through these detection rules:
- 1133480 EXPLOIT Remote Command Execution via Shell Script -2
- 1133148 MALWARE Suspicious IoT Worm TELNET Activity -1
- 1134286 WEB Realtek SDK Miniigd UPnP SOAP Command Execution (CVE-2014-8361)
- 1134287 WEB Huawei Home Gateway SOAP Command Execution
- 1133534 MALWARE Suspicious IoT Worm TELNET Activity -2
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: Trigona
- Steering Clear of Security Blind Spots: What SOCs Need to Know
- Understanding the Kubernetes Security Triad: Image Scanning, Admission Controllers, and Runtime Security
- Preempting Threats to Connected Cars: The Importance of Cybersecurity in a Data-Driven Automotive Ecosystem
- Your Stolen Data for Sale