Mirai malware and its many variants which have targeted CPU architectures in the past, is now targeting the second most popular type of CPU core – ARC processors.
Meet Mirai Okiru, the Mirai variant targeting ARC processors, which are embedded processors used in IoT, auto, mobile, TVs, cameras and a nearly endless list of products – CPUs reportedly shipped in over a billion products per year. Brace yourself for the botnet targeting ARC-based IoT devices.
According to security researcher Odisseus:
From this day, the landscape of #Linux #IoT infection will change. #ARC cpu has produced #IoT dervices more than 1 billion per year. So these devices are what the hackers want to aim to infect #ELF #malware with their #DDoS cannons.
It's a serious threat will be.#MalwareMustDie!— Odisseus (@_odisseus) January 14, 2018
Odisseus noted that @unixfreaxjp, from the Malware Must Die team, first spotted the Okiru sample. At the time of writing, the detection rate was 13 of 58 on Virus Total; it was only 5 of 60 when Odisseus tweeted:
This is the FIRST TIME ever in the history of computer engineering that there is a malware for ARC CPU, & it is #MIRAI OKIRU!!
Pls be noted of this fact, & be ready for the bigger impact on infection Mirai (specially #Okiru) to devices hasn't been infected yet.#MalwareMustDie pic.twitter.com/y8CRwwkenA— Odisseus (@_odisseus) January 14, 2018
The detection rate for the Okiru downloader was only 1 of 59; it is a mere 4 of 59 at the time of writing.
The news was picked up by Pierluigi Paganini on Security Affairs; Italy’s CERT (Computer Emergency Response Team) noted that 20 minutes after Security Affairs published a piece about Mirai Okiru, the “domain was subject to a massive DDoS attack that inhibited access for about an hour.”
You may remember hearing about the Mirai malware variant Satori (pdf) back in December; it was sometimes also called Okiru. Satori was used to attack “hundreds of thousands” of Huawei routers. The exploit was released for “free” on Christmas by what NewSky Security dubbed a blackhat Santa.
Despite the similarities of the two type of Linux IoT DDoS malware, Mirai Okiru is “very different” from the Mirai Satori variant. The differences were pointed out on the subreddit LinuxMalware.
According to the translated version of CERT-PA’s post:
“The MMD researchers who have already proceeded to release the Yara rules to identify this new variant of Mirai, have compared Okiru with the previous Mirai botnet called Satori. According to the observations of the researchers, the Okiru configuration is encrypted in two parts and the attack via Telnet is much more incisive as it uses a list of over 100 credentials (114 are the credentials counted by MMD).”
Odisseus noted that it is important to understand the differences and have different signatures to detect both.
Very important to understand how #Mirai #Satori variant is DIFFERENT from #Okiru: quick notes with screenshots by @malwaremustdie.
And why it is needed different sigs to DETECT BOTH and how each has different effects in #IoT infection.https://t.co/Wdh52u1wBL#MalwareMustDie pic.twitter.com/AEtxqmsqiFadvertisement
— Odisseus (@_odisseus) January 14, 2018
We all know that the majority of IoT devices have particularly poor security – if there was security even bolted on at all. None of us will forget what 100,000 Mirai-infected devices were capable of doing, of taking down the DynDNS service. A piece written in 2014 claimed, “Synopsys’ ARC processor IP cores have been licensed by more than 190 companies and are used in more than 1.5 billion products a year.” Since that post is four years old, how many more products now have ARC cores? How many of those are “secure?”
If you think back on the havoc wreaked by 100,000 devices taken over by the Mirai botnet in 2016, what hell can be unleashed in 2018 if attackers gain control of millions of ARC-based IoT devices for the Mirai Okiru DDoS botnet?
IDG News Service
Subscribers 0
Fans 0
Followers 0
Followers