In early December 2017, 360 Netlab discovered a new malware family which they named Satori. Satori is a derivative of Mirai and exploits two vulnerabilities: CVE-2014-8361, a code execution vulnerability in the miniigd SOAP service in the Realtek SDK, and CVE-2017-17215, a newly discovered vulnerability in Huawei's HG532e home gateway, patched in early December 2017. Palo Alto Networks Unit 42 investigated Satori, and from our intelligence data we have found that there are three Satori variants. The first of these variants appeared in April 2017, eight months before these most recent attacks. We also found evidence indicating that the version of Satori exploiting CVE-2017-17215 was active in late November 2017, before Huawei patched the vulnerability. This means that this version of Satori was a classic zero-day attack: an attack against a previously unknown vulnerability for which no patch was then available.

Early IoT malware families like Gafgyt and the original Mirai family leveraged default or weak passwords to attack devices. In response, users and manufacturers began changing default passwords and hardening passwords to thwart these attacks. In response to that, some IoT malware authors, like those behind families such as Amnesia and IoT_Reaper, changed tactics to exploit known vulnerabilities in specific IoT devices. Naturally, IoT vendors responded by patching vulnerabilities. The move to a classic zero-day attack against unknown, unpatched vulnerabilities is a logical next step on the part of attackers. Our analysis of how Satori evolved proves our theory that more IoT malware will evolve to exploit either a known vulnerability or even a zero-day vulnerability.

In this blog, we outline how Satori has evolved to become an IoT malware family targeting zero-day vulnerabilities. We show how Satori, as a derivative of Mirai, reuses some of Mirai's source code to implement its telnet scanning and password brute-forcing functionality. Satori also identifies the type of IoT device and shows different behaviors for different device types. We believe that Satori's author has started to reverse engineer the firmware of many IoT devices to collect typical device information and discover new vulnerabilities. If this is correct, we may see future versions of Satori attacking other unknown vulnerabilities in other devices.

Since April 2017, we have captured attacks launched by Satori malware. By analyzing our captured attack logs and sample analysis results, we identify that the Satori family has three main variants, shown in Figure 1.

Figure 1 Evolution timeline of Satori family

Our analysis shows that these three variants execute different commands, listed in Table 1. The 1st variant only scans the Internet and checks which IP addresses are vulnerable to telnet login by attempting different passwords. Once it successfully logs in, it first enables shell access, and then only executes the commands "/bin/busybox satori" or "/bin/busybox SATORI". The 2nd variant added a packer, likely to evade static detection. Meanwhile, the attacker added the "aquario" password to the password dictionary (in Figure 2), and it always uses "aquario" to log in at its first attempt. "aquario" is the default password for a popular wireless router in South American countries. It indicates that the attacker intentionally started to harvest bots in South America. The 3rd variant uses exploits for two remote code execution vulnerabilities, including one zero-day vulnerability (CVE-2017-17215). Some of the 2nd variant samples share the same embedded commands (in Figure 3) with the 3rd variant.

Table 1 Commands executed by the Satori variants (only the command strings survived extraction; the row layout did not)
/bin/busybox satori (or /bin/busybox SATORI)
/bin/busybox SATORI (or /bin/busybox OKIRU)
/bin/busybox wget /bin/busybox tftp /bin/busybox echo
/bin/busybox wget /bin/busybox tftp /bin/busybox echo NBVZA > DIR/.file & cd DIR & /bin/busybox rm -rf.
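A defender-side triage of telnet honeypot logs using the variant indicators described above: the "aquario"-first login, the busybox satori/SATORI/OKIRU marker commands, and the wget/tftp/echo staging with the NBVZA string. This is an added example, not code from the original post or from Unit 42; the log format, the label names and the sample sessions are constructed for it.

```python
import re
from collections import defaultdict
# Indicators from the text above: variant 1 runs "/bin/busybox satori" or "/bin/busybox SATORI";
# variant 2 tries "aquario" first and runs "/bin/busybox SATORI" or "/bin/busybox OKIRU";
# variant 3 (and some variant-2 samples) stages a payload with busybox wget/tftp/echo and "NBVZA".
VARIANT1_CMDS = {"/bin/busybox satori", "/bin/busybox SATORI"}
VARIANT2_CMDS = {"/bin/busybox SATORI", "/bin/busybox OKIRU"}
STAGING_RE = re.compile(r"/bin/busybox (?:wget|tftp|echo)\b|\bNBVZA\b")

# Hypothetical honeypot log format, constructed for this example:
#   <src_ip> LOGIN_ATTEMPT pass=<password> result=ok|fail      <src_ip> CMD <command line>
LOGIN_RE = re.compile(r"^(\S+) LOGIN_ATTEMPT pass=(\S+) result=(?:ok|fail)$")
CMD_RE = re.compile(r"^(\S+) CMD (.+)$")

def parse_sessions(log_text):
    """Group lines per source IP into the passwords tried (in order) and the commands run."""
    sessions = defaultdict(lambda: {"passwords": [], "commands": []})
    for line in log_text.splitlines():
        if m := LOGIN_RE.match(line):
            sessions[m.group(1)]["passwords"].append(m.group(2))
        elif m := CMD_RE.match(line):
            sessions[m.group(1)]["commands"].append(m.group(2).strip())
    return dict(sessions)

def classify(passwords, commands):
    """Label one session by the indicators it matches; payload staging outranks a bare marker command."""
    aquario_first = bool(passwords) and passwords[0] == "aquario"
    if any(STAGING_RE.search(c) for c in commands):
        return "satori-variant3-like"
    if aquario_first and any(c in VARIANT2_CMDS for c in commands):
        return "satori-variant2-like"
    if any(c in VARIANT1_CMDS for c in commands):
        return "satori-variant1-like"
    return "aquario-first-login" if aquario_first else "unclassified"

def triage(log_text):
    """Return {src_ip: label} for every session in the log."""
    return {ip: classify(s["passwords"], s["commands"]) for ip, s in parse_sessions(log_text).items()}

# Constructed sample sessions (documentation IP ranges), one per variant plus a failed-login-only one.
SAMPLE_LOG = """\
203.0.113.7 LOGIN_ATTEMPT pass=aquario result=ok
203.0.113.7 CMD /bin/busybox SATORI
198.51.100.9 LOGIN_ATTEMPT pass=admin result=fail
198.51.100.9 LOGIN_ATTEMPT pass=aquario result=ok
198.51.100.9 CMD /bin/busybox wget /bin/busybox tftp /bin/busybox echo NBVZA
192.0.2.33 LOGIN_ATTEMPT pass=root result=ok
192.0.2.33 CMD /bin/busybox satori
192.0.2.44 LOGIN_ATTEMPT pass=12345 result=fail
"""
```

Run `triage(SAMPLE_LOG)` to get one label per source IP; an "aquario-first-login" label with no marker command is a weaker signal that still merits a look, since the text says the 2nd variant always tries that password first.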