Satori Botnet Has Sudden Awakening With Over 280,000 Active Bots

[Solarquest]

Security researchers are raising the alarm in regards to a new botnet named Satori that has been seen active on over 280,000 different IPs in the past 12 hours.

Satori —Japanese word for "awakening"— is not new, but a variant of the more infamous Mirai IoT DDoS malware.

Li Fengpei, a security researcher with Qihoo 360 Netlab, says the Satori variant came to life out of the blue today and started scans on ports 37215 and 52869.

Satori variant differs from previous Mirai versions
According to a report Li shared with Bleeping Computer today, the Mirai Satori variant is quite different from all previous pure Mirai variants.

Previous Mirai versions infected IoT devices and then downloaded a Telnet scanner component that attempted to find other victims and infect them with the Mirai bot.

The Satori variant does not use a scanner but uses two embedded exploits that will try to connect to remote devices on ports 37215 and 52869.

Effectively, this makes Satori an IoT worm, being able to spread by itself without the need for separate components.

Growth fueled by mysterious Huawei exploit (zero-day?)
....

 

[upnorth]

Quote : " The unknown operator " has a pretty significant scanning army right now where he's adding more and more vectors to his IoT pool." Up until now, Mirai has preyed on routers that are configured to be administered over the Internet using default passwords. In October, researchers documented a new IoT botnet dubbed Reaper. It was novel because it infected devices by exploiting remote code-execution vulnerabilities. The new Mirai strain takes the same approach.

In the almost two weeks since the new botnet came to light, the operator has done little more than use the infected devices to scan the Internet for more vulnerable devices and then infect them. Drew warned that the operator could use the compromised devices at any time to wage crippling DDoS attacks, possibly as a fee-based service aimed at people who want to settle personal scores or extort money from online services. The botnet is the same one researchers from China-based Netlab 360 documented last week.

Security professionals were able to seize the two domain names used to control the botnet, but Drew said the operator has since managed to regain control of the infected devices using new command and control channels. While Level 3, the backbone provider that was recently purchased by CenturyLink, is using its network to block control server communications with infected devices, there are plenty of networks that still allow the botnet to operate freely. Drew said for the time being, security professionals have few options other than to closely monitor the botnet and block any new control channels it may use.

" The scary story is we have botnet operators desperately trying to get access to nodes numbered in the hundreds of thousands if not millions, " "

Source : 100,000-strong botnet built on router 0-day could strike at any time