News,Extension | 12/13/2017

Satori botnet Emerges With Over 280,000 Active Bots


A large new IoT botnet called Satori has surfaced abruptly, and security researchers fear it could be used to launch a destructive attack at any time. According to the IBT, the botnet already spans more than 280,000 infected IP addresses, observed in just 12 hours.

What is the Satori botnet?

The name Satori comes from a Japanese word for "awakening". The malware itself is not new: it is a variant of the infamous Mirai IoT DDoS malware.

Li Fengpei, a security researcher with Qihoo 360 Netlab, discovered it. According to Li, the Satori variant appeared suddenly and began scanning TCP ports 37215 and 52869.

The Satori variant differs from previous Mirai versions

According to Li's report, the Mirai Satori variant differs from all previous Mirai variants. Earlier variants compromised an IoT device and then downloaded a separate Telnet scanner component, which searched for further victims and infected them with the Mirai bot.

Satori drops the scanner. Instead it carries two embedded exploits, which it fires at remote devices on ports 37215 and 52869.

This makes Satori a true IoT worm: it spreads by itself, without a separately downloaded component, and every compromised device immediately starts attacking others. That is what lets the botnet grow so quickly. Over 12 hours the Qihoo researchers observed scans from 263,250 distinct IP addresses on port 37215 and 19,403 distinct IP addresses on port 52869.


Growth driven by a mysterious Huawei exploit (zero-day?)

Satori's success is largely due to the exploit it delivers on port 37215, which accounts for the overwhelming majority of the scanning sources in Netlab's 12-hour telemetry. From Li's description, this appears to be a zero-day. Attacks on port 37215 have previously been associated with a 2015 path traversal vulnerability in Huawei routers, so it may be either a new Huawei exploit on the same port or an improved version of the 2015 attack.

Dale Drew, chief security strategist at broadband internet provider CenturyLink, told Ars Technica in an interview published this week that most of the devices enslaved by a botnet matching Satori's description are one of two Huawei models: the Huawei Home Gateway and the EchoLife Home Gateway. Drew believes the botnet abuses a zero-day in Huawei Home Gateway routers, a remote code execution bug reported by Check Point at the end of November, about which very few details are available.

The other exploit, on port 52869, targets a known and old vulnerability in Realtek devices (CVE-2014-8361), a command injection in the miniigd UPnP/SOAP service shipped in the Realtek SDK. Many devices have most likely been patched against it, which is why scans for this exploit are far less successful.
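The two port numbers are the only reliable fingerprint of Satori's spreading behaviour that the report gives, and the metric Netlab used (distinct source IPs per port over a time window) is easy to reproduce on your own perimeter. The following is an added example, not code from the article or from Netlab: it parses netfilter-style kernel log lines such as an iptables LOG rule on a home gateway produces, counts distinct sources sending TCP SYNs to 37215 and 52869, and lists sources that probe both ports, which is what a device running the worm does. The log lines are constructed for the example; the field layout (SRC, PROTO, DPT, SYN) is the standard netfilter LOG format.

```python
"""Count distinct sources probing the two ports targeted by Satori's embedded exploits.

Added example (not from the original article or Netlab). Reads netfilter-style
kernel log lines and reports, per port, how many distinct source IPs sent TCP
SYNs, mirroring the figure Netlab reported from its 12-hour telemetry.
"""
import re
from collections import defaultdict

# Ports used by Satori's two embedded exploits (from the Netlab report).
SATORI_PORTS = {
    37215: "Huawei Home Gateway exploit",
    52869: "Realtek SDK UPnP SOAP injection (CVE-2014-8361)",
}

# netfilter LOG fields always appear in the order SRC ... PROTO ... DPT.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}).*?PROTO=(?P<proto>[A-Z]+).*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log: one source hits both ports, two hit only 37215,
# one unrelated SSH probe, one UDP packet (ignored), one non-matching line.
SAMPLE_LOG = """\
Dec 13 10:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=52212 DPT=37215 WINDOW=14600 SYN URGP=0
Dec 13 10:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=52213 DPT=52869 WINDOW=14600 SYN URGP=0
Dec 13 10:01:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=41001 DPT=37215 WINDOW=5840 SYN URGP=0
Dec 13 10:01:09 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=60120 DPT=37215 WINDOW=5840 SYN URGP=0
Dec 13 10:01:10 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=60121 DPT=22 WINDOW=5840 SYN URGP=0
Dec 13 10:01:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=60 PROTO=UDP SPT=1900 DPT=52869 LEN=40
Dec 13 10:01:12 gw kernel: some unrelated message
""".splitlines()


def parse_line(line):
    """Return (src_ip, proto, dst_port, is_syn), or None if the line is not a LOG record."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("proto"), int(m.group("dpt")), " SYN " in line


def sources_per_port(lines):
    """Map each Satori port to the set of distinct sources that sent a TCP SYN to it."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, proto, dpt, is_syn = rec
        # Only connection attempts count; UDP and non-SYN noise are ignored.
        if proto == "TCP" and is_syn and dpt in SATORI_PORTS:
            hits[dpt].add(src)
    return hits


def summarize(lines):
    """Distinct-source count per port: the metric behind Netlab's 263,250 / 19,403 figures."""
    return {port: len(srcs) for port, srcs in sources_per_port(lines).items()}


def probes_both_ports(lines):
    """Sources seen on both ports: a compromised device tries both exploits in turn."""
    hits = sources_per_port(lines)
    return hits.get(37215, set()) & hits.get(52869, set())


if __name__ == "__main__":
    for port, count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"port {port} ({SATORI_PORTS[port]}): {count} distinct sources")
    print("probing both ports:", sorted(probes_both_ports(SAMPLE_LOG)))
```

On a real gateway, feed it the output of `grep 'DPT=37215\|DPT=52869' /var/log/kern.log` from a LOG rule on the WAN interface; a sudden jump in distinct sources on 37215 is the signature the article describes, and any internal address showing up as a source on both ports is a device that is already infected.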

Satori has connections to a previous Mirai botnet

Li also notes clues linking the botnet built from the Satori variant to another Mirai-based botnet that Netlab observed last month, which reached around 100,000 bots, most of them located in Argentina.

It is not confirmed that the same person runs both botnets, but Li says the current Satori variant and the earlier Mirai-based variant share file names, static features and parts of the C2 protocol.

Li believes the two botnets are related, with Satori having evolved from last month's Mirai variant.

Security researchers are still gathering information on this new threat, but public honeypot data confirms Netlab's report.

Here is some practical advice for internet users:

Create a strong password – Make sure you are not using default passwords on any of your IoT devices; set a strong, unique password on each. If you have trouble remembering them, use a good password manager to store them securely. Note that changing a router's password will not protect you if the attack exploits a vulnerability, which leads to the next point.

Update your device – Apply security patches to your IoT devices and router as soon as they become available.

Disable unnecessary services – Disable Universal Plug and Play (UPnP) on your router unless it is absolutely necessary; the Realtek exploit Satori carries abuses a UPnP service on port 52869. Make sure neither port 52869 nor port 37215 is reachable from the internet side of your router.

Buy from a secure and reputable vendor – Purchase IoT devices from companies with a track record of shipping secure devices and issuing patches.


General tips for keeping malware off your computer (note that Satori itself infects routers and IoT devices, not Windows PCs; the advice above is what matters for it):

1. Enable your popup blocker: Pop-ups and ads on websites are a common tactic used by cybercriminals to spread malicious programs. Avoid clicking on suspicious sites, software offers and pop-ups.

2. Keep Windows updated: Keep your system current through automatic Windows Update. Outdated versions of Windows are an easy target.

3. Third-party installation: Avoid freeware download sites, which often bundle extra software with the installer.

4. Regular backup: Regular backups keep your data safe if the system is infected. Back up important files to a cloud drive or an external hard drive.

5. Always have an antivirus: Prevention is better than cure. Install a reputable antivirus or malware removal tool and keep it updated.

6. Install an ad-blocker for Chrome, Firefox and Internet Explorer.
