Satori Botnet Wakes Up And Enlists 263,000 Bots

A new version of the Satori botnet has suddenly become active and is spreading outwards from South America.

This is the warning from Li Fengpei, a security researcher with Beijing-based Qihoo 360, who said that whilst his team had been tracking Satori for months, a new version had been seen active on more than 263,250 distinct IP addresses in the past 12 hours.

Satori is a new variant of the infamous Mirai botnet, which had infected around 2.5 million devices by the end of 2016, when it was used along with other botnets to attack DNS provider Dyn, generating enough junk traffic to overload the firm’s servers and knock offline websites including Spotify, Reddit and The New York Times.

New Botnet

But now security professionals are being warned that Satori has suddenly become active and is spreading in worm-like fashion on TCP ports 37215 and 52869.

“In our last blog, we mentioned there were almost 100k unique scanner IPs from Argentina scanning port 2323 and port 23, and we concluded it was a new Mirai variant,” said Fengpei. “For the last few days, the scanning behaviour has gotten more intense, and more countries started to show up on our ScanMon platform as scan source.”

“About 12 hours ago (2017-12-05 11:57 AM GMT+8), we noticed a new version of Satori, starting to propagate very quickly on port 37215 and 52869.”

This new variant has two significant differences from known Mirai variants. The first is that the bot no longer relies on a separate loader/scanner infrastructure to plant itself on new devices: the bot itself performs the scanning, so every infected device becomes a scanner and the infection spreads like a worm.

The second difference is that there are now two new exploits, one targeting port 37215 (not yet disclosed) and one targeting port 52869, which is derived from CVE-2014-8361, a command-injection flaw in the miniigd UPnP service of the Realtek SDK found in many consumer routers.

“Due to the worm-like behaviour, we all should be on the lookout for the port 37215 and 52869 scan traffic,” wrote Fengpei. “This malware is the newest version of Satori. We have been tracking Satori for months, and have strong evidence this new wave of attack can be linked to previous attack on port 23 and 2323 scanning traffic upticks.”

“Actually, in the next few days, more countries such as Egypt, Tunisia, Colombia have been picked up by our monitoring system, as we mentioned in the beginning of this blog post, our investigation reveals the port scan is only part of the whole picture,” he added.
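Because every infected device scans on its own, the defensive signal is a spread of SYN-only probes from one source to many hosts on 37215 and 52869. The script below, an added illustration rather than code from Qihoo 360 Netlab or from this article, runs that check over a constructed flow log: it flags sources that probed at least a threshold number of distinct (host, port) targets, and counts distinct probing sources per port, the same kind of figure Netlab's ScanMon reports. The record format, the sample records and the threshold of five targets are assumptions for the example.

```python
"""Flag worm-style scanning of TCP 37215 and 52869 in a simple flow log.

Added example, not code from Qihoo 360 Netlab or from the article.
Assumed (not from the page): records are space-separated
"timestamp src_ip dst_ip proto dst_port tcp_flags"; the threshold of
five distinct targets per source is an arbitrary tuning value.
"""
from collections import defaultdict

SATORI_SCAN_PORTS = {37215, 52869}
MIN_DISTINCT_TARGETS = 5  # assumption: tune to your own baseline

# Constructed sample records (not real telemetry).
SAMPLE_FLOWS = """\
# 203.0.113.7 sweeps six hosts on 37215: worm-style scanning
2017-12-05T04:00:01Z 203.0.113.7 192.0.2.10 TCP 37215 S
2017-12-05T04:00:01Z 203.0.113.7 192.0.2.11 TCP 37215 S
2017-12-05T04:00:01Z 203.0.113.7 192.0.2.12 TCP 37215 S
2017-12-05T04:00:02Z 203.0.113.7 192.0.2.13 TCP 37215 S
2017-12-05T04:00:02Z 203.0.113.7 192.0.2.14 TCP 37215 S
2017-12-05T04:00:02Z 203.0.113.7 192.0.2.15 TCP 37215 S
# 198.51.100.4 probes both ports across five hosts
2017-12-05T04:00:03Z 198.51.100.4 192.0.2.20 TCP 52869 S
2017-12-05T04:00:03Z 198.51.100.4 192.0.2.21 TCP 52869 S
2017-12-05T04:00:03Z 198.51.100.4 192.0.2.22 TCP 52869 S
2017-12-05T04:00:04Z 198.51.100.4 192.0.2.23 TCP 37215 S
2017-12-05T04:00:04Z 198.51.100.4 192.0.2.24 TCP 37215 S
# a single hit on 37215 (e.g. a misconfigured client): below threshold
2017-12-05T04:00:05Z 192.0.2.50 192.0.2.10 TCP 37215 S
# an ACK inside an established session on 37215: not a new probe
2017-12-05T04:00:05Z 192.0.2.60 192.0.2.10 TCP 37215 A
# ordinary HTTPS traffic on an unrelated port: ignored
2017-12-05T04:00:06Z 203.0.113.9 192.0.2.30 TCP 443 S
2017-12-05T04:00:06Z 203.0.113.9 192.0.2.31 TCP 443 S
"""


def parse_flow(line):
    """Parse one record into a dict; raises ValueError on a malformed line."""
    ts, src, dst, proto, dport, flags = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.upper(),
            "dport": int(dport), "flags": flags.upper()}


def iter_flows(text):
    """Yield parsed records, skipping blank and comment lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield parse_flow(line)


def is_probe(flow, ports):
    """A probe is a SYN-only TCP segment to one of the watched ports."""
    return flow["proto"] == "TCP" and flow["dport"] in ports and flow["flags"] == "S"


def find_scanners(text, ports=SATORI_SCAN_PORTS, min_targets=MIN_DISTINCT_TARGETS):
    """Return {src_ip: [(dst_ip, dport), ...]} for sources whose probes reached
    at least min_targets distinct (host, port) pairs on the watched ports."""
    targets = defaultdict(set)
    for flow in iter_flows(text):
        if is_probe(flow, ports):
            targets[flow["src"]].add((flow["dst"], flow["dport"]))
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


def sources_per_port(text, ports=SATORI_SCAN_PORTS):
    """Count distinct probing sources per watched port (the 'unique scanner
    IPs' style of figure, computed over your own telemetry)."""
    seen = defaultdict(set)
    for flow in iter_flows(text):
        if is_probe(flow, ports):
            seen[flow["dport"]].add(flow["src"])
    return {port: len(seen[port]) for port in sorted(ports)}


if __name__ == "__main__":
    for src, hits in find_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {len(hits)} distinct targets, first {hits[:3]}")
    print("unique probing sources per port:", sources_per_port(SAMPLE_FLOWS))
```

Only SYN-only segments count, so replies and established sessions on the same ports do not inflate the count, and the threshold is on distinct targets rather than packet volume, which is what distinguishes a sweep from a noisy but legitimate client. On the sample data the two sweeping sources are flagged while the single hit and the HTTPS traffic are not.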

Gamarue Takedown

The sudden uptick in the Satori botnet comes just days after ESET and Microsoft, along with police around the world, successfully disrupted many long-running botnets powered by a malware family dubbed Gamarue (also known as Andromeda or Wauchos).

The fight against botnets continues however.

In October security researchers uncovered another botnet similar to the earlier Mirai called IOTroop or Reaper.

The new network had infected devices on more than one million organisations’ networks, according to Israeli security firm Check Point.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
