Satori Botnet Wakes Up And Enlists 263,000 Bots

Variant of the more infamous Mirai malware starting to propagate very quickly, researchers warn

A new version of the Satori botnet has suddenly become actively and is spreading outwards from South America.

This is the warning from Li Fengpei, a security researcher with Beijing-based Qihoo 360, who said that whilst they had been tracking Satori for months, a new version has been seen active on over 263,250 different IPs in the past 12 hours.

Satori is a new variant of the infamous Mirai botnet, which had infected around 2.5 million devices by the end of 2016, when it was used along with other botnets to attack DNS provider Dyn, generating enough junk traffic to overload the firm’s servers and disable websites including Spotify, Reddit and The New York Times.

ENISA botnet report, Mirai

New Botnet

But now security professionals are being warned that Satori has suddenly become active and is spreading in worm style on Port 37215 and 52869.

“In our last blog, we mentioned there were almost 100k unique scanner IPs from Argentina scanning port 2323 and port 23, and we concluded it was a new mirai variant,” said Fengpei. “For the last few days, the scanning behaviour has gotten more intense, and more countries started to show up on our ScanMon platform as scan source.”

“About 12 hours ago (2017-12-05 11:57 AM GMT+8), we noticed a new version of Satori, starting to propagate very quickly on port 37215 and 52869.”

It seems that this new variant has two significant differences from known mirai variants, in that the bot itself now does not rely on loader|scanner mechanism to perform remote planting. Instead the bot itself performs the scan activity.

The second difference is that there is now two new exploits, which work on port 37215 (not disclosed yet) and 52869 (derived from CVE-2014-8361).

“Due to the worm-like behaviour, we all should be on the lookout for the port 37215 and 52869 scan traffic,” wrote Fengpei. “This malware is the newest version of Satori. We have been tracking Satori for months, and have strong evidence this new wave of attack can be linked to previous attack on port 23 and 2323 scanning traffic upticks.”

“Actually, in the next few days, more countries such as Egypt, Tunisia, Columbia have been picked up by our monitoring system, as we mentioned in the beginning of this blog post, our investigation reveals the port scan is only part of the whole picture,” he added.

Gamarue Takedown

The sudden uptick in the Satori botnet comes just days after ESET and Microsoft, along with police around the world, successfully managed to disrupt many long-running botnets powered by a malware family dubbed as Gamarue (also known as Andromeda or Wauchos).

The fight against botnets continues however.

In October security researchers uncovered another botnet similar to the earlier Mirai called IOTroop or Reaper.

The new network had infected devices on more than one million organisations’ networks, according to Israeli security firm Check Point.

Do you know all about security in 2017? Try our quiz!