
Next-gen Mirai botnet sparks calls for more secure IoT design

News of a 100,000-device-strong IoT botnet that could cripple the internet has sparked a fresh call for manufacturers of IoT devices to do more to ensure they cannot be hijacked for malicious purposes.

Security researchers are warning that an advanced version of the Mirai malware code that was made public in October 2016 has been used to hijack around 100,000 home routers.

At the time the code was released, security experts warned organisations with an online presence to prepare for terabit-class internet of things (IoT) botnet-based distributed denial of service (DDoS) attacks that could knock almost any business offline or disable chunks of the internet.

Now researchers believe that the new IoT botnet, dubbed Satori, could unleash such internet-crippling attacks at any time. The Satori malware reportedly infected more than 280,000 IP addresses in just 12 hours, hijacking thousands of home routers by exploiting a recently discovered zero-day vulnerability.

According to security researchers at Qihoo 360 Netlab, the Satori botnet can propagate rapidly by itself like an IoT worm, using two exploits to connect to devices on ports 37215 and 52869.
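The worm-like spread described above shows up in network logs as a single internal host fanning out to many distinct destinations on the two ports named by Netlab. The following detection script is an added example, not code from the article or from Netlab; the log field names (src, dst, dport) and the alert threshold are assumptions, and the sample log lines are constructed.

```python
"""Flag hosts whose outbound connection pattern looks like IoT-worm
scanning on the ports named in the Netlab report (37215, 52869).
Log format and threshold are assumptions for this example; sample
lines are constructed, not captured traffic.
"""
import re
from collections import defaultdict

WORM_PORTS = {37215, 52869}   # ports named in the Netlab report
SCAN_THRESHOLD = 5            # distinct destinations before alerting (assumed)

# Assumed key=value log format, e.g. "src=A dst=B dport=N proto=tcp"
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Constructed sample: 192.168.1.23 fans out to seven hosts on 37215 and
# one on 52869; 192.168.1.50 does ordinary web traffic.
SAMPLE_LOGS = [
    f"src=192.168.1.23 dst=203.0.113.{i} dport=37215 proto=tcp" for i in range(1, 8)
] + [
    "src=192.168.1.23 dst=198.51.100.4 dport=52869 proto=tcp",
    "src=192.168.1.50 dst=93.184.216.34 dport=443 proto=tcp",
    "src=192.168.1.50 dst=93.184.216.34 dport=80 proto=tcp",
]

def parse(lines):
    """Yield (src, dst, dport) for every line matching the assumed format."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])

def find_scanners(lines, threshold=SCAN_THRESHOLD):
    """Return {src: {port: distinct_dst_count}} for sources that reached at
    least `threshold` distinct destinations on any worm port."""
    fanout = defaultdict(set)          # (src, port) -> distinct destinations
    for src, dst, dport in parse(lines):
        if dport in WORM_PORTS:
            fanout[(src, dport)].add(dst)
    alerts = {}
    for (src, port), dsts in fanout.items():
        if len(dsts) >= threshold:
            alerts.setdefault(src, {})[port] = len(dsts)
    return alerts

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOGS).items():
        print(f"ALERT {src}: fan-out on worm ports {ports}")
```

A single connection to one of these ports is not evidence of infection; the fan-out across many distinct destinations is what distinguishes worm scanning from a one-off management session.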

Dale Drew, chief security strategist at CenturyLink, told ArsTechnica that the Satori botnet is already infecting two types of widely used home and small office routers made by Huawei, even when they are protected with strong passwords, because, unlike Mirai, it exploits remote code execution vulnerabilities rather than relying on default passwords for access.

The Huawei EchoLife Home Gateway and the Huawei Home Gateway make up about 90,000 of the 100,000 newly infected devices, according to Drew. The Satori malware also reportedly has a dictionary of 65,000 username and password combinations to try against other types of devices.

“It’s a pretty sophisticated approach,” Drew told Ars. The unknown operator “has a pretty significant scanning army right now, where he’s adding more and more vectors to his IoT pool”.

Possible link to another botnet

Qihoo 360 Netlab security researcher Li Fengpei told Bleeping Computer that common filenames, command-and-control protocols, and other features indicate that Satori could be linked to another Mirai-based botnet discovered last month, which has also reached around 100,000 bots, mainly located in Argentina.

According to Drew, security professionals have few options other than to closely monitor the botnet and block any new control channels it may use. “The scary story is we have botnet operators desperately trying to get access to nodes numbered in the hundreds of thousands if not millions,” he said.

“We’ve always said it takes a village to protect the internet. When we find a bad guy, we’re getting that information sinkholed and blocked much more quickly.”

As the number of devices connected to the internet continues to expand rapidly, so does the mass of vulnerabilities associated with the IoT, states Rodney Joffe, senior vice-president and fellow at information services firm Neustar.

“The sheer volume and complexity of these devices has opened a large window for targeted attacks, compromising the security and safety of household items, such as home routers,” he said.

Joffe believes that to mitigate these botnets, there needs to be a greater understanding of how to safeguard the realm of the IoT and everything it encompasses.

“While consumers are busying themselves with a brand new wealth of connected devices, making their homes – and lives – more convenient, it’s up to the manufacturers of these products to prioritise security,” he said.


With every element of the IoT being connected, Joffe said the knock-on effect of one device being hit by some form of cyber attack has the power to, almost instantly, cripple millions of others.

“To work towards stamping out the huge threat to the IoT landscape, more cohesive security strategies need to be considered, with consumers being made aware of the wider ecosystem they’re signing up to, the potential risks associated with this, and how best to isolate them.”

“While the hype and attraction around connected products continues to unravel, it’s essential enough time is being taken to know these devices inside out, to realistically stand a chance at keeping consumer information in the right hands.”
