Security researchers have found a new variant of the infamous Mirai botnet that targets web-connected devices with ARC processors. The botnet named “Okiru”, which means “wake up” in Japanese, was discovered by Japan-based Malware Must Die researcher @unixfreaxjp and has been deemed the first ever malware developed for ARC systems.
ARC-embedded processors are found in a wide range of internet-connected devices including cars, mobiles, TVs and cameras and are reportedly shipped in more than a billion products every year.
In 2016, the devastating original Mirai botnet was used to hijack hundreds of thousands of IoT devices across the globe. The botnet was then used to hit DNS provider Dyn with a powerful distributed denial-of-service (DDoS) attack, knocking a large portion of the internet offline.
After the developers behind Mirai publicly released the malware’s source code later in 2016, numerous hackers tweaked its code to create their own malicious scripts and launch crippling DDoS attacks.
According to a security researcher going by the name “Odisseus”, the new Mirai botnet variant will change the “landscape of Linux IoT infection”.
“This is the FIRST TIME ever in the history of computer engineering that there is a malware for ARC CPU & it is MIRAI OKIRU,” Odisseus tweeted. “Pls be noted of this fact, & be ready for the bigger impact on infection Mirai (specially #Okiru) to devices hasn’t been infected yet.”
The finding also comes a month after hackers posted the malware code behind the Satori botnet for free on PasteBin during Christmas last year. Satori was used to attack hundreds of thousands of Huawei routers and over 280,000 different IP addresses worldwide.
However, researchers noted that Okiru is quite different from the Satori botnet. According to a Reddit thread on the subreddit LinuxMalware, the configuration differs between the two.
“Okiru variant’s config is encrypted in two parts w/ telnet bombardment password encrypted, Satori does not split it in 2 parts and doesn’t encrypt brute default passwords,” the post reads. “Also Okiru’s telnet attack login information is a bit longer (can be up to 114 credentials, max counted), while Satori is having different and shorter database.
“Satori seems to have ‘TSource Engine Query’ common Distributed ‘Reflective’ (DRDoS) attack function via random UDP, while Okiru does not seem to have this function… Four types of router attack exploit code has only being spotted hard coded in Okiru variant, yet Satori does not use these exploits at all.”
At the time of writing, 20 out of 58 antivirus tools can detect the Okiru threat, according to test service VirusTotal.
Malware Must Die researchers told The Register that samples have been observed in multiple places from numerous sources. However, they have not specified how many devices have been infected by the threat so far.
“The samples have been spotted in multiple places from several sources, some were spotted after infection, some are sitting in C2. For sure, ARC Linux devices are being targeted,” researchers said. “The analysis of the code after decompilation shows the herders were preparing ARC binary specifically to target one particular Linux environment.”
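The first triage question a defender has about a sample of this family is which CPU it was built for, so that an ARC build is not filed away as just another ARM or MIPS Mirai. The following is an added example, not code from Malware Must Die or from the botnet: a Python parser that reads an ELF header and reports the target machine, flagging the three ARC identifiers from `<elf.h>`; the sample headers it runs on are constructed inline.

```python
"""Triage helper: read an ELF header and report the target CPU (added example)."""
import struct

# e_machine values from the ELF specification / <elf.h>; the three ARC entries
# (45, 93, 195) are the ones an ARC-targeted build such as Okiru would carry.
E_MACHINE = {
    2: "SPARC", 3: "x86", 4: "m68k", 8: "MIPS", 20: "PowerPC",
    40: "ARM", 42: "SuperH", 45: "ARC", 62: "x86-64",
    93: "ARCompact (ARC700)", 183: "AArch64", 195: "ARCv2",
}
ARC_MACHINES = {45, 93, 195}


def elf_machine(data: bytes) -> dict:
    """Return word size, endianness and target machine for an ELF image.

    Only the header is read, so a truncated or partially captured sample is
    still classifiable as long as its first 20 bytes survived.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]        # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed ELF identification bytes")
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine are the two u16 fields directly after e_ident.
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": e_type,
        "machine_id": e_machine,
        "machine": E_MACHINE.get(e_machine, f"unknown ({e_machine})"),
        "is_arc": e_machine in ARC_MACHINES,
    }


def make_elf32_header(machine: int, little_endian: bool = True) -> bytes:
    """Build a constructed, minimal 52-byte ELF32 header for testing (no code)."""
    endian = "<" if little_endian else ">"
    e_ident = b"\x7fELF" + bytes([1, 1 if little_endian else 2, 1]) + b"\x00" * 9
    # e_type=ET_EXEC, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return struct.pack(endian + "16sHHIIIIIHHHHHH", e_ident, 2, machine, 1,
                       0x10000, 52, 0, 0, 52, 32, 0, 40, 0, 0)


if __name__ == "__main__":
    for sample in (make_elf32_header(93), make_elf32_header(8, little_endian=False)):
        print(elf_machine(sample))
```

Run it against real samples with `elf_machine(open(path, "rb").read(64))`; anything that comes back `is_arc` is worth routing to an ARC-capable disassembler rather than the usual ARM/MIPS tooling.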
Researchers at Italy’s Computer Emergency Response Team (CERT) reported that Security Affairs was hit with a massive DDoS attack that knocked the site offline for about an hour just 20 minutes after publishing an article about Mirai Okiru.