Mirai Okiru: New DDoS botnet targets ARC-based IoT devices

Jan 15, 2018 (4 mins)
Internet of Things, Malware, Security

Meet Mirai Okiru and brace for the DDoS botnet targeting 'billions' of ARC-based IoT devices.


Well, this is bad…very bad. Mirai malware and its many variants, which have targeted other CPU architectures in the past, are now targeting the second most popular type of CPU core – ARC processors.

Meet Mirai Okiru, the Mirai variant targeting ARC processors: embedded processors used in IoT, automotive, mobile, TVs, cameras and a nearly endless list of other products, reportedly shipping in over a billion products per year. Brace yourself for the botnet targeting ARC-based IoT devices.

According to security researcher Odisseus:

Odisseus noted that @unixfreaxjp, from the Malware Must Die team, first spotted the Okiru sample. At the time of writing, the detection rate was 13 of 58 on VirusTotal; it was only 5 of 60 when Odisseus tweeted:

The detection rate for the Okiru downloader was only 1 of 59; it is a mere 4 of 59 at the time of writing.

The news was picked up by Pierluigi Paganini on Security Affairs; Italy’s CERT (Computer Emergency Response Team) noted that 20 minutes after Security Affairs published a piece about Mirai Okiru, the “domain was subject to a massive DDoS attack that inhibited access for about an hour.”

You may remember hearing about the Mirai malware variant Satori (pdf) back in December; it was sometimes also called Okiru. Satori was used to attack “hundreds of thousands” of Huawei routers. The exploit was released for “free” on Christmas by what NewSky Security dubbed a blackhat Santa.

Despite the similarities between the two types of Linux IoT DDoS malware, Mirai Okiru is “very different” from the Mirai Satori variant. The differences were pointed out on the subreddit LinuxMalware.

According to the translated version of CERT-PA’s post:

The MMD researchers, who have already proceeded to release the Yara rules to identify this new variant of Mirai, have compared Okiru with the previous Mirai botnet called Satori. According to the observations of the researchers, the Okiru configuration is encrypted in two parts and the attack via Telnet is much more incisive, as it uses a list of over 100 credentials (114 are the credentials counted by MMD).

Odisseus noted that it is important to understand the differences and have different signatures to detect both.
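The Telnet dictionary attack described in the CERT-PA summary above leaves a characteristic trace on the target: a burst of failed logins with different usernames from one source within a few seconds. The following Python script is an added example (not code from the article, MMD or CERT-PA) that flags such bursts in constructed telnetd-style log lines; the log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (hypothetical telnetd format, not real Okiru traffic):
# one source cycling through a username dictionary, one source making ordinary typos.
SAMPLE_LOG = """\
2018-01-15T10:00:00 telnetd: login failed user=root from=198.51.100.7
2018-01-15T10:00:00 telnetd: login failed user=admin from=198.51.100.7
2018-01-15T10:00:01 telnetd: login failed user=root from=198.51.100.7
2018-01-15T10:00:01 telnetd: login failed user=support from=198.51.100.7
2018-01-15T10:00:02 telnetd: login failed user=user from=198.51.100.7
2018-01-15T10:00:02 telnetd: login failed user=guest from=198.51.100.7
2018-01-15T10:00:03 telnetd: login failed user=admin from=198.51.100.7
2018-01-15T10:00:03 telnetd: login failed user=root from=198.51.100.7
2018-01-15T10:01:10 telnetd: login failed user=alice from=192.0.2.9
2018-01-15T10:03:40 telnetd: login failed user=alice from=192.0.2.9
"""

# Assumed line layout: ISO timestamp, daemon tag, username, source address.
LINE_RE = re.compile(r"^(?P<ts>\S+) telnetd: login failed user=(?P<user>\S+) from=(?P<src>\S+)$")

def parse_failures(text):
    """Yield (timestamp, username, source) for every failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]

def detect_dictionary_attacks(text, threshold=6, window_seconds=30):
    """Flag sources whose failed logins within one sliding window reach the threshold.

    Returns {source: (peak_attempts_in_window, distinct_usernames_seen)} for
    flagged sources only. Lines are assumed to be in time order.
    """
    recent = defaultdict(deque)  # source -> timestamps inside the current window
    users = defaultdict(set)     # source -> usernames tried so far
    flagged = {}
    for ts, user, src in parse_failures(text):
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= threshold:
            peak = max(flagged.get(src, (0, 0))[0], len(q))
            flagged[src] = (peak, len(users[src]))
    return flagged
```

Calling `detect_dictionary_attacks(SAMPLE_LOG)` flags only 198.51.100.7 (eight attempts across five usernames in three seconds), while the slow typos from 192.0.2.9 stay below the threshold.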

We all know that the majority of IoT devices have super sucky security – if there was any security bolted on at all. None of us will forget what 100,000 Mirai-infected devices were capable of doing: taking down the DynDNS service. A piece written in 2014 claimed, “Synopsys’ ARC processor IP cores have been licensed by more than 190 companies and are used in more than 1.5 billion products a year.” Since that post is four years old, how many more products now have ARC cores? How many of those are “secure?”

If you think back on the havoc wreaked by 100,000 devices taken over by the Mirai botnet in 2016, what hell can be unleashed in 2018 if attackers gain control of millions of ARC-based IoT devices for the Mirai Okiru DDoS botnet?

Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.