Mirai Okiru botnet is the first ever to target ARC-based IoT devices

Pierluigi Paganini January 14, 2018

Researcher @unixfreaxjp has spotted what he describes as the first Linux malware in the history of computer engineering designed to infect ARC CPUs; the new Linux ELF malware was dubbed MIRAI OKIRU.

In August 2016 the researcher @unixfreaxjp, of the MalwareMustDie team, first spotted the dreaded Mirai botnet; now the same researcher is announcing a new big earthquake in the malware community.


This is the first time that a piece of malware specifically targets ARC-based systems, and Mirai Okiru went undetected by almost all antivirus engines at the time of its discovery.

Mirai ARC OKIRU

“!! Please be noted of this fact, and be ready for the bigger impact on infection Mirai (specially Okiru) to devices that hasn’t been infected yet.” said the researcher.

The Linux IoT threat landscape is rapidly changing: crooks will now start targeting IoT devices built on ARC CPUs.

“From this day, the landscape of #Linux #IoT infection will change. #ARC cpu has produced #IoT devices more than 1 billion per year. So these devices are what the hackers want to aim to infect #ELF #malware with their #DDoS cannons. It’s a serious threat will be. #MalwareMustDie!” wrote MMD.

As highlighted by a colleague, the impact of such a botnet could be devastating: it has been estimated that ARC embedded processors ship in more than 1.5 billion products per year. This means that the number of potentially exposed devices is enormous, and such a powerful botnet could be used for a multitude of malicious purposes.

“ARC (Argonaut RISC Core) embedded processors are a family of 32-bit CPUs originally designed by ARC International. They are widely used in SoC devices for storage, home, mobile, automotive, and Internet of Things applications. ARC processors have been licensed by more than 200 organizations and are shipped in more than 1.5 billion products per year.” reads Wikipedia.

“#Mirai #Okiru variant is very dangerous, if you see how the coder made specific “innovative modification” in its variant codes+encryption you’ll see what I mean, & now they are the 1st malware to aim #ARC core. These guys can make greater chaos if not be stopped. Mark my word” wrote MalwareMustDie.

It is very important to understand that the Mirai Satori variant is very different from Okiru, as explained by MalwareMustDie.

  1. From what we observe so far, these two types are very different (among several common similar characteristics), we think it is good to have different rules to detect Mirai variant Okiru and Satori
  2. Some simple highlights to differ Okiru to Satori variant:
  • The config is different, Okiru variant’s config is encrypted in two parts w/ telnet bombardment password encrypted, Satori does not split it in 2 parts and doesn’t encrypt brute default passwords. Also Okiru’s telnet attack login information is a bit longer (can be up to 114 credentials, max counted), while Satori is having different and shorter database.
  • Satori seems to have “TSource Engine Query” common Distributed “Reflective” (DRDoS) attack function via random UDP, while Okiru does not seem to have this function,
  • The infection follow up commands written in both Okiru and Satori in their configurations are a bit different, showing possibility that they don’t seem sharing a same “herding environment”,
  • (up to) Four types of router attack exploit code have only been spotted hard coded in Okiru variant, yet Satori does not use these exploits at all,
  • Satori (see VT comment part for reversed code) is using small embedded ELF trojan downloaders to download other architecture binaries which were coded differently compared to Okiru ones (see reversed code in VT comment),
  • (there are more minor stuff too that you can notice using the pictures shown in previous points, like differences in usage of watchdog, the usage of command “echo -en \x…” etc)

wrote MalwareMustDie.

ARC-core-compiled Mirai Okiru ELF malware (botnet client), as identified by file(1): ELF 32-bit LSB executable, ARC Cores Tangent-A5, version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, for GNU/Linux 4.8.0, stripped.

The risk that someone could build a powerful Mirai Okiru botnet composed of a billion devices is concrete.

Researchers from MalwareMustDie published the YARA rules for the threat

https://github.com/unixfreaxjp/rules/blob/master/malware/MALW_Mirai_Okiru_ELF.yar

and IoCs:

  • MD5: 9c677dd17279a43325556ec5662feba0
  • MD5: 24fc15a4672680d92af7edb2c3b2e957
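As an added example (not code from the article or from MalwareMustDie), the script below shows the two triage checks a defender would apply to a suspicious ELF sample in light of this report: read the ELF header's e_machine field to see whether the binary was built for an ARC core (the architecture named in the file(1) description above), and compare the sample's MD5 against the two IoCs published with the article. The e_machine constants come from the ELF specification (glibc's elf.h); the assumption that file(1) reports value 93 as "ARC Cores Tangent-A5" is an assumption about libmagic's labelling, not something the article states. The ELF headers used as input are constructed in-line so the script runs offline.

```python
"""Triage helper: flag ELF samples built for ARC cores and match MD5 IoCs.

Added example, not the article's or MalwareMustDie's code. The ELF headers
built by make_elf32_header() are constructed, non-functional test inputs;
the hashes in KNOWN_IOCS are the two MD5s published in the article.
"""
import hashlib
import struct
import sys

# e_machine values from the ELF specification / glibc elf.h.
# Assumption: file(1) labels 93 (EM_ARC_COMPACT, the ARC A5 family) as
# "ARC Cores Tangent-A5", the string in the article's sample description.
EM_ARC = 45
EM_ARC_COMPACT = 93
EM_ARC_COMPACT2 = 195
ARC_MACHINES = {
    EM_ARC: "ARC (classic Argonaut RISC Core)",
    EM_ARC_COMPACT: "ARCompact / ARC A5 (Tangent-A5)",
    EM_ARC_COMPACT2: "ARCompact v2",
}

# MD5 IoCs quoted in the article.
KNOWN_IOCS = {
    "9c677dd17279a43325556ec5662feba0",
    "24fc15a4672680d92af7edb2c3b2e957",
}

ELF_MAGIC = b"\x7fELF"


def elf_machine(data: bytes):
    """Return (e_machine, is_32bit, little_endian), or None if not an ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class = data[4]  # 1 = ELF32, 2 = ELF64
    ei_data = data[5]   # 1 = little-endian, 2 = big-endian
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    # e_type (u16) sits at offset 16 and e_machine (u16) at offset 18 for
    # both ELF32 and ELF64, so the header class does not change the read.
    _e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return e_machine, ei_class == 1, ei_data == 1


def triage(data: bytes) -> dict:
    """Hash the sample, check it against the IoC list and identify ARC builds."""
    md5 = hashlib.md5(data).hexdigest()
    result = {"md5": md5, "ioc_match": md5 in KNOWN_IOCS,
              "is_elf": False, "arc": False, "arch": None}
    hdr = elf_machine(data)
    if hdr is None:
        return result
    e_machine, _is32, _le = hdr
    result["is_elf"] = True
    result["arch"] = ARC_MACHINES.get(e_machine, f"e_machine {e_machine}")
    result["arc"] = e_machine in ARC_MACHINES
    return result


def make_elf32_header(e_machine: int, little_endian: bool = True) -> bytes:
    """Build a minimal 52-byte ELF32 header (constructed test input only)."""
    endian = "<" if little_endian else ">"
    ident = ELF_MAGIC + bytes([1, 1 if little_endian else 2, 1, 0]) + b"\x00" * 8
    # e_type=2 (EXEC), e_machine, e_version=1, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize=52, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    rest = struct.pack(endian + "HHIIIIIHHHHHH",
                       2, e_machine, 1, 0, 0, 0, 0, 52, 0, 0, 0, 0, 0)
    return ident + rest


# Constructed samples: an ARC A5 build, an x86 build (EM_386 = 3) and junk.
SAMPLE_ARC = make_elf32_header(EM_ARC_COMPACT)
SAMPLE_X86 = make_elf32_header(3)
SAMPLE_NOT_ELF = b"not an elf at all"


if __name__ == "__main__":
    # With no arguments, triage the constructed samples; otherwise the files given.
    inputs = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "sample_arc": SAMPLE_ARC, "sample_x86": SAMPLE_X86, "junk": SAMPLE_NOT_ELF}
    for name, blob in inputs.items():
        print(name, triage(blob))
```

The hash match is only a first-pass check: a recompiled or repacked Okiru client will have a different MD5, which is why the article also points to the YARA rule, and the e_machine check is useful precisely because it catches ARC builds regardless of their hash.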

Stay tuned …


Pierluigi Paganini

(Security Affairs – Mirai Okiru botnet, Linux malware)
