We found an old IoT botnet that became active again. It strangely happened just 2 months after 21-year-old Kenneth Schuchman pleaded guilty to developing and deploying the Satori botnet.
The Satori botnet
The Satori malware family was discovered in December 2017. It is a derivative of the famous Mirai botnet, however, the technique of leveraging default or weak passwords doesn’t seem as effective for hackers anymore. As users became aware of the Mirai botnet’s threat, they strengthened their passwords.
That’s why the author of the Satori botnet turned to a new method, and besides using the Mirai botnet’s source code, Kenneth Schuchman also exploited two vulnerabilities for telnet scanning and password brute force:
: RCE vulnerability in the miniigd SOAP service in Realtek SDK
- CVE 2017-17215
: RCE vulnerability in Huawei HG 532
The Satori botnet infected 700,000 endpoints in total, including home digital video recorders (DVRs), surveillance cameras, and enterprise networking gears. The group behind the botnet said that the access for these infected devices was selling to others to launch DDoS.
Old botnet is attacking again
At BitNinja, we started to see signs of the Satori botnet on November 12, 2019. In the graph below, you can see this wave:
The distribution of the Satori botnet attacks – How an old botnet relived
Satori botnet attacks stopped by BitNinja
After this botnet appeared again, it became quite active suddenly. Until 27 Nov, BitNinja blocked more than 19,000,000 Satori botnet attack attempts! Here, you can see some examples of the stopped attacks:
Satori botnet attack stopped by BitNinja
"PORT HIT": "184.108.40.206:26218->83.#.#.19:23",
[18:38:38] => root
[18:38:39] => aquario
[18:38:40] => enable
[18:38:40+1] => /bin/busybox SATORI
"PORT HIT": "220.127.116.11:28226->83.#.#.19:23",
[18:38:53] => root
[18:38:54] => aquario
[18:38:55] => enable
[18:38:55+1] => >/dev/netslink/.t && cd /dev/netslink/
>/var/tmp/.t && cd /var/tmp/
>/tmp/.t && cd /tmp/
>/var/.t && cd /var/
>/home/.t && cd /home/
>/var/run/.t && cd /var/run/
>/.t && cd /
[18:38:56] => /bin/busybox cp /bin/busybox xhgyeshowm; /bin/busybox cp /bin/busybox gmlocerfno; >xhgyeshowm; >gmlocerfno; /bin/busybox chmod 777 xhgyeshowm gmlocerfno
Check out this attacking IP’s history on the BitNinja Dashboard.
As you can see from the logs, this IP is doing a telnet scan on port 23. The following keywords all refer to the Satori botnet:
- /bin/busybox satori
- /bin/busybox cp /bin/busybox xhgyeshowm
- /bin/busybox cp /bin/busybox gmlocerfno; >xhgyeshowm
- /bin/busybox chmod 777 xhgyeshowm gmlocerfno
If you want to see the results of the BitNinja Port Honeypot module, visit the Network Attacks menu on your Dashboard and choose the BL_PORT_HONEYPOT_BADPORT incident type:
Attacks stopped by BitNinja Port Honeypot
In the Network Attacks menu, you can also filter for the date range, IP addresses, countries and even servers. There’s no doubt that this menu will be your best friend when you come to analyze the incidents on your servers. 😉
The top 10 countries, where the Satori attacks are coming from, can be seen on the pie chart below. In total, these countries are responsible for more than 90% percent of the Satori botnet logs.
Top 10 countries responsible for Satori botnet attacks – China is at the top followed by Brazil and Thailand.
Defend against Satori botnet
The BitNinja Port Honeypot module will automatically block every Satori botnet attack attempt, so if you’d like to avoid this kind of attack, make sure that this powerful module is enabled on your servers.
Are you not using BitNinja yet? This is your time to keep your servers safe against botnet attacks, so don’t hesitate, sign up for a 7-day trial now: