Introduction
Satori is malware that infects IoT devices and forms a botnet. In recent years, IoT devices such as smart home appliances have become widespread in society, but at the same time, the existence of malware targeting IoT devices has become a problem.
IoT devices need security measures just as personal computers and smartphones do. For IoT devices in particular, the malware called Satori, a threat specific to IoT devices, is regarded as a serious problem. Here we introduce what Satori is and what countermeasures are available.
What is the malware “Satori” in the IoT era?
Satori is malware that infects IoT devices and forms a botnet. A malicious program that turns a device into a puppet (robot) that acts on the instructions of a third party is called a “bot”, and a network of such bots is a “botnet”. A device that has been infected and hijacked in this way is also said to have been “zombified”.
A botnet normally stays dormant, but once it receives a command from the attacker’s control server, called the C&C server, all of its devices activate at once and carry out a cyber attack.
A C&C server (short for “Command & Control server”) is the server the attacker uses to send malicious commands to the botnet remotely and repeatedly.
In many cases a botnet is used to perform a DDoS (Distributed Denial of Service) attack, causing damage such as bringing down a server. In a DDoS attack, a large volume of traffic is sent from many hijacked devices to the target site or server; the server’s traffic rises abnormally, it cannot withstand the load, and it goes down.
However, the DDoS attack method itself existed before IoT technology spread. The future threat posed by Satori comes from the combination of a characteristic of DDoS attacks with the spread of IoT devices: a DDoS attack becomes stronger the more zombified devices participate in it, and since the number of IoT devices vastly exceeds that of the PCs and smartphones that have represented the Internet so far, DDoS attacks have become a far more powerful and damaging method of attack.
Satori is derived from Mirai, the originator of IoT malware
Satori was originally born as a variant of the malware “Mirai”, which attacks IoT devices. Like Satori, Mirai infects IoT devices to form a botnet and launches DDoS attacks.
Mirai received a lot of attention when services such as Twitter and Amazon became inaccessible due to a large-scale cyber attack that occurred in the United States in October 2017. These incidents were caused by a large-scale DDoS attack from IoT devices infected with Mirai.
The biggest feature of Mirai is that its source code is public. When it was first discovered it was feared as a mysterious piece of malware, but in 2016 a person calling themselves “Anna-senpai”, regarded as the likely creator, suddenly released Mirai’s source code. This made it possible for anyone who wanted to create a Mirai variant to do so.
The mechanism by which Mirai spreads is simple: it looks for infectable devices at randomly generated IP addresses. It uses a method called a port scan, which probes for ports that can be reached from the outside, to check whether an intrusion is possible.
Mirai mainly targets Linux-based operating systems and uses port scans to find services that can be reached from the outside, such as Telnet (port 23) and SSH (port 22). Once it finds an IoT device it can reach, Mirai attempts to break into it using a method called a dictionary attack.
A dictionary attack is one of the classic cyber attacks and has existed for a long time: it is an attempt to gain unauthorized access by trying, one after another, combinations of usernames and passwords made up of words and terms that many people use.
IoT devices from the early days of their spread were built with little security awareness: ports for services that allow access from the outside were left open, and the ID and password were left at factory defaults such as Admin/Admin and root/root. Many devices were deployed as they were, and so they became targets of Mirai infection.
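The dictionary attack described above leaves a recognisable trace on the device being attacked: a burst of failed logins from one source, cycling through factory-default account names. The script below is an added detection example, not code from the original article; the syslog-style log lines are constructed for illustration (real Telnet and SSH daemons log in their own formats, so the regex is an assumption to adapt), and the list of default account names extends the Admin/root examples the article gives.

```python
"""Flag dictionary-attack bursts in constructed login-failure logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real telemetry: one source hammers Telnet with
# default-style account names; one line is a lone legitimate SSH failure.
SAMPLE_LOG = """\
Mar 10 02:14:01 cam01 telnetd[811]: login failed for user 'root' from 203.0.113.7
Mar 10 02:14:02 cam01 telnetd[811]: login failed for user 'admin' from 203.0.113.7
Mar 10 02:14:02 cam01 telnetd[811]: login failed for user 'Admin' from 203.0.113.7
Mar 10 02:14:03 cam01 telnetd[811]: login failed for user 'support' from 203.0.113.7
Mar 10 02:14:04 cam01 telnetd[811]: login failed for user 'user' from 203.0.113.7
Mar 10 02:14:05 cam01 telnetd[811]: login failed for user 'guest' from 203.0.113.7
Mar 10 02:20:40 cam01 sshd[902]: login failed for user 'alice' from 192.168.1.20
"""

# Assumed log layout: "<month> <day> <time> <host> <daemon>[pid]: login failed for user '<u>' from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<svc>telnetd|sshd)\[\d+\]: "
    r"login failed for user '(?P<user>[^']*)' from (?P<src>[\d.]+)$"
)

# Factory-default style account names (Admin/root from the article plus
# other common ones); seeing several of these from one source is a strong
# hint that an automated wordlist is being run against the device.
DEFAULT_ACCOUNTS = {"root", "admin", "Admin", "support", "user", "guest"}


def parse(log: str, year: int = 2024):
    """Return [(timestamp, service, username, source_ip)] for failed logins."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a failed-login line; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["svc"], m["user"], m["src"]))
    return events


def detect_dictionary_attacks(log: str, threshold: int = 5,
                              window: timedelta = timedelta(seconds=60)):
    """Return {source_ip: summary} for every source that produced at least
    `threshold` failed logins inside one sliding `window`.  The summary keeps
    the largest burst seen, the services hit, and which default accounts were tried."""
    by_src = defaultdict(list)
    for ts, svc, user, src in parse(log):
        by_src[src].append((ts, svc, user))

    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        best = None
        lo = 0
        for hi in range(len(evs)):
            # advance the window start until the window is at most `window` wide
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            count = hi - lo + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, lo, hi)
        if best:
            count, lo, hi = best
            burst = evs[lo:hi + 1]
            alerts[src] = {
                "failures": count,
                "services": sorted({s for _, s, _ in burst}),
                "default_accounts_tried": sorted({u for _, _, u in burst} & DEFAULT_ACCOUNTS),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_dictionary_attacks(SAMPLE_LOG).items():
        print(src, info)
```

A hit from this check is a reason to confirm that Telnet is not reachable from the WAN and that the device’s credentials were changed from the defaults; the single failure from the LAN address is deliberately below the threshold and produces no alert.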
How Satori Proliferates and Examples of Subspecies Damage
Mirai’s attack method is simple but extremely powerful, and Mirai variants began to appear with explosive momentum. Typical examples such as Qbot, Hajime, Hakai, and Satori are all variants of Mirai.
Satori’s existence was recognized in 2017, when security companies discovered that attacks exploiting a previously unknown vulnerability in Huawei’s router “Huawei HG53” were occurring all over the world. That discovery was the trigger.
Satori is a subspecies of Mirai, and its method of spreading is similar: after infection it forms a botnet and self-propagates. At the time of its discovery, Satori’s port scans looked for port 37215 and port 52869 to find devices to intrude into.
These ports are used by Universal Plug and Play (UPnP), a protocol that lets devices such as information appliances join a computer network simply by being connected, and Satori exploits them to operate the device illegitimately with root privileges.
Although Satori and Mirai spread in similar ways, they differ in how they break into IoT devices: whereas Mirai attempts intrusions against an unspecified large number of devices, Satori breaks in by targeting specific vulnerabilities.
Since then, however, various variants of Satori have appeared, some of which use Telnet just as Mirai does, and more variants are expected in the future. As a notable example, a Satori variant that hijacks the cryptocurrency mining software “Claymore” has been confirmed, and theft of the mined cryptocurrency has been reported.
How to prevent Satori’s attack? Measures to prevent intrusion
So what measures should we take to protect against attacks from Satori?
The first thing to keep in mind is to make sure that no unnecessary ports, which are dangerous to expose on the Internet, are left open.
For example, a home broadband router has a function to block specific ports from the outside, so you can reduce the risk by narrowing down the port numbers exposed to the outside. In particular, for the UPnP-related functions that Satori targets, many routers have a setting that prohibits access to them from outside, so if you do not use UPnP, enable that setting.
When choosing hardware, it is also important to choose a device that offers security and privacy protection, not just functionality and ease of use. After selecting such a device, do not leave its authentication credentials at the default settings; change them to reduce the possibility of unauthorized access.
In addition, attacks by Satori variants often have specific habits, and countermeasures are often designed around those habits. It is therefore also effective to always obtain the latest security information and to take security measures diligently based on it.
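The checks above (no unnecessary exposed ports, UPnP closed off when unused, no default credentials) can be turned into a small audit that is run on the device or router itself. The script below is an added example, not code from the article or from any router vendor: it parses a listening-socket listing in the shape Linux `ss -Hlntu` prints (the column layout is an assumption; the sample listing is constructed), grades the ports the article names (Telnet 23, SSH 22, Satori’s UPnP ports 37215 and 52869, plus UPnP’s SSDP discovery port 1900/udp) by the interface they are bound to, and flags administrator accounts still set to the Admin/Admin or root/root defaults the article mentions.

```python
"""Audit listening ports and admin credentials against the hardening points above (added example)."""
import re

# Constructed sample in the shape of `ss -Hlntu` output on Linux (assumed layout):
# proto state recv-q send-q local-address:port peer-address:port
SAMPLE_SS = """\
tcp   LISTEN 0      5            0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:37215     0.0.0.0:*
tcp   LISTEN 0      5          127.0.0.1:52869     0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:1900      0.0.0.0:*
tcp   LISTEN 0      128      192.168.1.1:80        0.0.0.0:*
"""

# Ports named in the article (Mirai's Telnet/SSH targets, Satori's UPnP ports)
# plus 1900/udp, which UPnP uses for SSDP discovery.
RISKY_PORTS = {
    ("tcp", 23): ("Telnet", "dictionary-attack path used by Mirai; disable, or block from the WAN"),
    ("tcp", 22): ("SSH", "restrict to the LAN and replace default passwords"),
    ("tcp", 37215): ("UPnP (vendor SOAP)", "port scanned by Satori; block from the WAN"),
    ("tcp", 52869): ("UPnP (vendor SOAP)", "port scanned by Satori; block from the WAN"),
    ("udp", 1900): ("UPnP SSDP", "disable UPnP on the router if it is not needed"),
}
WILDCARD_BINDS = {"0.0.0.0", "*", "[::]", "::"}  # reachable on every interface

# Factory defaults the article cites; compared case-insensitively.
DEFAULT_CREDS = {("admin", "admin"), ("root", "root")}

LINE_RE = re.compile(r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+")


def parse_listeners(text: str):
    """Return [(proto, bind_address, port)] from ss-style lines."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, _, port = m["local"].rpartition(":")  # handles "[::]:22" and "*:22"
        out.append((m["proto"], addr, int(port)))
    return out


def audit_listeners(text: str):
    """Grade each risky listening port by where it is bound."""
    findings = []
    for proto, addr, port in parse_listeners(text):
        svc = RISKY_PORTS.get((proto, port))
        if svc is None:
            continue  # not one of the ports under discussion
        name, fix = svc
        if addr in WILDCARD_BINDS:
            severity = "HIGH"   # bound to all interfaces, so exposed on the WAN side too
        elif addr.startswith("127."):
            severity = "OK"     # loopback only; unreachable from the network
        else:
            severity = "INFO"   # bound to one address; confirm it is the LAN side
        findings.append({"proto": proto, "port": port, "bind": addr,
                         "service": name, "severity": severity, "fix": fix})
    return findings


def audit_credentials(accounts: dict):
    """Return the usernames whose (user, password) pair is still a factory default."""
    return sorted(u for u, p in accounts.items() if (u.lower(), p.lower()) in DEFAULT_CREDS)


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS):
        print(f"{f['severity']:4} {f['proto']}/{f['port']:<5} {f['bind']:>12}  {f['service']}: {f['fix']}")
    # constructed account table standing in for the device's admin settings
    print("default credentials still set:", audit_credentials({"Admin": "Admin", "root": "root", "alice": "c0rrect-h0rse"}))
```

On a real device, replace `SAMPLE_SS` with the output of `ss -Hlntu` (or the equivalent `netstat` listing, after adjusting the regex) and the account table with the device’s configured administrators; any HIGH finding is a port to close or block at the router, and any name returned by `audit_credentials` is a password to change before the device goes online.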
None of these measures is specific to Mirai and Satori; they are the basics of security. However, because there are so many IoT devices, if even one device in the system has inadequate security, infection will spread immediately through that gap.
It is important to take basic security measures firmly so that you neither become a victim nor let your system become a springboard for attacks on others.