The destructive Mirai botnet is back, now known as Mirai Okiru, and is targeting Internet-connected devices built on ARC processors. ARC (Argonaut RISC Core) processors are the second most widely used processors on the planet, and are found in all sorts of Internet-connected devices, from car tech to smartphones to TVs and cameras.
There are billions of devices worldwide that make use of ARC processors. The goal of Okiru, which means “wake up” in Japanese, is to knock them offline via DDoS attacks. It is the first malware strain aimed specifically at ARC processors.
Independent security researcher @_odisseus tweeted: “From this day, the landscape of #Linux #IoT infection will change. #ARC cpu has produced #IoT devices more than 1 billion per year. So these devices are what the hackers want to aim to infect #ELF #malware with their #DDoS cannons. It will be a serious threat. #MalwareMustDie!”
@_odisseus acknowledged that credit was due to @unixfreaxjp of the MalwareMustDie team, who first spotted the Okiru sample.
ARC processors are used in desktops, servers and laptops as much as in IoT devices. However, the situation is made more challenging by the fact that IoT device security is notoriously weak, which makes these devices an easy attack surface to compromise and herd into botnets.
The file-scanning service VirusTotal reports that only 19 anti-virus engines detect the Mirai Okiru sample. Even those will only be effective if they can actually be deployed to protect networks of IoT devices. Security Affairs journalist Pierluigi Paganini said “the Mirai Okiru was undetected by almost all the antivirus engines at the time of its discovery”, likely because this is the first malware to target ARC-based systems.
In October 2016, the original Mirai botnet was used to attack DNS provider Dyn with a powerful DDoS attack, knocking offline many of the websites it served (including Twitter, CNN, Reddit and Netflix) and disrupting service across the US and Europe. Unlike earlier botnets, which had traditionally been built from networks of computers, the Mirai botnet was unique at the time because it was made up of IoT devices such as DVR players and digital cameras, which bombarded the Dyn servers with traffic until they collapsed under the vast volume of requests.
After Pierluigi Paganini wrote about the Mirai Okiru botnet on Security Affairs, Italy’s CERT (Computer Emergency Response Team) noted that “the domain was subject to a massive DDoS attack that inhibited access for about an hour”.
Another variant of the Mirai malware, dubbed Satori and sometimes also referred to as Okiru, was discussed in the security press back in December. Satori was deployed to attack hundreds of thousands of Huawei routers via a zero-day vulnerability.
Despite some similarities (both are Linux IoT DDoS malware), Mirai Okiru is said to be “very different” from the Mirai Satori variant. A thread on the LinuxMalware subreddit discusses some of these differences, including “from the way they are coded, their plan to pick the targets, to how they are actually herded (or managed)”.
Security researchers and journalists are now on tenterhooks. CSO journalist Ms. Smith, for instance, poses the question: “If you think back on the havoc wreaked by 100,000 devices taken over by the Mirai botnet in 2016, what hell can be unleashed in 2018 if attackers gain control of millions of ARC-based IoT devices for the Mirai Okiru DDoS botnet?”