Satori Malware Aims at D-Link Routers
Satori isn’t new malware, but it’s the most infamous of its kind in the IoT world. Satori is a malicious application that scans the Internet for vulnerable devices and adds each one it compromises to its botnet. It’s terribly effective for botnet creators – good for the attackers, bad for the innocent bystanders whose devices are conscripted. The result is that an unsuspecting user can be part of a botnet with little to no indication that their device is attacking a public site at any given moment. The latest turn in Satori’s attack campaign focuses on D-Link routers, personal devices installed in many homes across the globe.
Building Better Malware after Detection
Satori’s success stems from a popular underground malware application called Mirai. Mirai was released on popular hacker forums after its writer indicated that he wanted to make the source public for other attackers. After its release, several potent malware attacks were launched, and even some of the most secure sites fell victim to them. For instance, the widely reported DNS DDoS attack several years ago stemmed from Mirai and its ability to infect IoT devices at the attackers’ beck and call.
Any malware writer must evolve. Cyber security experts detect new threats and build vulnerability detection and defense software, which makes a malware writer’s application obsolete. Obsolete malware is the bane of an attacker’s existence, so they constantly discover new routes of infection and build better systems to infiltrate and infect networks. It could be something as simple as a way to infect a computer that then becomes part of a botnet, either through a trojan or through some other type of infection. It could also be part of a higher-level IoT botnet such as Mirai, whose connected devices include routers and mobile devices. Whatever the route of infection, Mirai has proven a formidable adversary against many of the best anti-malware applications and services on the market.
D-Link Routers are the Latest Target
In the last few days, Satori has specifically targeted D-Link home routers. Most of the infected routers were older models that have been around for at least several years. Satori, and more specifically Mirai, target small home devices where the user leaves the default administrator username and password intact. Because this data is published publicly by the router manufacturer, it is a common part of attacks: the attacker can simply guess the password, relying on users’ failure to change the admin credentials. Users who buy these routers and install them blindly onto their network do not realize how many vulnerabilities they introduce when they don’t take the time to change the admin username and password. This is why Mirai and Satori are so effective at finding vulnerable devices and dropping malware on them.
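The default-credential pattern described above leaves a recognizable trace in a router’s authentication log: a run of failed admin logins from one source, often followed by a success under a factory-default account name. The following added example (not code from the article, from D-Link, or from any Satori analysis) shows the detection logic a defender would run over such a log. The log format, the source addresses, the timestamps and the DEFAULT_USERNAMES list are all constructed for illustration; a real deployment would substitute the device’s actual log format and documented default account names.

```python
"""Flag credential guessing against a router admin interface from auth logs.

Added example, not from the original article. Everything here is
constructed: the log line format, the sample addresses (RFC 5737 ranges)
and the DEFAULT_USERNAMES list are illustrative placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO timestamp> auth <ok|fail> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Hypothetical factory-default account names to watch for; load the
# device's documented defaults here in a real deployment.
DEFAULT_USERNAMES = {"admin", "root", "user"}

FAIL_THRESHOLD = 5             # failures from one source before alerting
WINDOW = timedelta(minutes=2)  # sliding window over which failures count


def parse_line(line):
    """Return a dict for a well-formed line, or None for lines we don't recognise."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect(lines):
    """Return a list of (kind, src, detail) alerts.

    kind is 'guessing' when one source exceeds FAIL_THRESHOLD failures inside
    WINDOW, and 'default_login' when a default account name logs in
    successfully from a source that already had failed attempts.
    """
    failures = defaultdict(list)  # src -> timestamps of recent failed attempts
    alerted = set()               # sources already reported for guessing
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:           # unrelated log noise is skipped, not fatal
            continue
        src, ts = rec["src"], rec["ts"]
        if rec["result"] == "fail":
            recent = [t for t in failures[src] if ts - t <= WINDOW]
            recent.append(ts)
            failures[src] = recent
            if len(recent) >= FAIL_THRESHOLD and src not in alerted:
                alerted.add(src)
                alerts.append(("guessing", src, f"{len(recent)} failures in {WINDOW}"))
        elif rec["user"] in DEFAULT_USERNAMES and failures[src]:
            alerts.append(
                ("default_login", src,
                 f"user={rec['user']} after {len(failures[src])} failures")
            )
    return alerts


# Constructed sample log: one source guesses default names and gets in,
# one source fails once and gives up, one legitimate non-default login.
SAMPLE_LOG = [
    "2024-01-01T10:00:00 auth fail user=admin src=198.51.100.7",
    "2024-01-01T10:00:05 auth fail user=root src=198.51.100.7",
    "2024-01-01T10:00:10 auth fail user=admin src=198.51.100.7",
    "2024-01-01T10:00:15 auth fail user=user src=198.51.100.7",
    "2024-01-01T10:00:20 auth fail user=admin src=198.51.100.7",
    "2024-01-01T10:00:25 auth ok user=admin src=198.51.100.7",
    "kernel: eth0 link up",
    "2024-01-01T10:01:00 auth fail user=admin src=203.0.113.5",
    "2024-01-01T10:02:00 auth ok user=netops src=192.0.2.10",
]


def demo():
    """Run the detector over the constructed sample and return its alerts."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for kind, src, detail in demo():
        print(f"{kind:14s} {src:16s} {detail}")
```

The two alerts the sample produces, both for 198.51.100.7, are the pair a defender cares about: the guessing run alone says someone is probing the admin interface, and the successful default-account login right after it says the device still had its factory credentials. The single failure from 203.0.113.5 and the normal login from 192.0.2.10 produce nothing.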
According to Ars Technica, many D-Link routers are already infected across the globe. Brazil is the country with the most infected devices, and the United States is only fourth on the list. Ars Technica also notes that this news comes after Russian spies were able to infect more than 500,000 routers recently. That infection was found by researchers and generally ignored by the public, which has now led to more infections and vulnerabilities in the open market of consumer network devices.
The unfortunate part of this attack is that there are currently no directions or advice from D-Link, the manufacturer. The only current advice is to replace the router, which is fairly easy for a home network but not so easy for someone who does not know how to reprogram and protect a device.