GATEKEEPER BLOG


Satori Malware Aims at D-Link Routers

Satori isn’t new malware, but it’s the most infamous of its kind in the IoT world. Satori is a malicious application that scans the Internet for vulnerable devices and adds each one it can compromise to its botnet. It’s terribly effective for botnet creators – good for malware attackers but bad for innocent bystander users. The result: an unsuspecting user can be part of a botnet with little to no indication. The latest in Satori’s attack system focuses on D-Link routers – personal devices installed in many homes.

Building Better Malware after Detection

Satori’s success stems from a popular underground malware application called Mirai. Mirai’s source code was released on popular hacker forums after its writer indicated that he wanted to make it public for other attackers. After its release, several highly potent malware attacks were launched. Even the most secure of sites fell victim to this onslaught. For instance, the widely reported DNS DDoS attack several years ago stemmed from Mirai and its ability to infect IoT devices at the attackers’ beck and call.

Any malware writer must evolve. Cyber security experts detect new malware and build vulnerability detection and defense software, which makes a malware writer’s application obsolete. Obsolete malware is the bane of an attacker’s existence, so attackers constantly discover new routes of infection and build better systems to infiltrate and infect networks. It could be something as simple as a way to infect a computer that can then become part of a botnet, either through a trojan or through some other type of infection. It could also be part of a higher-level IoT botnet such as the Mirai-connected devices. This includes routers and mobile devices. Whatever the route of infection, Mirai has proven a capable adversary against many of the best anti-malware applications and services on the market.

D-Link Routers are the Latest Target

In the last few days, Satori has specifically targeted D-Link home routers. Most of the routers infected were older ones that have been around for at least several years. Satori, and more specifically Mirai, target small home devices where the user leaves the default administrator username and password intact. This works because the router manufacturer makes this information public. Guessing a default password that the user never changed is a common part of these attacks. Users that buy these routers and then install them blindly onto their network do not know how many vulnerabilities they introduce. This is why they must change the default password immediately, and it is why Mirai and Satori are so effective at finding vulnerable devices and dropping malware on them.
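The credential-guessing behaviour described above leaves a trace on the router itself: a burst of failed admin logins from one source, sometimes followed by a success. The script below is an added example written for this post (it is not GateKeeper’s or D-Link’s code) that scans router authentication log lines for that pattern. The log line format, the `authd` tag and the sample addresses are all constructed assumptions; a real device’s syslog format will differ and the regular expression would need adjusting.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical syslog-style format.
# The addresses come from the documentation ranges 203.0.113.0/24 and
# 198.51.100.0/24; nothing here is taken from a real device.
SAMPLE_LOG = """\
Jun 20 10:01:02 router authd: login failed user=admin from=203.0.113.5 service=telnet
Jun 20 10:01:03 router authd: login failed user=admin from=203.0.113.5 service=telnet
Jun 20 10:01:04 router authd: login failed user=root from=203.0.113.5 service=telnet
Jun 20 10:01:05 router authd: login failed user=admin from=203.0.113.5 service=telnet
Jun 20 10:01:06 router authd: login failed user=admin from=203.0.113.5 service=telnet
Jun 20 10:01:07 router authd: login ok user=admin from=203.0.113.5 service=telnet
Jun 20 10:05:00 router authd: login failed user=admin from=198.51.100.9 service=http
Jun 20 10:30:00 router authd: login ok user=admin from=192.168.0.10 service=http
"""

# Assumed line layout: "<Mon> <day> <HH:MM:SS> <host> authd: login <failed|ok> user=... from=... service=..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ authd: "
    r"login (?P<result>failed|ok) user=(?P<user>\S+) from=(?P<src>\S+) service=(?P<svc>\S+)$"
)


def parse_line(line, year=2018):
    """Parse one log line into a dict, or return None if it does not match.
    Syslog lines carry no year, so the caller supplies one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"],
            "src": m["src"], "svc": m["svc"]}


def analyze(log_text, window=timedelta(seconds=60), threshold=5):
    """Return (guessing, compromised).

    guessing:    source address -> peak number of failed logins seen inside
                 one sliding `window`, for sources that reached `threshold`.
    compromised: sources that later logged in successfully after being
                 flagged, which suggests a default or guessed password worked.
    """
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    guessing = {}
    compromised = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                      # ignore lines in other formats
        q = recent[ev["src"]]
        if ev["result"] == "failed":
            q.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                guessing[ev["src"]] = max(guessing.get(ev["src"], 0), len(q))
        elif ev["src"] in guessing:
            compromised.add(ev["src"])
    return guessing, compromised


if __name__ == "__main__":
    guessing, compromised = analyze(SAMPLE_LOG)
    for src, count in guessing.items():
        print(f"credential guessing from {src}: {count} failures in window")
    for src in compromised:
        print(f"successful login from {src} after guessing burst: check admin password")
```

The threshold and window are deliberately conservative; a home router sees very few legitimate admin logins, so even five failures in a minute from one address is worth a look. A flagged source that then logs in successfully is the strongest signal that the default credentials were still in place.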

According to Ars Technica, several D-Link routers are already infected across the globe. Brazil is the country with the most infected devices, and the United States is only fourth on the list. Ars Technica also indicates that this news comes after Russian spies were able to infect more than 500,000 routers recently. Researchers uncovered this threat, but the public generally ignored it. That has now led to more infections and vulnerabilities in the open market of mobile devices.

The unfortunate part of this attack is that currently there are no directions or advice from D-Link, the manufacturer. The only current advice is to replace the router. This is fairly easy for a home network, but not so easy for someone who does not know how to reprogram and protect a device.

There are plenty of other cyber threats lurking out there. Routers, extensions, applications, email, and anything else can be a vulnerability.


See GateKeeper Enterprise advanced MFA in action.

Take a self-guided tour of how you can evolve from passwords. Then you're really saving time with automation.