Satori: Not just for IoT anymore
Satori is a modified version of the open source Mirai botnet malware. Mirai took control of so-called Internet-of-Things devices and caused them to participate in distributed denial-of-service attacks that paralyzed large swaths of the Internet in 2016. When Satori appeared in December, the underlying code was significantly overhauled. Instead of infecting devices that were secured with easily guessable default passwords, it exploited programming vulnerabilities in the device firmware. In early December, Satori had infected more than 100,000 devices and reportedly grew much bigger in the following weeks.
According to a Netlab 360 researcher who goes by the name RootKiter and wrote in Wednesday’s post, the Satori version that appeared on January 8 continues to exploit two IoT vulnerabilities. But, RootKiter continued, the new version also exploits the weakness in the Claymore Mining software.
It’s not clear precisely how the new variant is infecting mining computers. At least one vulnerability has been reported in the Claymore Mining software, along with a corresponding vulnerability. Wednesday’s post said Satori isn’t exploiting it. Instead, Wednesday’s post said Satori “works primarily on the Claymore Mining equipment that allows management actions on 3333 ports with no password authentication enabled (which is the default config).”
To prevent further abuse, Netlab 360 said it wasn’t providing further details. Developers of the Claymore Mining software didn’t respond to an email seeking comment for this post.
Oddly, the developer of the new variant left a message on infected computers that reads:
Satori dev here, dont be alarmed about this bot it does not currently have any malicious packeting purposes move along. I can be contacted at curtain@riseup.net
The message is demonstrably untrue, since malware that uses other people’s computers and electricity to mine cryptocurrency is by definition malicious.