New DDoS botnet Mirai Okiru Preys on ARC powered IoT devices

Mirai malware and its many variants which have targeted CPU architectures in the past, is now targeting the second most popular type of CPU core – ARC processors.

Meet Mirai Okiru, the Mirai variant targeting ARC processors, which are embedded processors used in IoT, auto, mobile, TVs, cameras and a nearly endless list of products – CPUs reportedly shipped in over a billion products per year. Brace yourself for the botnet targeting ARC-based IoT devices.

According to security researcher Odisseus:

This is the FIRST TIME ever in the history of computer engineering that there is a malware for ARC CPU, & it is #MIRAI OKIRU!!
Pls be noted of this fact, & be ready for the bigger impact on infection Mirai (specially #Okiru) to devices hasn’t been infected yet.#MalwareMustDie pic.twitter.com/y8CRwwkenA

— Odisseus (@_odisseus) January 14, 2018

You may remember hearing about the Mirai malware variant Satori (pdf) back in December; it was sometimes also called Okiru. Satori was used to attack “hundreds of thousands” of Huawei routers. The exploit was released for “free” on Christmas by what NewSky Security dubbed a blackhat Santa.

Despite the similarities of the two type of Linux IoT DDoS malware, Mirai Okiru is “very different” from the Mirai Satori variant. The differences were pointed out on the subreddit LinuxMalware.

According to the translated version of CERT-PA’s post:

The MMD researchers who have already proceeded to release the Yara rules to identify this new variant of Mirai, have compared Okiru with the previous Mirai botnet called Satori. According to the observations of the researchers, the Okiru configuration is encrypted in two parts and the attack via Telnet is much more incisive as it uses a list of over 100 credentials (114 are the credentials counted by MMD).

Odisseus noted that it is important to understand the differences and have different signatures to detect both. Read more