INTERNET OF BROKEN THINGS —

A potent botnet is exploiting a critical router bug that may never be fixed

With Internet stability hanging in the balance, router maker maintains radio silence.

A Dasan Networks router similar to this one is under active exploit by the potent Satori botnet.
A Dasan Networks router similar to this one is under active exploit by the potent Satori botnet.

A fast-moving botnet that turns routers, cameras, and other types of Internet-connected devices into potent tools for theft and destruction has resurfaced again, this time by exploiting a critical vulnerability that gives attackers control over as many as 40,000 routers. Despite the high stakes, there's no indication that the bug will be fixed any time soon, if at all.

Satori, as the botnet has been dubbed, quickly made a name for itself in December, when it infected more than 100,000 routers in just 12 hours by exploiting critical vulnerabilities in two models, one made by Huawei and the other by RealTek. Last month, Satori operators released a new version that infected devices used to mine digital coins, a feat that allowed the attackers to mine as much as $3,000 worth of Ethereum, based on prices the digital coin was commanding at the time.

In recent days, Satori has started infecting routers manufactured by Dasan Networks of South Korea. The number of daily infected routers is about 13,700, with about 82 percent of them located in Vietnam, a researcher from China-based Netlab 360 told Ars. Queries on the Shodan search index of Internet-connected devices show there are a total of more than 40,000 routers made by Dasan. The company has yet to respond to an advisory published in December that documented the code-execution vulnerability Satori is exploiting, making it possible that most or all of the devices will eventually become part of the botnet.

"We tried to contact Dasan since October 8, 2017," researchers from vulnerability disclosure service SecuriTeam wrote in the December 6 advisory. "Repeated attempts to establish contact went unanswered. At this time, there is no solution or workaround for this vulnerability." In an email sent Wednesday, Noam Rathaus, CTO of SecuriTeam's parent company Beyond Security, wrote:

We tried to contact Dasan several times since October. By "several times" I mean probably over 10 emails, several phone calls, and requests to both their support and their sales departments.

Since we were aware that there may be a possible language barrier, we went as far as having the head of our Korean office send them the full explanation in Korean with an invitation to communicate directly with us to coordinate the disclosure; our Korean office tried to contact them via email and over the phone but, except for a short confirmation that they have received our communication, we never got any updates.

Attempts by Ars to contact Dasan representatives weren't immediately successful.

Nearly endless supply of vulnerabilities

Satori is based on Mirai, the open source Internet of Things malware that powered a series of botnets that delivered record-breaking distributed denial of service attacks in 2016 and debilitated core parts of the Internet for days. Unlike thousands of other Mirai variants, Satori featured a key improvement. Whereas Mirai and its imitators could infect only devices that were secured with easily guessed default passwords, Satori exploited firmware bugs, which often go unpatched, either because of manufacturer negligence or the difficulty device owners face in patching their devices.

"The Satori developer is actively updating the malware," Netlab 360 researcher Li Fengpei wrote in an email. "In the future, if Satori makes more headlines, we will not be surprised."

Like most IoT malware, Satori infections don't survive a device reboot. That means the December infections of the Huawei and RealTek devices—which Netlab 360 estimates totaled 260,000—are largely gone. The botnet, however, has managed to persist thanks to a nearly endless supply of vulnerabilities in other IoT devices. Besides the infection methods already mentioned, Satori has also managed to spread by exploiting flaws in custom versions of the GoAhead Web server that are embedded in wireless cameras and other types of IoT devices, researchers from security firm Fortinet reported two weeks ago. A GoAhead spokesman told Ars: "The flaw isn’t really in the implementation of the web server, but in the web application that uses it, i.e. just because a device has GoAhead does not mean it is vulnerable."

Pascal Geenens, a researcher at security firm Radware who reported the new Satori variant on Monday, told Ars it's not entirely clear what the purpose of the botnet is. Last month's variant, mentioned earlier, that infected the Claymore Miner software for generating cryptocurrency may provide a key clue. The variant, Geenens said, is a strong indication that Satori operators want to steal digital coins or computing resources used to generate them. He said both the Claymore and Dasan variants rely on the same command-and-control infrastructure and that the word Satori is included in the binary files of both versions.

Piotr Bazydło, a researcher at the NASK Research and Academic Computer Network, told Ars that he believes the new variant may have infected as many as 30,000 routers so far and that Satori developers likely have plans for new attacks in the near future.

"I guess they are trying to follow the trend and provide a botnet for cryptocurrency mining/stealing," he wrote in an email. "People should be aware that there may be more variants of Satori in the future, [and] thus other IoT devices may be targeted."

This post was updated on 2/15/2018 to add comment from GoAhead.

Channel Ars Technica