A new variant of the Mirai malware puts ARC processors at risk of being exploited.
The Mirai variant, known as Okiru, is the first malware that is able to infect Argonaut RISC Core (ARC) processors, according to a researcher known as unixfreaxjp at the malware security group MalwareMustDie.
ARC processors are used in a wide range of internet-of-things (IoT) devices, such as cellphones, televisions, cameras and cars.
It’s thought that there are approximately 1.5 billion devices worldwide with ARC processors in them that could be vulnerable to Okiru.
In 2016, Mirai malware was used to create a botnet of 100,000 IoT devices that caused a series of problems, such as shutting down domain name system (DNS) provider Dyn.
However, in a tweet, security researcher Odisseus warned that Okiru could have a bigger impact than Mirai.
This is the FIRST TIME ever in the history of computer engineering that there is a malware for ARC CPU, & it is #MIRAI OKIRU!!
Pls be noted of this fact, & be ready for the bigger impact on infection Mirai (specially #Okiru) to devices hasn’t been infected yet.#MalwareMustDie pic.twitter.com/y8CRwwkenA
— Odisseus (@_odisseus)
January 14, 2018
“The landscape of Linux IoT infection will change,” Odisseus said.
A Mirai malware variant called Satori, which was uncovered in December 2017, took down hundreds of thousands of Huawei routers. Satori was also sometimes called Okiru, but the two have significant differences, according to Security Affairs’ Pierluigi Paganini.
Okiru’s configuration is different because it “is encrypted in two parts,” but Satori’s is not, Paganini wrote in a blog post. “Also Okiru’s telnet attack login information is a bit longer,” Paganini explained, noting that the login information can be up to 114 credentials, but Satori has a “different and shorter database.”
At the time of this writing, the detection ratio on VirusTotal was 29-58. When Odisseus tweeted about the botnet threat earlier this week, it was only at 5-60.
In other news:
- Google launched a new tool for enterprise security called G Suite Security Center. The tool will be available to G Suite Enterprise users and is automatically accessible in the admin console. In a blog post, Google stated the three objectives of the security center are to show a “snapshot” of security metrics, to help enterprises stay ahead of security threats and to recommend ways for enterprises to improve their security posture. “We want to make it easy for you to manage your organization’s data security,” Google product managers Chad Tyler and Reena Nadkarni wrote in a blog post. “A big part of this is making sure you and your admins can access a bird’s eye view of your security — and, more importantly, that you can take action based on timely insights.” The security center will consist of a dashboard that shows the security metrics and the “security health” recommendations.
- The Internet Systems Consortium (ISC) put out a security advisory warning of a vulnerability in the Berkeley Internet Name Domain (BIND) DNS software. The vulnerability, with severity ranked “high,” was remotely exploitable and reportedly caused some DNS servers to crash. “BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named,” ISC said in its advisory. The vulnerability was found in BIND versions 9 and later, but not in earlier versions, so the ISC advised users to upgrade to the latest version. There have been no known active exploits, but the advisory stated that “crashes due to this bug have been reported by multiple parties.”