IoT malware evolves to exploit zero-day vulnerabilities


12 January 2018

Unlike early IoT malware that leveraged default or weak passwords to attack devices, new malware families are starting to exploit either known vulnerability or even zero-day vulnerabilities.

An example is the emergence of Satori, a derivative of the Mirai IoT botnet.  According to new research by Palo Alto Networks Unit 42, Satori is one of the first zero-day attacks against an unpatched vulnerability in IoT devices. A version of Satori was found active in late November 2017, exploiting a zero-day vulnerability in Huawei’s HG532e home gateway that was patched in December 2017.

There main variants of the Satori family have been identified. The first scans the Internet and checks which IP address is vulnerable in the telnet login by attempting different passwords. The second variant added a packer, a software that can compress and encrypt a program while still remaining executable. This is often done to evade static detection. The third variant uses exploits for two remote code execution vulnerabilities, including one zero-day vulnerability.

Palo Alto Networks noted that in response to early IoT malware families like Gafgyt and the original Mirai family which exploited default or weak passwords, users and manufacturers began changing default passwords and/or hardening passwords.

This led malware authors to change tactics to exploit known vulnerabilities for specific IoT devices. As IoT vendors started patching these vulnerabilities, the next step for attackers has been to move to a classic zero-day attack against unknown, unpatched vulnerabilities.

According to a Palo Alto Networks blog, Satori reuses some of Mirai’s source code to achieve the telnet scanning and password brute force attempting functionalities. It also identifies the type of IoT device and shows different behaviors in different device types. “We believe that the Satori’s author has started to reverse engineer the firmware of many IoT devices to collect device’s typical information and discover new vulnerabilities. If this is correct, we may see future versions of Satori attacking other unknown vulnerabilities in other devices,” said Palo Alto.