Satori botnet suddenly activated over 280,000 active bots




Cybersecurity experts reported that the new botnet dubbed Satori has been seen active on over 280,000 different IPs within just 12 hours.

Satori in Japanese means "awakening" and is a variant of Mirai IoT DDoS malware.

Li Fengpei of Qihoo 360 Netlab says the Satori variant came to life out of the blue and started scans on ports 37215 and 52869.

However, the Mirai Satori variant differs quite well from all previous pure Mirai variants.

Previous versions of Mirai infected IoT devices and then downloaded a Telnet scanner that was trying to find other victims and infect them with the Mirai bot.

The Satori variant does not use a scanner but uses two embedded exploits that will try to connect to remote devices on ports 37215 and 52869.

This makes Satori an IoT worm that is able to spread itself without the need for separate components.

Mysterious Huawei exploit (zero-day?)

Li Fengpei says the telemetry collected by Netlab's infrastructure has observed 263,250 different IPs scanning port 37215, and 19,403 IPs scanning port 5286 in just 12 hours. That's over 280,000 bots in half a day.




The success of Satori is largely due to the exploit it delivers on port 37215. According to Li Fengpei's description, it is obviously zero-day.

"The one on port 37215 is not fully disclosed yet, our team has been tracking this in the last few days and got quite some insight, but we will not discuss it," Li Fengpei said.




The other exploit, on port 52869, this is for a known and old vulnerability in Realtek devices (CVE-2014-8361), which most likely has been fixed in some devices, so, scans for this exploit are less successful.

Li Fengpei also points out that there are clues linking the botnet created with the Mirai Satori variant with another Mirai-based botnet that appeared last month and reached about 100,000 bots, most located in Argentina.

It is not clear whether the same hacker manages both botnets, or not, but the current Mirai Satori variant and the previous Mirai-based have common filenames and static features, and some of the C2 protocols.

Would you like to comment on this article?


Latest news


Hacker removed malware from Netgear site, the company failed to do so for 2 years

An anonymous hacker has removed malware from a Netgear site after the company failed to clean up a malware infection for more than two years.


Hacker robbed church in Northern Ireland

The hacker told the priest that the church computer should be remotely accessible to fix an internet problem.


Synaptics to remove keylogger from its drivers

The company has decided to remove the keylogger functionality from its products.

Sign up for our online newsletter!