
New Mirai Variant Threatens Billions of ARC IoT Processors


Think the Mirai botnet attack that brought the Internet to its knees and infected more than 2.5 million Internet of Things (IoT) devices and systems worldwide couldn’t be topped? Perhaps you remember last October’s discovery by security monitors Check Point and China’s Qihoo 360 of a new IoT botnet they dubbed “IoTroop” -- others called it “The Reaper” -- cementing IoT cyber zombies as officially a menacing thing.

Both may play second fiddle compared to the botnet that has just been spotted by @unixfreaxip from the MalwareMustDie team, the same researcher who found Mirai in August 2016. Consider the IoT already blanched by Mirai Okiru, such is the nature of the possible conflagration: It’s aimed squarely at ARC (Argonaut RISC Core) embedded processors, commonly used in IoT devices and applications such as smart home gadgets, cars, televisions, and much more, spanning about 1.5 billion products annually and 200 licensees.

Without doubt, the super-sized IoT playing field makes unfathomable the potential destruction Mirai Okiru could deliver, to say nothing of the digital theft and other nefarious things it could drop on devices worldwide. In some respects, that goes without saying, and it raises the wider question: Standards, alliances, pledges and sincere intentions notwithstanding, can the IoT ever be sufficiently secured given its disposition?

Securing low-level hardware is challenging but not hopeless, said Mike Schuricht, Bitglass products vice president. "Where endpoints are vulnerable, sensitive corporate data is also at risk," he said. "Organizations can do little to prevent these attacks, but can take steps to encrypt, track, and protect data when it flows to any endpoint, managed or unmanaged."

Mirai Okiru is apparently the first Linux Executable and Linkable Format (ELF) malware designed to infect the ARC CPU architecture. When it was unearthed, it had gone undetected by antivirus engines, wrote security evangelist Pierluigi Paganini in a blog post.

Here’s what @unixfreaxip said: (via Paganini)

“From this day, the landscape of #Linux #IoT infection will change. #ARC cpu has produced #IoT dervices (sic) more than 1 billion per year. So these devices are what the hackers want to aim to infect #ELF #malware with their #DDoS cannons. It’s a serious threat will be.”

“!! Please be noted of this fact, and be ready for the bigger impact on infection Mirai (specially Okiru) to devices that hasn’t been infected yet.”

“#Mirai #Okiru variant is very dangerous, if you see how the coder made specific ‘innovative modification’ in its variant codes+encryption you’ll see what I mean, & now they are the 1st malware to aim #ARC core. These guys can make greater chaos if not be stopped. Mark my word.”

The distinctions between Mirai Okiru and the Mirai Satori variant, which plagued Huawei routers at the close of last year, evidently are important to note. From MalwareMustDie: (via Paganini)

“From what we observe so far, these two types are very different, (among of several common similar characteristic), we think it is good to have different rules to detect Mirai variant Okiru and Satori.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.