First IoT ARC Botnet "Okiru" Discovered


A concerning world first in the discovery of a binary designed to compromise ARC processors leads to heightened botnet warnings for IT security pros

Big botnets aren’t really news - there are plenty of them around, and they are occasionally refitted (as with the Satori IoT botnet) or enhanced and retargeted. Indeed, there was a 37% increase in botnet command-and-control (C&C) listings in 2017, with the majority (68%) of them hosted on servers run by the threat actors themselves, according to the Spamhaus Botnet Threat Report 2017.

However, security researchers have detected a new and potentially devastating threat: a retuned variant of the Mirai botnet named "Okiru" (Japanese for "wake up"), which appears to be the first ever malware developed for ARC-based systems.

RISC-based ARC embedded processors are used in a variety of internet-connected products including cars, mobiles, TVs, cameras and more, adding up to more than a billion shipped devices. The potential for a massive IoT botnet to wreak havoc - as the original Mirai did in October 2016 when it was used to DDoS DNS service provider Dyn - is significant.
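For anyone triaging suspected Mirai-family samples, the practical question the Okiru discovery raises is simply "which CPU was this binary built for?". The architecture of a Linux ELF executable is recorded in the `e_machine` field of its header, and ARC cores have their own registered values (45 for the original ARC, 93 for ARCompact, 195 for ARCv2). The following Python snippet is an added example, not code from the article or the researchers it cites: it parses the ELF identification bytes and `e_machine`, flags ARC targets, and is exercised on constructed header fragments rather than real malware.

```python
import struct

# Subset of e_machine values from the ELF specification (glibc elf.h).
# Mirai builds have historically shipped for the non-ARC entries below.
ELF_MACHINES = {
    3: "x86",
    4: "m68k",
    8: "MIPS",
    20: "PowerPC",
    40: "ARM",
    42: "SuperH",
    45: "ARC (original)",
    62: "x86-64",
    93: "ARCompact (ARC600/ARC700)",
    183: "AArch64",
    195: "ARCv2 (ARC EM/HS)",
}
ARC_MACHINES = {45, 93, 195}


def elf_target(data: bytes):
    """Return (machine_name, is_arc) for an ELF image; raise on non-ELF input."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_data = data[5]  # EI_DATA: 1 = little-endian, 2 = big-endian
    if ei_data == 1:
        endian = "<"
    elif ei_data == 2:
        endian = ">"
    else:
        raise ValueError("unknown EI_DATA value %d" % ei_data)
    # e_machine is a 16-bit field at offset 18, stored in the file's endianness.
    (e_machine,) = struct.unpack_from(endian + "H", data, 18)
    name = ELF_MACHINES.get(e_machine, "unknown (e_machine=%d)" % e_machine)
    return name, e_machine in ARC_MACHINES


def make_header(e_machine: int, little_endian: bool = True) -> bytes:
    """Build a minimal 32-bit ELF header fragment (constructed test data, not a real sample)."""
    e_ident = b"\x7fELF" + bytes([1, 1 if little_endian else 2, 1]) + b"\x00" * 9
    endian = "<" if little_endian else ">"
    # e_type = 2 (ET_EXEC), e_machine, e_version = 1
    return e_ident + struct.pack(endian + "HHI", 2, e_machine, 1)


def triage(samples: dict) -> dict:
    """Map sample name -> architecture label, marking ARC builds explicitly."""
    results = {}
    for name, data in samples.items():
        try:
            machine, is_arc = elf_target(data)
        except ValueError as exc:
            results[name] = "skipped: %s" % exc
            continue
        results[name] = ("ARC target: " if is_arc else "") + machine
    return results


# Constructed sample set: one ARCv2 build, one ARM build, one big-endian MIPS build,
# and one non-ELF blob, standing in for a directory of dropped Mirai payloads.
SAMPLES = {
    "okiru.arc": make_header(195),
    "mirai.arm7": make_header(40),
    "mirai.mips": make_header(8, little_endian=False),
    "readme.txt": b"not an executable",
}

if __name__ == "__main__":
    for sample, verdict in triage(SAMPLES).items():
        print("%-12s %s" % (sample, verdict))
```

A real triage script would read the first 64 bytes of each file from disk instead of the constructed headers used here; the parsing logic is identical for 64-bit ELF, since `e_machine` sits at the same offset in both header layouts.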

The researchers said they had no estimate of current levels of device infection, but attributed the first sample identification to Twitter user @unixfreaxjp.

Ilia Kolochenko, CEO, High-Tech Bridge, pointed to the asymmetric nature of DDoS as an ongoing concern: “Quite often DDoS attacks are used by professional Black Hats to distract IT security teams and cover massive data breaches. The DDoS attack in general is quite simple to organize, but very difficult and expensive to mitigate.

“As more and more insecure devices are connected to the Internet, from smart watches to coffee machines, cybercriminals won’t miss their chance to turn them into zombies to reinforce their DDoS botnets. In the next couple of years, we may arrive at a situation when several hacking groups will be able to “censure” and temporarily shut down even such companies as Google.”

Meanwhile, Kaspersky researchers have reported a uniquely powerful Android malware strain in the wild. Dubbed SkyGoFree - a clue to the infection vector - the malware can spy on communications, even WhatsApp conversations, collect passwords and track user devices to the point of being able to trigger location-based audio recording.

According to the researchers the malware began life in 2014, but it has been considerably enhanced since then, evolving into a powerful and sophisticated spy tool. One example of that sophistication is a self-protection feature written exclusively for Huawei devices: by adding itself to the ‘protected apps’ list on this brand’s smartphones, the malware keeps running when the screen is off, skirting the battery-saving routines that would otherwise kill it.

The malware is most active in Italy, according to the researchers, but the likelihood of it being used in corporate-espionage spear-phishing campaigns seems high.