Okiru malware puts billions of connected devices at risk

News roundup: Okiru, a new Mirai variant, could put over 1.5 billion devices at risk of a botnet. Plus, G Suite Enterprise now comes with a security center, and more.

A new variant of the Mirai malware puts ARC processors at risk of being exploited.

The Mirai variant, known as Okiru, is the first malware that is able to infect Argonaut RISC Core (ARC) processors, according to a researcher known as unixfreaxjp at the malware security group MalwareMustDie.

ARC processors are used in a wide range of internet-of-things (IoT) devices, such as cellphones, televisions, cameras and cars.

It's thought that there are approximately 1.5 billion devices worldwide with ARC processors in them that could be vulnerable to Okiru.

In 2016, Mirai malware was used to create a botnet of 100,000 IoT devices that caused a series of problems, such as shutting down domain name system (DNS) provider Dyn.

However, in a tweet, security researcher Odisseus warned that Okiru could have a bigger impact than Mirai.

"The landscape of Linux IoT infection will change," Odisseus said.

A Mirai malware variant called Satori, which was uncovered in December 2017, took down hundreds of thousands of Huawei routers. Satori was also sometimes called Okiru, but the two have significant differences, according to Security Affairs' Pierluigi Paganini.

Okiru's configuration is different because it "is encrypted in two parts," but Satori's is not, Paganini wrote in a blog post. "Also Okiru's telnet attack login information is a bit longer," Paganini explained, noting that the login information can be up to 114 credentials, but Satori has a "different and shorter database."

At the time of this writing, the detection ratio on VirusTotal was 29-58. When Odisseus tweeted about the botnet threat earlier this week, it was only at 5-60.

In other news:

  • Google launched a new tool for enterprise security called G Suite Security Center. The tool will be available to G Suite Enterprise users and is automatically accessible in the admin console. In a blog post, Google stated the three objectives of the security center are to show a "snapshot" of security metrics, to help enterprises stay ahead of security threats and to recommend ways for enterprises to improve their security posture. "We want to make it easy for you to manage your organization's data security," Google product managers Chad Tyler and Reena Nadkarni wrote in a blog post. "A big part of this is making sure you and your admins can access a bird's eye view of your security -- and, more importantly, that you can take action based on timely insights." The security center will consist of a dashboard that shows the security metrics and the "security health" recommendations.
  • A team of researchers discovered a way to hack the Android Pixel phone. The exploit involves combining two separate vulnerabilities. The first, which Google patched in September 2017, is a type confusion flaw in the V8 open source JavaScript engine. The second vulnerability is a privilege escalation flaw in Android's libgralloc module. Google patched that one in December 2017. However, security researchers were able to exploit both vulnerabilities to inject arbitrary code into the system_server process. All they had to do to make the exploit successful was get the targeted user to click on a malicious link in Chrome. The research team received a total of $100,000 from Google for the find, through both the Android Security Rewards program and the Chrome bug bounty program.
  • The Internet Systems Consortium (ISC) put out a security advisory warning of a vulnerability in the Berkeley Internet Name Domain (BIND) DNS software. The vulnerability, with severity ranked "high," was remotely exploitable and reportedly caused some DNS servers to crash. "BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named," ISC said in its advisory. The vulnerability was found in BIND versions 9 and later, but not in earlier versions, so the ISC advised users to upgrade to the latest version. There have been no known active exploits, but the advisory stated that "crashes due to this bug have been reported by multiple parties."

Dig Deeper on Network security