You might remember the incident back in late 2016 that saw the Mirai botnet use 100,000 IoT devices to take down DNS service provider Dyn, knocking out huge parts of the web in the process. Now, a new variant of Mirai has been discovered, one that targets Internet of Things devices containing ARC processors.
Argonaut RISC Core (ARC) CPUs are the second most commonly used processors in the world. They are found in over 1.5 billion connected devices, including cars, TVs, cameras, and mobiles.
The new version of Mirai, which has been dubbed Mirai Okiru, was discovered by security research team Malware Must Die, though it was the independent security researcher ‘Odisseus’ who highlighted the seriousness of the botnet, writing that "the landscape of Linux IoT infection will change."
"This is the FIRST TIME ever in the history of computer engineering that there is a malware for ARC CPU & it is MIRAI OKIRU," he tweeted. "Pls be noted of this fact, & be ready for the bigger impact on infection Mirai (specially #Okiru) to devices hasn't been infected yet."
Malware Must Die told The Register: "The samples have been spotted in multiple places from several sources, some were spotted after infection, some are sitting in C2. For sure, ARC Linux devices are being targeted."
"The analysis of the code after decompilation shows the herders were preparing ARC binary specifically to target one particular Linux environment."
IoT products remain notoriously insecure, and it’s not clear how many devices are already infected by Mirai Okiru. Test service VirusTotal reports that 20 out of 58 antivirus tools can currently detect it.
A week after Mirai was used in a then record-breaking 620 Gbps DDoS attack on famed researcher Brian Krebs’ website in September 2016, the source code was published online. The DDoS attack on Dyn took place a month later. In December last year, New Jersey student Paras Jha admitted to creating and running the Mirai botnet behind the attack.