{
	"id": "9e457269-280d-4234-ace6-9e2473d2a7dc",
	"created_at": "2026-04-06T01:29:32.140764Z",
	"updated_at": "2026-04-10T03:20:47.724708Z",
	"deleted_at": null,
	"sha1_hash": "ba385b9e78e8e818bacc02981df99456612ef063",
	"title": "Collaborative Takedown Kills IoT Worm ‘Satori’",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37230,
	"plain_text": "Collaborative Takedown Kills IoT Worm ‘Satori’\r\nBy Robert Lemos\r\nPublished: 2017-12-19 · Archived: 2026-04-06 00:32:44 UTC\r\neWeek content and product recommendations are editorially independent. We may make money when you click\r\non links to our partners. Learn More\r\nIn early December, a new version of Mirai—the internet of things malware responsible for creating a massive\r\nbotnet that took down internet services in October 2016—started infecting home routers.\r\nUnlike Mirai, the latest version—dubbed Satori by security researchers—used two exploits in popular routers to\r\ncompromise IoT devices and build a 700,000-node botnet in less than four days, according to Dale Drew, chief\r\nsecurity strategist at internet infrastructure firm Level 3 Communications, now owned by CenturyLink. The\r\nattack, which mainly affected devices in Egypt and Latin America, where the specific routers were in widespread\r\nuse, could have led to another major denial-of-service campaign, he said.\r\nInstead, security researchers worked with the two largest internet service providers (ISPs) in the areas affected to\r\nblock traffic to the server managing infected devices—known as a command-and-control (C2) server—and begin\r\npatching customers’ routers.\r\n“We were able to cooperate with the security research community very quickly, we got the command-and-control\r\nsystems shut down very fast, and we pushed out notices to the two largest ISPs who have those modems,” Drew\r\nsaid. “So the good news is—in very, very quick order—we were able to block scanning on our backbone.”\r\nThe quick reaction and shutdown of the botnet is significant because the Satori malware automatically used any\r\ncompromised router to scan and infect new systems, which qualifies the code to be a worm, according to an\r\nanalysis posted by Chinese security firm 360 Netlab on Dec. 5. The company stated that the scanning from the\r\nworm had “gotten more intense” and noted the existence of the two exploits, one of which appeared to be a zero-day attack for a previously unknown vulnerability.\r\nFollowing the ISPs blocking the command-and-control traffic, 360 Netlab noticed that the scanning dropped off\r\nsignificantly.\r\n“[W]e observed the C2 sending kill scan command to the bots, and that explains why the scan activities on the two\r\nports started to drop on a global scale,” the company wrote.\r\nMalware targeting vulnerabilities in the IoT will increasingly be a concern, said CenturyLink’s Drew, because a\r\nsingle vulnerability can be exploited globally.\r\n“Unlike any other device, a single exposure can be exploited across the entire vendor platform,” he said. “With\r\nWindows devices, the attacker is hindered by how each individual person has customized their environment.”\r\nhttp://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori\r\nPage 1 of 2\n\nWhile the Satori attacker can no longer connect to the compromised devices, the battle between malware authors\r\nand security researchers is not over, Drew said. The creator of the Satori malware has shown a quickness to adapt,\r\nso Drew warned that the similar attacks will likely continue. Prior to Satori, the attacker created another Mirai\r\nvariant that similarly exploited Huawei routers, but—taking a page from Mirai’s playbook—used brute-force\r\npassword guessing as another vector to exploit devices.\r\nYet, the system of information exchange and research collaboration worked well and holds out hope that such\r\nattacks in the future can be quickly blunted, Drew said.\r\n“This is one of the few times that we were able to make an event a non-event,” he said. “I’m very proud of the\r\ncollaborative effort.”\r\nSource: http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori\r\nhttp://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori"
	],
	"report_names": [
		"collaborative-takedown-kills-iot-worm-satori"
	],
	"threat_actors": [],
	"ts_created_at": 1775438972,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba385b9e78e8e818bacc02981df99456612ef063.pdf",
		"text": "https://archive.orkl.eu/ba385b9e78e8e818bacc02981df99456612ef063.txt",
		"img": "https://archive.orkl.eu/ba385b9e78e8e818bacc02981df99456612ef063.jpg"
	}
}