The new botnet infects the miners technique, replacing the addresses of the wallets

Satori is a family of malicious software whose representatives affect routers, surveillance cameras and other IoT devices. The goal is the formation of botnets, which allows you to perform various tasks - from DDoS to more complex ones, like mining. But now a new representative of this family has appeared, who does not mine anything, but simply steals the mined coines.



On January 8, representatives of information security company Netlab 360 from China published a report, which reported on the detection of malware, an exciting mining system. The new version of Satori uses vulnerabilities in Claymore Miner , replacing the address of the wallets of the owners of mining equipment with the wallets of intruders.



Since the equipment continues to operate normally, the miner may not immediately detect the problem. Of course, after the mined Coins cease to arrive at the wallet, this attracts attention. But in some cases it may take days to the moment this problem is noticed. It is impossible to call this malware massive yet.



The wallet is known , and how much money there is also known. For all the time, only two Ethereum coins were mined, so the developers of the worm have not (yet) received a huge income. But if the virus turns out to be contagious, finance flows can increase many times. At the moment, the performance of the hardware captured by the malware is about 2.1 million hashes per second. This capacity can be developed by 85 PCs with a Radeon Rx 480 card or 1135 computers with GeForce GTX 560M cards.



As far as can be judged, the hardware performance does not grow much, the virus probably either does not infect new devices, or the system owners quickly find problems and the virus fails to form any significant network.



It should be noted that the Satori family is a modified version of the Mirai botnet, the sources of which have recently been shared. Mirai is taking control of the Internet of Things devices, and in 2016 this botnet began to develop at a very fast pace, which caused quite significant problems.



As for Satori, the code of this software is significantly modified. The worm itself does not infect gadgets with default passwords. Instead, the malware analyzes the device software for vulnerabilities. If any, the devices get infected. At the beginning of December, Satori infected more than 100 thousand devices, and in the near future the scale of this botnet can grow many times.



Researchers from Netlab 360 claim that the new version of Satori, sharpened to cryptocurrency, appeared on January 8. It analyzes devices for two different IoT vulnerabilities, plus it uses a hole in the Claymore Mining software, as mentioned above.



So far, it is not clear exactly how the new virus infects computers that extract cryptocurrencies. Now it is known, at least, about one vulnerability in Claymore Mining . As far as you can understand, the worm works with port 3333 with default settings (without authentication).



Netlab 360 did not provide more data in order to avoid hackers getting useful information for their work. The developers of Claymore Mining have not yet responded to the statements of cybersecurity.



But one of the developers of Satori added the following message: “Do not worry about this bot, it does not perform any harmful actions. You can contact me at curtain@riseup.net. ” This is a rather strange statement, since even the fact that the malware replaces miners' wallets with the wallets of its own developers is clearly not a harmless action.



As for Satori, this is not the only "heir» Mirai. Last October, researchers announced that a new problem had emerged on the Web - another powerful malware that became known as Reaper and IoTroop. It also finds vulnerabilities in the software and hardware of cloud devices, and infects them, turning them into zombies.