Okiru malware: How does this Mirai malware variant work?

A Mirai variant known as Okiru was recently discovered and is believed to have the capability to put over 1.5 billion devices at risk of becoming part of a botnet. How does the Okiru malware work and what types of devices are at risk?

It's hard to compare the state of IoT device security with the risk of a large-scale financial market going bad; however, the interconnection and open nature of the internet enables IoT devices and large-scale IoT worms and can have a significant impact on how the internet functions, just like Mirai did.

A new Mirai variant named Okiru was detected by malware security group MalwareMustDie, and it targets IoT devices with Argonaut RISC Core (ARC) processors. The Okiru malware has similar functionality and high-level architecture to Mirai in the sense that it scans for systems with Telnet configured with default passwords.

Okiru malware is different from Mirai and from Mirai variant Satori because it uses its own unique configurations and botnet command-and-control servers, and it uses different exploits to gain control of victim systems.

MalwareMustDie reported that the Okiru malware is the first malicious code to specifically target ARC processors. Since ARC processors share a common software development environment with other IoT devices based on Linux, it's not a big surprise that these devices are being targeted.

While ARC processors are not as common as Intel or ARM, they are still widely used in many devices. ARC processors are used in a wide array of system-on-a-chip devices, such as wearable fitness and medical devices, intelligent appliances, smart energy hubs, and automotive and industrial equipment.

Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)