Sora; The IoT Botnet King

During our February webinar, our senior security analyst, Justin Heard and our manager of our security incident response team, Mike Devens, talked about the biggest threats we saw throughout 2019. One of the botnets that came up in every threat report throughout the year was Sora. See what they had to say about Sora, the IoT Botnet King…

Shawn Pope: If you’ve looked at any of our threat reports, we’ve talked about Sora. I’ve done multiple write-ups on Sora. It’s a Mirai variant, one of the most popular, if not the most popular, IOT botnet of all time, responsible for some of the biggest DDOS attacks that we’ve ever seen. It’s been sort of quiet. I mean, the source code was released a few years ago, and that’s why we’re seeing all these different random ones spin-off like Sora. The interesting thing about Sora to me is that we see it so prevalent across the board in our detections and everything to the point where it was so far ahead on detections every quarter I was starting to be like, OK, you know what’s causing this?

But I mean, when we talk about IoT botnets, there are so many issues with IoT security. I don’t even want to get into it. I mean, with hard code of passwords being published all over the Internet, you can basically get in any IoT device you want. So, to see that large of detections is not that alarming, but to see something like sorer exist as long as it has for the year without showing any signs of slowing down until this last quarter. So, you can see our botnet detection basically drops off to almost nothing in the grand scheme of things. And Sora was one of those that went to the point of where it was pretty consistent throughout the year where we would see about the same number of detections and then towards the end of 2019 it was like it didn’t exist anymore. So that raises the red flag.

We talk about less people being in and out of the office, but when it comes to like botnets like that, they’re typically looking to infect additional things. So, it doesn’t add up to me, and I feel like we might see something new coming. 

There was an article about the guy that wrote Sora a couple of years back, and he said Sora’s a dead project, and he was working on a different one called Owari, or something like that. But I mean, that’s been years ago, and obviously, it’s still prevalent. So, again, with the source code being out there, I mean, these things are just going to continue to spin up. We’re going to see so many different ones. But it is a little alarming to see that, you know, it went to the point where it basically doesn’t exist anymore. And it’s not like IoT security got any better. Any protection tips you would recommend?

Mike Devens: Yeah, as you said, I mean, there’s so much to cover how you’re into that. But really, it comes down to network segmentation, making sure that any IoT devices you have on your network can’t communicate with anything else on your network, making sure that you’re changing those default passwords, and ensure you have automatic updates configured. And, I think most importantly, you have to be monitoring whatever subnet you’ve got those IoT devices on that way you can see if you have an infection going on. The way IoT devices work, you’re otherwise are not going to notice if the device is acting funny or it’s acting a little bit slower. The only visibility you have really is going to be by monitoring the network.

To watch our full webinar, click here.