Torii Botnet

Botnets have been known to malware researchers for a long time, but such sophisticated botnets as Torii Botnet are not uncovered every day. Avast researchers say that it differs from ordinary botnets they have analyzed during their career quite a lot. First of all, they have pointed out that Torii Botnet is much more sophisticated if compared to older malware that has been placed under the botnet category. What else distinguishes it from similar threats is that it uses advanced techniques to infect devices. Third, researchers suspect that this malicious application might be used to launch any commands on affected devices. Finally, it does not infiltrate ordinary computers. Its prime target is various smart gadgets that can be found at home. To be more specific, the threat targets the so-called IoT devices. Companies keep focusing on the development of smart home solutions, but they still do not spend enough time to make them secure. Anti-malware tools that could protect IoT devices from harmful threats like Torii Botnet still do not exist, making them extremely vulnerable to hacking.

The ability to easily access the source code of botnets has led to the emergence of Mirai, QBot, and their variants in 2018. Even though it is almost the end of the year, we would not be surprised at all if a new botnet with a Japanese-sounding name would be released during the last month of the year. Hundreds of malicious botnets exist in the wild, and malware researchers already know a lot about them, but Torii Botnet is not like any of the previously-released botnets. What is so special about it? Well, first of all, it does not perform the usual activities botnets perform. For example, it does not try to affect all devices connected to the same network, it does not use hacked devices to mine cryptocurrency, and, finally, it does not perform any distributed denial of service (DDoS) attacks, though there are no guarantees that this cannot change soon. Instead, as research has shown, it comes with sophisticated features that may allow it to steal sensitive information in no time. According to specialists, Torii Botnet may be used to execute any other command as well. Do you have an IoT device at home? If so, you may not even know that it has been affected by Torii Botnet because it, of course, does not ask for permission to affect devices. Additionally, research conducted by specialists has revealed that it can infect a great number of devices based on the following architectures: MIPS, ARM, x86, x64, PowerPC, SuperH, and many others, focusing on those that have weak encryption. It is suspected that Torii Botnet has been active since December 2017, so we can only imagine how many IoT devices it has already affected.

What else distinguishes Torii Botnet from other botnets is that Torii Botnet is spread via Telnet. What is Telnet? It can be described as a remote access tool that was widely used to log into remote servers. Nowadays, there are much more secure remote access tools available on the market, and it seems that Telnet has already been largely replaced by them. Unfortunately, a handful of devices that can be affected by Torii Botnet still exist. The infection, first of all, identifies weak device credentials and then hacks it. This attack is followed by the execution of the initial shell script. The script is used to determine the architecture of the system so that it could download the appropriate payload based on the type of the device. This feature allows Torii Botnet to affect a bunch of different IoT devices. According to Avast researchers, it is clear that “Torii is an example of the evolution of IoT malware.”

It does not mean that you cannot do anything to prevent your device to be added to Torii Botnet. Keeping your devices up-to-date and installing all the latest updates/security patches are two key security measures you should take to protect IoT devices you use. Also, you should set secure login/password combinations so that they could not be hacked. This is applicable to all devices that are connected to the Internet.

References:

1. Kroustek, J., Iliushin, I., Shirokova, A., Neduchal, J., and M. Hron. Torii botnet – Not another Mirai variant. Avast blog