New vicious Torii IoT botnet discovered

Move over, Mirai. There’s a new, much more sophisticated Internet of Things botnet boss. The Torii IoT botnet has advanced techniques and persistence methods.

New vicious Torii IoT botnet discovered
Magdalena Petrova/IDG

Torii – you might not have heard the name yet, but this new botnet has advanced techniques and persistence and is a threat to nearly every type of computer. 

Researchers from Avast warned about Torii, which is certainly no spinoff of the Mirai botnet. Torii, they said, is an “example of the evolution of IoT malware” and “its sophistication is a level above anything we have seen before.”

For starters, Torii can run on almost every modern computer, smartphone, and tablet. Target architectures include x86_64, x86, ARM, MIPS, Motorola 68k, SuperH, PPC and others. Avast security researcher Martin Hron told The Parallax that one server had over 100 versions of malware payloads and supported 15 to 20 architectures. This suggests a “team effort,” as what Torii can do “would be hard for any on person to accomplish.”

Torii malware is sophisticated, persistent, and hard to eliminate

This new malware strain is sophisticated, has an impressive set of features for stealing sensitive information, and has at least six methods to maintain persistence. You won’t be getting rid of Torii with a reboot, and other malware authors won’t be getting rid of Torii by trying to infect a device with their malware instead.

The fact that Torii is stealthy plays into how it was named. It was first spotted by Dr. Vesselin Bontchev, aka @VessOnSecurity, in September. Since the telnet attacks Bontchev discovered came to his honeypot via Tor exit nodes, Avast decided to name the botnet strain Torii.

The infection first starts via a telnet attack on weak credentials. And the script is far more sophisticated than other IoT malware with its capabilities to download the appropriate payload to infect so many common architectures.

Avast concluded:

Once it infects a device, not only does it send quite a lot of information about the machine it resides on to the CnC, but by communicating with the CnC, it allows Torii authors to execute any code or deliver any payload to the infected device. This suggests that Torii could become a modular platform for future use. Also, because the payload itself is not scanning for other potential targets, it is quite stealthy on the network layer.

Torii has no real clear purpose at this time

At this time, Torii isn’t being used for “normal” botnet activities, such as DDoS or mining cryptocurrencies.

“Instead, it comes with a quite rich set of features for exfiltration of (sensitive) information, modular architecture capable of fetching and executing other commands and executables and all of it via multiple layers of encrypted communication,” Avast said.

Hron told The Parallax, “Torii is a botnet for surveillance, or it’s just the first stage of something, like a framework or a tool.” He compared it to a VPN, since “it hides both the traffic itself and who is creating the traffic.”

As for the methods of persistence for the second payload, Avast wrote:

"It uses at least six methods to make sure the file remains on the device and always runs. And, not just one method is executed – it runs all of them."

  1. Automatic execution via injected code into ~\.bashrc
  2. Automatic execution via “@reboot” clause in crontab
  3. Automatic execution as a “System Daemon” service via systemd
  4. Automatic execution via /etc/init and PATH. Once again, it calls itself "System Daemon"
  5. Automatic execution via modification of the SELinux Policy Management
  6. Automatic execution via /etc/inittab

When Bontchev first discovered Torii, he found there were no detections in VirusTotal for the executable or script. That’s changed in the last two weeks, but it is still far from being detected by most. Currently, at the time of writing, it is sitting at 22 detections of 58 engines and 10 detections of 58 engines for the bg.css file – which Bontchev noted is a “sophisticated shell script.”

Justin Jett, director of audit and compliance for Plixer, advised:

Fortunately, Torii uses some common network protocols to exploit IoT devices. Firstly, it spreads via Telnet, which is easily detectable from a network standpoint, but it also downloads a payload to enable the execution of commands from a CnC server. Given that IoT devices are purpose-built (meaning they have a very narrow set of functions), communications outside the normal set of communications should be monitored and IT professionals should be quick to investigate communications to devices they don’t normally see on their network. Network traffic analytics is well suited to address these types of attacks, but network and security professionals need to work together to mitigate the threats after it has been identified. Finally, organizations should audit the IoT devices on their network to ensure that default passwords have been changed and have been deployed with as few privileges as required. This will reduce the foothold that botnets like Torii can take, and allows IT professionals insight when the devices are compromised.

Oh, by the way, happy National Cybersecurity Awareness month!

SUBSCRIBE! Get the best of CSO delivered to your email inbox.