Torii botnet more advanced than any other Mirai-based malware
4 October 2018
Security researchers at Avast recently stumbled upon a new botnet variant dubbed Torii that, they believe, is more sophisticated than any other variant of Mirai botnet and is capable of executing any code or delivering any payload to an infected IoT device.
The Mirai botnet first appeared in 2016 as the first real botnet that could seriously exploit vulnerabilities in millions of IoT devices deployed across the world either to take control of industrial networks or to steal credentials of millions of IoT device owners.
Armed with a dictionary of username and password combinations, the Mirai botnet scanned IP addresses for open ports in IoT devices, subsequently infected millions of such devices in the process, and then used the affected devices in coordinated distributed denial of service (DDoS) attacks against websites worldwide.
Thanks to Mirai’s proven capabilities, hackers started using Mirai’s code to develop various new botnets with varying capabilities. Because of the explosion of new botnets based on Mirai, botnet-led malware attacks on IoT devices affected 49% of healthcare organisations, 82% of manufacturing, 76% of retail and 85% of government-owned or issued IoT tech by October last year.
Even though Mirai’s source code is still being used by hackers to develop new botnets, security researchers recently stumbled upon a new botnet which, they believe, is more sophisticated and a level above anything they’ve encountered before.
Torii arrives with unique features and capabilities
The researchers dubbed the botnet Torii because its telnet attacks come from Tor exit nodes. Not only does the new botnet send a large amount of information about the machine it resides on to the CnC, but through that CnC channel it allows Torii’s authors to execute any code or deliver any payload to the infected device.
According to Avast researchers, this capability could make Torii a modular platform for future use, and since it is quite stealthy on the network layer, it will be difficult for malware-detection tools to detect its presence. It is possible that the malware has been in existence since at least December 2017 or even earlier.
What makes Torii unique is that, unlike Mirai-based botnets, it does not mine cryptocurrency, launch DDoS attacks, or attack devices connected to the Internet. Instead, it uses a rich set of features to exfiltrate information to a remote server, and a modular architecture to fetch and execute other commands via multiple layers of encrypted communication.
Another feature that sets Torii apart from other Mirai-based botnets is that it can infect an astonishing variety of connected devices, including devices built on MIPS, ARM, x86, x64, PowerPC, Motorola 68k, and SuperH architectures, making it quite useful for hackers looking to infiltrate as many devices as possible and exfiltrate data to their own remote servers.
“The infection chain starts with a telnet attack on the weak credentials of targeted devices followed by execution of an initial shell script. This script looks quite different from typical scripts that IoT malware uses in that it is far more sophisticated.
“The malware uses several commands to download binary payloads by executing the following commands: “wget”, “ftpget”, “ftp”, “busybox wget”, or “busybox ftpget”. It uses multiple commands to maximize the likelihood that it can deliver the payload.
“Once the script determines which architecture the target device is running on, it downloads and executes the appropriate binary from the server. All of these binary files are in the ELF file format. While analyzing these payloads, we found that they are all very similar and are “just” droppers of the second stage payload,” the researchers noted in a blog post.
Torii botnet is possibly the hardest to detect
According to them, once the secondary payload is executed, the dropper uses at least six methods to make sure the file remains on the device and always runs, keeping it persistent. The secondary payload is capable of executing commands from its master CnC server, shares almost the same code as the first-stage payload, and features anti-debugging techniques, data exfiltration, and multi-level encryption of communication to evade detection.
The hackers behind the Torii botnet also use a variety of anti-analysis techniques to ensure the success of their operations. These include a 60-second sleep after execution to circumvent simple sandboxes, randomising certain process names to avoid detection of blacklisted process names, and stripping identifiable symbols from the executables.
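The article describes multi-architecture ELF droppers whose symbols have been stripped. The following added example (not code from the article or from Avast) is a small defender-side triage script that reads an ELF header to report the CPU family and endianness of a captured payload and flags it as stripped when no symbol-table section is present. The sample files it checks are synthetic headers constructed inline for testing, not real malware.

```python
import struct

# e_machine values from the ELF specification for the CPU families the article lists
EM_NAMES = {3: "x86", 4: "m68k", 8: "MIPS", 20: "PowerPC", 40: "ARM",
            42: "SuperH", 62: "x86-64"}
SHT_SYMTAB = 2  # section type of the static symbol table; absent in stripped binaries


def triage_elf(data):
    """Classify an ELF payload by architecture/endianness and flag it as stripped
    when no SHT_SYMTAB section exists (or there are no section headers at all)."""
    if data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        raise ValueError("not a parseable ELF file")
    bits = 32 if data[4] == 1 else 64
    if len(data) < (52 if bits == 32 else 64):
        raise ValueError("truncated ELF header")
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian, 2 = big endian
    if bits == 32:
        hdr = struct.unpack(end + "HHIIIIIHHHHHH", data[16:52])
    else:
        hdr = struct.unpack(end + "HHIQQQIHHHHHH", data[16:64])
    machine, shoff, shentsize, shnum = hdr[1], hdr[5], hdr[10], hdr[11]
    stripped = True
    for i in range(shnum):
        off = shoff + i * shentsize
        if off + 8 > len(data):
            break  # truncated section header table
        # sh_type sits at offset 4 of a section header entry in both ELF32 and ELF64
        if struct.unpack(end + "I", data[off + 4:off + 8])[0] == SHT_SYMTAB:
            stripped = False
    return {"bits": bits, "endian": "little" if end == "<" else "big",
            "arch": EM_NAMES.get(machine, "unknown(%d)" % machine), "stripped": stripped}


def build_sample(bits, big_endian, machine, with_symtab):
    """Construct a minimal synthetic ELF header (not a runnable binary) for testing."""
    end = ">" if big_endian else "<"
    ehsize, shentsize = (52, 40) if bits == 32 else (64, 64)
    shnum, shoff, shdrs = 0, 0, b""
    if with_symtab:  # a null section followed by one SHT_SYMTAB entry
        shnum, shoff = 2, ehsize
        shdrs = bytes(shentsize) + struct.pack(end + "II", 0, SHT_SYMTAB).ljust(shentsize, b"\0")
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 2 if big_endian else 1, 1]) + bytes(9)
    word = "I" if bits == 32 else "Q"
    fields = (2, machine, 1, 0, 0, shoff, 0, ehsize, 0, 0, shentsize, shnum, 0)
    return ident + struct.pack(end + "HHI" + word * 3 + "IHHHHHH", *fields) + shdrs


if __name__ == "__main__":
    print("MIPS BE, stripped:", triage_elf(build_sample(32, True, 8, False)))
    print("x86-64, symbols kept:", triage_elf(build_sample(64, False, 62, True)))
```

Run over a directory of quarantined droppers, the same check gives a quick inventory of which device families a campaign targets and which samples will need a disassembler rather than symbol names.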
Commenting on the discovery of the sophisticated botnet with so many unique features and capabilities, Sam Curry, chief security officer at Cybereason, said that it is imperative that manufacturers think about the effect that their product at scale will have in much the same way that car manufacturers didn’t decades ago in the pre-catalytic converter and leaded gasoline days.
“We shouldn’t do that again, and that means shipping with good identity hygiene, requiring unique device ID, not shipping with default accounts that are fully enabled or default passwords. It also means planning for upgrades and patches in a secure fashion and leveraging hardware-based security and strong cryptography. The technology exists today and isn’t moonshot stuff; it just needs to get done,” he added.