Security researchers have uncovered a new botnet targeting Linux-based devices that’s more sophisticated than most other IoT botnets seen before.
A botnet is “a collection of any type of internet-connected device that an attacker has compromised” (csoonline.com).
Commonly used in distributed denial of service (DDoS) attacks, botnets can also take advantage of their collective computing power to send large volumes of spam, steal credentials at scale, or spy on people and organisations.
Researchers from antivirus vendor Avast have dubbed the new botnet Torii because its method of propagation is through Telnet brute-force attacks that are routed through the Tor anonymity network.
According to their preliminary findings, the botnet can infect a wide range of devices that use many CPU architectures: MIPS, ARM, x86, x64, PowerPC, SuperH, Motorola 68k and more with various bit widths. It’s one of the largest sets of architectures supported by a single malware program that Avast has seen to date.
The first-stage payload is a “dropper” whose main purpose is to download and install a second-stage payload. The dropper also establishes persistence for the secondary payload using six different techniques to ensure the malware starts after every device reboot. This routine is just one of the places where the Torii attackers proved they are not amateur malware developers and have a high familiarity with embedded platforms.
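As an added example (not code from the article or from Avast), here is a small POSIX shell triage script that checks the usual reboot-persistence hooks on a Linux host or a mounted firmware image. The article does not list the six techniques Torii uses, so the locations and the "suspicious entry" heuristic below are assumptions drawn from common Linux persistence, not Torii specifics.

```shell
#!/bin/sh
# Triage the boot-time persistence hooks a Linux/IoT dropper typically writes to.
# Usage: audit_persistence [ROOT]
#   ROOT lets you scan a mounted firmware image or forensic copy; default is "/".
# Prints "file:line:content" for each suspicious entry; returns 1 if any were
# found, 0 if nothing matched. (Assumed locations and heuristics, not Torii's.)
audit_persistence() {
    root="${1:-}"
    found=0
    # Heuristic: boot-time entries that fetch something or run from a writable
    # or hidden directory are the ones worth a second look.
    pat='(wget|curl|tftp|/tmp/|/dev/shm/|/var/tmp/|/\.[A-Za-z0-9_]+/)'

    # Emit matching lines of file $1 for regex $2 and remember that we hit.
    scan() {
        if [ -f "$1" ]; then
            out=$(grep -nE "$2" "$1" 2>/dev/null || true)
            if [ -n "$out" ]; then
                printf '%s\n' "$out" | sed "s|^|$1:|"
                found=1
            fi
        fi
    }

    # 1. Shell start-up files and the legacy rc.local hook
    for f in "$root"/root/.bashrc "$root"/root/.profile "$root"/etc/profile "$root"/etc/rc.local; do
        scan "$f" "$pat"
    done
    # 2. cron: any @reboot job, wherever the crontab lives
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
        scan "$f" '@reboot'
    done
    # 3. systemd units whose ExecStart points at a suspicious location
    for f in "$root"/etc/systemd/system/*.service "$root"/lib/systemd/system/*.service; do
        scan "$f" "^ExecStart=.*$pat"
    done
    # 4. SysV init scripts, upstart jobs and inittab entries
    for f in "$root"/etc/init.d/* "$root"/etc/init/*.conf "$root"/etc/inittab; do
        scan "$f" "$pat"
    done
    return "$found"
}
```

Expect some benign hits (init scripts that legitimately touch /tmp, for instance); the output is a short list to review by hand, not a verdict.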
The secondary payload also has binaries for different CPU architectures, but the functionality varies between variants. Common features include downloading and executing files from the command-and-control (CnC) server, executing shell commands and sending the output back to the attackers, reading files from local storage and sending their contents to the server, deleting files and downloading files from specified URLs. It also has some features such as anti-debugging techniques, data exfiltration, multi-level encryption of communication and many other evasion techniques.
Torii uses a bash script on the infected device to fetch its payload from the server hosting the malware. Unlike most IoT botnets, the Torii malware uses anti-sandbox and other techniques designed to make analysis harder.
The Avast researchers have managed to analyse the files stored on the download server used for Torii payload delivery. Its access logs indicate that almost 600 unique IP addresses downloaded payloads from the server over a period of a few days.
Investigations are continuing but it is clear that Torii is an example of the evolution of IoT malware, and that its sophistication is a level above anything experts have seen before.
This new botnet demonstrates that cyber criminals are constantly working to develop new threats. To keep your IT systems safe, it is important to ensure you have sufficient protection; the level of protection you need will depend on the size of your network and what you do with it.
If you’re concerned about cyber security, would like to know more about possible threats, or want to discuss your existing protection, speak to one of our experts: call 01482 210999 or email [email protected]