You probably have not heard of it yet, but Torii is a botnet that you’ll want to keep on your radar. Researchers say that it has advanced techniques and persistence and is a threat to nearly every type of computer. Avast researchers also say it is an “example of the evolution of IoT malware” and “its sophistication is a level above anything we have seen before.”
Torii can run on almost every modern computer, smartphone and tablet, which is why researchers believe it will be more vicious than the Mirai botnet was. Target architectures include x86_64, x86, ARM, MIPS, Motorola 68k, SuperH, PPC and others. The botnet uses common network protocols to exploit IoT devices. Avast security researcher Martin Hron told The Parallax that one server held over 100 versions of malware payloads and supported 15 to 20 architectures. This suggests a “team effort,” as what Torii can do “would be hard for any one person to accomplish.”
It was first spotted by Dr. Vesselin Bontchev back in September, and since the telnet attacks Bontchev discovered reached his honeypot via Tor exit nodes, Avast decided to name the botnet strain Torii. The infection starts with a telnet attack on weak credentials. The script is far more sophisticated than any other IoT malware we’ve seen before, able to download the appropriate payload to infect so many common architectures.
Once it infects a device, not only does it send quite a lot of information about the machine it resides on to the CnC, but by communicating with the CnC, it allows Torii authors to execute any code or deliver any payload to the infected device. This suggests that Torii could become a modular platform for future use. Also, because the payload itself is not scanning for other potential targets, it is quite stealthy on the network layer.
However, at this time Torii isn’t being used for what would be considered “normal” botnet activities, such as DDoS or mining cryptocurrencies. Instead, it seems to be running features for the sake of exfiltrating sensitive information.
This new malware strain has an impressive set of features for stealing sensitive information, and has at least six known methods to maintain persistence and ensure that the file remains on the device. Not just one method is executed at a time; instead, all six are executed at once. As a result, you won’t be getting rid of Torii via a simple reboot, nor will other malware authors be able to override Torii by trying to infect a device with their own malware.