Danger level 6
Type: Other

The Newly Discovered Torii Botnet Cannot Be Matched by Others in Its Sophistication

If you are not familiar with botnets, it may be hard to appreciate the sophistication of Torii, a newly discovered botnet that, according to researchers, could have been active since at least December 2017. The botnet was brought to light by Vesselin Bontchev, who shared his discovery via Twitter on September 19. Since then, researchers everywhere have been analyzing Torii, and the consensus is that this botnet is like nothing that has been observed before. From what we know so far, virtually any command can be executed remotely through it, which makes it an immense threat to online security. The targets of this botnet are still unknown, but it is obvious that everyone must secure their networks against it.

Just as Bontchev first reported in his tweet, the Torii botnet was found spreading via Telnet, a protocol that allows remote access to a computer. Without a doubt, in this situation, the attacker uses known security backdoors to obtain access to the computer silently. Like any other botnet, Torii relies on stealth to keep its malicious activity undisturbed. If malware is uncovered right away, victims can take action to protect their systems and remove intruders. Of course, when it comes to botnet malware, removal is not easy. After all, a botnet is a network of Internet-connected devices that are all infected at the same time. These devices can include servers and computers, and cleaning one computer and removing it from the botnet does not mean that Torii stops existing. In most cases, botnets are employed to perform mass spam attacks and DDoS (distributed denial of service) attacks, but that is not something that has been linked to Torii yet.

So, how do you know if your operating system has been affected by Torii? Unless you notice something out of the ordinary, for example, your computer starts running slower or crashes completely, you might be able to uncover malware that has attacked your operating system only with the help of the right anti-malware security system. As discussed already, the malware is distributed via a Telnet attack, which is possible only on vulnerable systems with weakly protected access. If a vulnerability is found on an x86_64, x86, ARM, MIPS, Motorola 68k, SuperH, or PPC system, a malicious payload is downloaded silently. Both HTTP and FTP are used for that, depending on the system that is being infected. The binaries are downloaded as ELF files, and it appears that they are used solely to download a secondary payload, which is also in ELF format.
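To triage a device for dropped binaries of the kind described above, the ELF header alone identifies which architecture a file was built for. The sketch below is an added example, not code from the article or from any analysis of Torii; the function names and the sample headers are constructed for illustration, and the `e_machine` codes are the standard ELF values for the architectures listed.

```python
import os
import struct

# e_machine codes from the ELF specification for the architectures listed above.
EM_NAMES = {3: "x86", 4: "Motorola 68k", 8: "MIPS", 20: "PPC",
            40: "ARM", 42: "SuperH", 62: "x86_64"}

def parse_elf_header(data):
    """Return (bits, byte_order, machine) for an ELF header, or None otherwise."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None  # malformed identification bytes
    order = "<" if ei_data == 1 else ">"
    # e_machine sits at offset 18 and is stored in the file's own byte order.
    (e_machine,) = struct.unpack_from(order + "H", data, 18)
    return (32 if ei_class == 1 else 64,
            "little" if ei_data == 1 else "big",
            EM_NAMES.get(e_machine, "other (%d)" % e_machine))

def find_elf_files(root):
    """Map each ELF file under root to its parsed header (reads 20 bytes per file)."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:
                    info = parse_elf_header(fh.read(20))
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if info:
                found[path] = info
    return found

def sample_header(ei_class, ei_data, e_machine):
    """Build a constructed 20-byte ELF header prefix for demonstration."""
    order = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\x00" * 9
    return ident + struct.pack(order + "HH", 2, e_machine)

if __name__ == "__main__":
    for args in [(1, 1, 40), (1, 2, 8), (2, 1, 62)]:
        print(parse_elf_header(sample_header(*args)))
    print(find_elf_files("/tmp"))
```

Unexpected ELF files in writable locations such as temporary directories are worth a closer look with a proper analysis tool; the header check only tells you what is there and for which platform.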

After execution, Torii employs six unique methods (possibly more) to ensure that the payload survives. If it is deployed successfully, it can start executing commands from a remote C&C server. It can also start exfiltrating data, which, of course, is done silently and illegally. At the time of research, Torii was contacting the cloud.tillywirtz.com, top.haletteompson.com, and trade.andrewabendroth.com C&C servers, but this is something that changes constantly and frequently. The data transmitted between the servers and a computer in the botnet is encrypted using the AES-128 cipher to conceal it. Furthermore, every piece of data is encrypted with an XOR cipher too. According to the available information, the data that Torii malware exfiltrates includes hostnames, MAC addresses, device type and name, and even the version of the operating system. Because the botnet contacts the C&C server on a loop, new commands can be received and executed at any given time.
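Because infected devices contact the C&C servers on a loop, repeated lookups of those hostnames show up in resolver logs. The following is an added example, not part of the original article: it assumes dnsmasq-style query logging, uses constructed sample lines, and matches only the three hostnames named above, which are point-in-time indicators.

```python
import re
from collections import defaultdict

# C&C hostnames named in the article; the article notes they change frequently.
C2_DOMAINS = {
    "cloud.tillywirtz.com",
    "top.haletteompson.com",
    "trade.andrewabendroth.com",
}

# Constructed sample in dnsmasq query-log style; not real traffic.
SAMPLE_LOG = """\
Sep 28 10:00:01 dnsmasq[412]: query[A] example.org from 192.168.1.20
Sep 28 10:00:05 dnsmasq[412]: query[A] top.haletteompson.com from 192.168.1.50
Sep 28 10:00:05 dnsmasq[412]: reply top.haletteompson.com is 203.0.113.9
Sep 28 10:05:05 dnsmasq[412]: query[A] TOP.HALETTEOMPSON.COM. from 192.168.1.50
Sep 28 10:06:10 dnsmasq[412]: query[AAAA] cloud.tillywirtz.com from 192.168.1.50
Sep 28 10:07:00 dnsmasq[412]: query[A] trade.andrewabendroth.com from 192.168.1.77
Sep 28 10:08:00 dnsmasq[412]: query[A] top.haletteompson.com.example.net from 192.168.1.20
"""

QUERY_RE = re.compile(r"query\[[A-Z0-9]+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")

def normalise(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def matches_c2(name, domains=C2_DOMAINS):
    """True for a listed hostname or any name beneath it, never for look-alikes."""
    name = normalise(name)
    return any(name == d or name.endswith("." + d) for d in domains)

def find_c2_lookups(log_text, domains=C2_DOMAINS):
    """Return {client: {hostname: lookup count}} for queries that hit the list."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_c2(m.group("name"), domains):
            hits[m.group("client")][normalise(m.group("name"))] += 1
    return {client: dict(names) for client, names in hits.items()}

if __name__ == "__main__":
    for client, names in find_c2_lookups(SAMPLE_LOG).items():
        print(client, names)
```

A client that appears in the result, especially with a count that keeps growing, should be isolated and investigated.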

Torii malware can connect hundreds or even thousands of unique IPs into one botnet, and the number of times these IPs might connect to C&C servers could reach millions. Unfortunately, once a device is infected with this malware, attackers could exfiltrate sensitive data and then execute any code they want. Because of this, the malware is incredibly versatile, adaptable, and unpredictable. There is no doubt that it has great potential to become a serious weapon in the hands of cyber criminals, and only time will tell how it will be deployed. For now, it is most important that everyone who owns an Internet-connected device takes appropriate security measures. Installing all updates and employing trustworthy, up-to-date anti-malware software are the two most important steps you must take right now.

