Move over Mirai – Torii is tipped to be the new botnet boss

By Cameron Abbott and Jessica McIntosh

It’s been hailed a true example of the evolution of IoT malware with researchers from security vendor Avast last week explaining in detail just how persistent and powerful this “new” strain of botnet can be. According to Avast, Torii is a “level of sophistication above anything they have seen before”.

For us, it’s newly found cutting-edge techniques and features mean it is a threat to EVERY type of computer and device…it’s a threat to all of us.

The way it works?

Torii launches a telnet attack which pinpoints weak credentials. Once infected the botnet executes an initial shell script to discover the architecture, which facilitates the download and execution of binary files (dropper) in an ELT format, this lays the ground work for the second stage of the attack. That being, the dropper stays embedded in the device with real sturdiness, a type of determination like no other. How? Torii utilises six layers of persistence – it’s not using one layer, or a combination of several layers….it uses all six!

For an everyday user, good luck trying to get rid of Torii with a simple reboot, and for other malware authors you won’t be getting rid of Torii by trying to infect a device with their malware instead. In fact, researchers currently can’t confirm with certainty just how we should handle this new botnet boss.

How fitting given its National Cyber Security Awareness Month – welcome.

The lesson for us all?

We think it’s important to remain positive and take a proactive approach to personal security – both in our homes and workplaces. We constantly advocate in this blog that your users are your first line of defence and awareness needs to be constantly reinforced. You need your workforce to be its own layer of persistence!  Also… time for a password change!

Copyright © 2018, K&L Gates LLP. All Rights Reserved.