If you’re an IT historian, you might remember Sub7 and Pretty Park botnets back in 1999. If you pay attention to IT current events, you’ve probably heard about Necurs, Mirai, and Stealth. Now, Torii, the latest and most sophisticated in a long line of botnets, is in the spotlight.
One of many Mirai variants, Torii is the object of plenty of hype. For once though, the hype might be justified. Torii is newsworthy butfor sinister reasons: it proves that botnets can evolve and do great harm to IT operations.
Torii takes center stage
There are four reasons why Torii is worth the screen space it’s getting. To start, it’s not just one more cut-and-paste coding exercise created by hacker wannabes. It’s developed to steal information and harm a growing variety of computers and devices. Torii is especially newsworthy because it’s:
Torii bots use and spread a lethal type of malware to steal confidential information on computers, tablets, and smartphones.The bots can destroy all files on a computer hard drive or stop legitimate functions such as anti-virus operation. Firewall security, system registry, and Control Panel settings are at risk.
Torii bots also infect and control more types of devices than earlier model botnets. Also, it takes relatively more effort to get rid of Torii malware after an infection.
A security researcher first discovered Torii in cyber-attacks that emerged from an anonymity portal on the dark web. Also, no one is sure what Torii is designed to actually do. Some analysts speculate that Torii is surveillance software. Others think that it’s a prototype of a new malware framework or tool. There’s no definitive evidence.
Stealthy. Torii hides infection instructions in a CSS file, a standard utility that helps developers format web pages. Torii also disguises information transferred during infection and keeps the bot-herder’s identity secret.
Highly evolved. Torii uses a broad and flexible set of commands, which bots use to run malware on a wide range of target devices.
Looking under Torii’s hood
Virtually all descriptions of Torii involve the word “more”—more powerful, sophisticated, and damaging.So, what makes Torii bots extreme malware?
Torii differs from Mirai and earlier botnet designs in several ways:
- A flexible structure.Torii has a modular structure of mix-and-match subunits. Using different combinations of these subunits enables Torri to do several types of damage and target many different IoT devices.
- Unlike most Mirai variants, Torii doesn’t run DDoS attacks or engage in crypto mining. Instead, Torii’s core functions include stealing sensitive information and running malicious commands. After infecting a target device, Torii malware hides from observation. It uses multi-layered encryption to continually communicate with the bot herder’s command and control server.
- Target hardware.Torii attacks virtually all types of modern computer hardware—desktops, laptops, tablets, and smartphones—as well as IoT devices.
How Torii infects IoT devices
Torii bots use a two-stage process to breach IoT devices that have weak credentials. We won’t get bogged down in technical details. However, the bots’ operation highlights how much more sophisticated Torii is than earlier bot designs. Here’s a general description of the infection process:
- The first stage uses a sophisticated set of instructions, which identify the structure and type of target devices.
- The bot uses different commands to download malware that’s appropriate for the specific type of infected device. (This is where Torii’sflexible design comes in.) Torii uses these commands to increase the odds that the malware will resist removal and continue running, no matter what.
- The download commands can attack devices connected to the internet or in client-server networks. In other words, after entering your internal IT system via the internet, Torii can infect local devices, too.
- Torii bots aren’t one-task wonders. Each one runs commands to store, download, or delete files; steal data; block debugging commands, and use multi-level encryption to hide communications with the command and control server.
As you can see, this is no “Hello, world!” application.
How IT pros can reduce the risk of Torii-related damage
You can summarize Torii botnet risk mitigation in one word—hypervigilance.
As dangerous as Torii might be, hackers still need a way into a device, a weakness that says, “open sesame!” The ease or difficulty of infection depends on the practices of IT system operators, companies like yours.
No silver bullet offers total IT protection from Torii-related damage. However, thereare practical measures that your IT team can take to reduce the risk of Torii mayhem. These measures include:
- Secure your IoT devices. It’s true, manyIoT devices have terrible security or can’t be patched. However, they’re the entry point for Torii infections, so decide which measures your operations require. Then, set up and enforce IoT device security policies.
- Embrace data management basics. It’s an oldie but goodie—use robust backup and recovery software to back up all your files. If you will miss a file after a Torii botnet attack, back it up. Then, update the backups frequently.
- Be vigilant. Monitor traffic outside of the normal set of communications. Then, teach IT team members what to look for and what to do if Torii bots come knocking.
- Stay observant. Encourage your IT team to investigate device communications that they don’t usually see on your network.
- Make sure that yournetwork and security professionals work together to identify and mitigate threats when they occur. Torii-infected computers and devices often remain unnoticed on networks for months. The longer that infected files fester in your system, the greater the damage.
- Practice device password hygiene. Change the default passwords on your devices as soon as you install them. Then, do regular audits to ensure that everyone’s following security best practices. Also, did we mention keeping tight control of device access privileges?
Perhaps the most upsetting thing about Torii botnet infections is that they are new and more diverse and powerful than what we’ve seen before. It doesn’t help that there are no new tools or methods to protect IT assets and information resources. The best that can be done for now is to rely on tried-and-true security and data management methods.