New botnet Torii showcases next stage of IoT abuse, researchers say
Security researchers have caught hackers lashing together Internet-connected devices in a botnet they’re calling Torii, which uses techniques not seen in an IoT botnet before—including intercepting and stealing data, and using the Tor Project network to hide its network traffic.
The Torii botnet, which researchers named with the Japanese word for “gate” after discovering the botnet uses Tor and its network of anonymously linked computers to obscure Internet traffic, was first discovered by Bulgarian researcher Vesselin Bontchev on September 19. Martin Hron, security researcher at Avast and co-author of the report, says Torii must target a breathtaking number of devices because it is designed to work on an unusually large number of hardware systems. (Avast sponsors this site.)
Torii will work on devices that run on at least six types of hardware, Hron says: ARM, x86, x64, MIPS, PowerPC, and SuperH. The first three cover nearly every modern desktop, laptop, smartphone, and tablet in use today. MIPS has been used in a variety of devices, from the original Sony PlayStation to the current Tesla Model S sedan. PowerPC and SuperH are mostly legacy hardware chips, best known for their use in Apple computers and a Hitachi-Mitsubishi partnership, respectively.
READ MORE ON BOTNETS AND THE INTERNET OF THINGS
FBI’s router reboot call reminds us why to check for updates
Your old router could be a hacking group’s APT pawn
Why hackers love your Wi-Fi (and how to protect it)
Time for a Department of the Internet of Things?
The long reach of Mirai, the Internet of Things botnet
5 questions to ask before buying an IOT device
Hron, along with his report co-authors, Jakub Kroustek, Vladislav Iliushin, Anna Shirokova, and Jan Neduchal, says that because of how new the research is, as well as Torii’s use of Tor to hide its tracks, it’s hard to pin down many of Torii’s details. Hron says it heralds a “new era of IoT botnets.”
Over four days of research, Hron and his colleagues found that the botnet’s malicious content had been downloaded “approximately” 592 times, all from the one server they discovered that the botnet was using near Phoenix. Other log files had been “wiped out,” he says.
Botnets are malware-infected computing devices controlled as a group without the owner’s knowledge. While a botnet with not even 600 devices might not sound like much of a threat, Hron cautions that what they saw Torii do would be hard for one person to accomplish. That indicates a team effort, intentionally hidden, he says. And only uncovering more Torii servers will get his team the information they need.
Hron fears that Torii’s use of Tor and encryption indicates that it has infected far more devices than is apparent from the logs.
“There were more than 100 versions of [malware] payloads on the server, with 15 or 20 architectures supported,” he says. And because of the encryption, he suspects that Torii is used not for traditional botnet tasks of DDoSing or cryptocurrency mining, but rather for stealing data.
“It’s a remote shell for a command-and-control server. You can even read files from the device,” unheard of with IoT botnets, he says. “Torii is a botnet for surveillance, or it’s just the first stage of something, like a framework or a tool. I’d say it’s very similar to a VPN,” in that it hides both the traffic itself and who is creating the traffic.
Hron compares the potential level of threat that Torii poses to the VPNFilter botnet, which the FBI warned consumers about in June. But unlike VPNFilter, which can be wiped by rebooting an infected router, Torii has seven methods of persistence that operate simultaneously, so that turning an infected device off and on doesn’t remove the malware.
While many of the techniques that Torii uses are not new to botnets, this is the first time that researchers have found them on a botnet targeting notoriously low-security Internet of Things devices. And as hackers get better at targeting the myriad hardware systems that run IoT devices, often with little-to-no security on them, there’s little that can be done to protect those devices from harm—or from spreading the malware further.
“Botnets are still quite a problem. They can be used for so many different, bad purposes, that unless you have some security posture at your house, you’ve no way of knowing or blocking any of this.”—Jen Miller-Osborn, deputy director, Palo Alto Networks’ Unit 42
Historically, botnets have been focused on either causing havoc like Mirai did, or making money through spreading ransomware or cryptocurrency mining. Torii is a “vivid example” of the evolution of online attacks, Ted Harrington, IoT expert and executive partner at security-testing company Independent Security Evaluators, said in an email.
“Where Mirai was profoundly impactful when it was first deployed, this botnet actually improves upon Mirai’s malicious effectiveness,” he wrote.
One potential threat from a Torii-style botnet is that it can more easily surveil the Internet traffic passing through an infected device—a “man in the middle” attack, speculates Jen Miller-Osborn, the deputy director for threat intelligence at Unit 42, a research team at security company Palo Alto Networks. If that device happens to be a Wi-Fi router, she says, Torii could easily capture banking information, passwords, and other sensitive data.
“Botnets are still quite a problem. They can be used for so many different, bad purposes, that unless you have some security posture at your house, you’ve no way of knowing or blocking any of this,” Miller-Osborn says.
For the growing number of consumers who run IoT devices at their homes, from Internet-connected door locks to baby monitors, Miller-Osborn recommends segmenting those devices on a guest network used by no one else.
“There’s security built into your laptop, desktop, and on your phone. The problem when it’s home things [is that] there’s hardly any protections around the house,” she says. “And these things, fridges and baby monitors, there’s no security on them. They often have no interface.”
Correction on October 1 at 2:45 p.m. PDT: A previous version of this story misspelled the last name of Jen Miller-Osborn.