Torii Botnet – Not Another Mirai Variant

Avast’s threat labs team have uncovered “the most sophisticated botnet that they have ever seen”, and it is targeting IoT devices.

The new IoT malware strain/botnet labelled ‘Torii’ has spread over poorly secured Telnet services, with the attack coming from Tor exit nodes. The malware captures data from IoT devices and gives attackers remote code execution – allowing them to hijack infected devices, and run any command they choose.

Sean Newman, Director at Corero Network Security:

“The latest botnet, dubbed Torii, cashing in on the rapidly expanding global pool of IoT devices may not be based on the ever-morphing Mirai code but, surprisingly, it does still rely on weak login credentials. The general level of sophistication of this new botnet may be higher than Mirai but, with Mirai variants already leveraging more sophisticated vulnerabilities to infect devices, you have to assume that its author still feels confident that they don’t need to go to those additional lengths.

“Its secret could be the large number of different platforms the code can support, which gives it the diversity needed to find enough devices that still use simple default username/password pairs. And, until IoT manufacturers solve the issue of shipping devices with the same default administrator credentials, then it’s going to remain child’s play for cyber criminals to leverage them for nefarious purposes.

“Although the mission for this latest botnet has yet to be established, there’s every expectation that leveraging it for DDoS attacks is high on the priority list. With the continually increasing threat of such attacks, organisations which rely on their online presence should be deploying dedicated real-time DDoS protection, to safeguard their applications and services.”