Honestly, the time to start worrying about Internet of Things or IoT botnets was probably back when they first started getting built.
If not at that point then maybe when they started launching DDoS attacks, or maybe when the Mirai IoT botnet unleashed a series of record-breaking attacks, one of which basically brought the internet to a standstill with the 50+ major sites and services it took down.
If not during the Dynpocalypse then perhaps the point to worry about IoT botnets was when they started getting rented out as uber-powerful DDoS for hire services. Certainly, many people and organizations began to worry about IoT botnets at one of the above-listed points. However, many did not.
Fortunately, or perhaps unfortunately, what we have now is one more opportunity to start to really, truly worry about IoT botnets and whether or not our devices are being invisibly enslaved in them. The dark side of the internet has come up with a new breed of botnet malware, and it’s stronger, smarter and scarier than ever.
Humble Mirai beginnings
An IoT botnet is a connected collection of IoT devices that have been hijacked by malware to give attackers remote control over the network to do things like launch DDoS attacks.
Back when botnets were made up of computers it was a feat to have a botnet containing thousands of devices thanks to the layers of security present on computers.
With the lax security so prevalent on IoT devices, it’s nothing to have an IoT botnet boasting hundreds of thousands of devices. The aforementioned Mirai was said to have 2.5 million devices in its network at the peak of its power.
Though successful, the Mirai malware was relatively simple. All it did was perform wide-ranging IP address scans for unsecured or undersecured IoT devices, and then employ a brute force technique of guessing hundreds of thousands or even millions of passwords until it cracked the default login credentials of the devices.
Two years ago it would’ve been certifiably insane to speak of the Mirai malware and botnet as though it were old and unimpressive news, but the cybercriminals behind botnets have been innovating non-stop to the point that they’ve come up with something that makes a botnet that was once king of the internet jungle look like a cuddly kitten.
Torii time
The Torii botnet was first noticed back in September when a security researcher saw some suspicious activity in one of his honeypots. Since then, researchers have been working to uncover everything they can about what the Torii botnet is for and how its malware works. It hasn’t been easy, and the findings aren’t pretty.
First of all, what researchers have been able to uncover has been limited because Torii uses the Tor Project network to obscure its traffic, hence the name. Due to this obfuscation, there is currently no way to estimate how big the Torii botnet might be.
Secondly, it’s probably safe to guess that the Torii botnet is impressively large.
This is because on a single server used by the botnet, researchers found over 100 versions of its malware payload, discovered that it is capable of infecting between 15 and 20 different IoT architectures, including SuperH, PowerPC, x64, x86, MIPS and ARM, and found that it uses a variety of commands to ensure payload delivery. Brute force password guessing this is not.
Thirdly, while botnet malware like the one behind the VPNFilter botnet (which the FBI warned the public about back in June) could be wiped from a device with a reboot, removing Torii will not be so easy: it has seven methods of persistence, all of which run simultaneously to ensure that the device stays infected and that it can still reach the command and control server.
Fourthly, while standard botnet activities like DDoS attacks and cryptojacking are certainly bad enough, what might be worse is not knowing precisely what the team behind the Torii botnet intends to use it for.
One thing is scarily certain: it has definite surveillance capabilities and is able to read files from the device and spy on traffic passing through it. This means the Torii botnet could potentially steal sensitive data like passwords and payment card information.
It’s still unclear who is behind Torii, what exactly it’s going to be used for, and whether or not the version of the botnet we’re currently seeing is an end product or simply a framework, but all signs point to this botnet being very bad.
Complicated complications
One of the biggest issues facing IoT device owners is what to do about the Torii botnet. As of now, there’s no great answer. It’s always smart to change the default credentials to something obscure and hard to guess, and disabling unnecessary settings and capabilities is wise as well.
Considering Torii’s abilities, a natural next step is segregating all IoT devices on a guest network to which no other device is connected and no one is permitted to use. This will at least minimize the data that could be read or stolen.
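As an added example (not code from the article or from any vendor), here is a small Python audit that turns the segmentation advice above into something you can check: it assumes the router exports one flow record per line in the form `src=… dst=… dport=… proto=…`, and the subnets, the egress allowlist and the sample records are constructed placeholders. Any flow that originates on the IoT segment and is not on the allowlist is reported, which is what you would want to see if an isolated device suddenly started talking to the main LAN, to its neighbours, or to an unexpected destination on the internet.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical home layout (assumption, not from the article): IoT devices sit on an
# isolated guest segment; laptops and phones sit on the main LAN.
IOT_SEGMENT = ipaddress.ip_network("192.168.50.0/24")
MAIN_LAN = ipaddress.ip_network("192.168.1.0/24")

# Egress allowlist for the IoT segment as (destination network, destination port).
# All addresses are constructed placeholders (vendor cloud endpoint, local resolver, NTP).
ALLOWED_EGRESS = [
    (ipaddress.ip_network("203.0.113.0/24"), 443),  # vendor cloud API over TLS (placeholder)
    (ipaddress.ip_network("192.168.50.1/32"), 53),  # the segment's own DNS resolver
    (ipaddress.ip_network("0.0.0.0/0"), 123),       # NTP to anywhere
]

# Constructed sample flow records; nothing here comes from a real capture.
SAMPLE_FLOWS = [
    "src=192.168.50.20 dst=203.0.113.10 dport=443 proto=tcp",   # camera -> vendor cloud: fine
    "src=192.168.50.20 dst=192.168.1.15 dport=445 proto=tcp",   # camera -> laptop: lateral
    "src=192.168.50.21 dst=198.51.100.77 dport=9001 proto=tcp", # plug -> odd internet port
    "src=192.168.50.21 dst=192.168.50.1 dport=53 proto=udp",    # plug -> local DNS: fine
    "src=192.168.1.15 dst=192.168.50.20 dport=80 proto=tcp",    # laptop -> camera: not policed
    "src=192.168.50.22 dst=192.168.50.23 dport=23 proto=tcp",   # bulb -> bulb telnet: probing
]


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one 'key=value' flow record into a Flow."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(
        ipaddress.ip_address(fields["src"]),
        ipaddress.ip_address(fields["dst"]),
        int(fields["dport"]),
        fields["proto"],
    )


def classify(flow: Flow) -> str:
    """Return 'ok' or a short reason why the flow violates the IoT segmentation policy."""
    if flow.src not in IOT_SEGMENT:
        return "ok"  # only traffic originating on the IoT segment is policed here
    for net, port in ALLOWED_EGRESS:
        if flow.dst in net and flow.dport == port:
            return "ok"
    if flow.dst in MAIN_LAN:
        return f"lateral: IoT device {flow.src} reached main LAN host {flow.dst}:{flow.dport}"
    if flow.dst in IOT_SEGMENT:
        return f"intra-segment: IoT device {flow.src} probed neighbour {flow.dst}:{flow.dport}"
    return f"unexpected egress: {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}"


def audit_flows(lines):
    """Return (Flow, reason) for every record that is not allowed by the policy."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict != "ok":
            findings.append((flow, verdict))
    return findings


if __name__ == "__main__":
    for flow, reason in audit_flows(SAMPLE_FLOWS):
        print(reason)
```

The allowlist is checked before the segment tests so that a legitimately shared service on the IoT segment, such as the local resolver, is not reported as probing. On a real network the allowlist will be longer, and the point of keeping it explicit is that every new destination an IoT device contacts has to be consciously added rather than silently tolerated.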
Beyond that, all we can really do right now is wait for further research and try not to get too twisted up over it. It’s definitely time to worry about IoT botnets, but until we really know what’s going on, we have to keep our cool.