
New IoT Botnet Makes Mirai Look Like It’s Written by an Amateur

As if the Mirai botnet didn’t do enough damage by almost taking out the Internet on the East Coast of the United States that day about a year ago (see details), which it could do because users don’t change the passwords on their smart light bulbs and other things, we now have something that you might call “son of Mirai”. Mirai was written by a couple of undergrads at Rutgers, the State University of New Jersey, on a lark.

This new malware, called Torii because it uses the TOR network, was definitely written by pros.

It starts by finding an infectable IoT device and loads a really small piece of code.  That code runs a script to figure out what the hardware platform is and then downloads code for that specific platform.  Platforms supported include MIPS, ARM, X64, X32, PowerPC and Super H, among others.

If it can’t download using HTTP, it will try using FTP.

It then tries to persist by hooking into the system in up to 6 different ways, including the Linux policy manager, a system daemon, /etc/inittab and others.
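A defensive check for the /etc/inittab persistence route mentioned above, as an added example (not from the original post or from any published analysis of the malware): it diffs a copy of a device's inittab against a known-good baseline. The sample file contents, the placeholder path and the function names are constructed for illustration.

```python
# Added example: compare a device's /etc/inittab with a known-good baseline.
# Both samples are constructed; the extra entry is NOT Torii's real entry.
BASELINE = """\
# BusyBox-style inittab (constructed)
::sysinit:/etc/init.d/rcS
ttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100
::shutdown:/bin/umount -a -r
"""
CURRENT = BASELINE + "::respawn:/var/tmp/EXAMPLE-unknown-binary\n"

# init relaunches these whenever the process exits, so killing it is not cleanup
RESTARTING_ACTIONS = {"respawn", "askfirst"}

def parse_inittab(text):
    """Return the set of (id, runlevels, action, process) entries.

    A set of tuples is used instead of a dict keyed by id because BusyBox
    inittab lines often leave the id field empty, so ids are not unique.
    """
    entries = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)  # the process field may itself contain ':'
        if len(parts) != 4:
            entries.add(("", "", "malformed", line))  # surface it, don't skip it
            continue
        entries.add(tuple(p.strip() for p in parts))
    return entries

def audit_inittab(baseline_text, current_text):
    """List entries added to or removed from the baseline."""
    baseline = parse_inittab(baseline_text)
    current = parse_inittab(current_text)
    findings = []
    for change, diff in (("added", current - baseline),
                         ("removed", baseline - current)):
        for ident, _runlevels, action, process in sorted(diff):
            findings.append({
                "change": change, "id": ident, "action": action,
                "process": process,
                "relaunched_by_init": action in RESTARTING_ACTIONS,
            })
    return findings

if __name__ == "__main__":
    for finding in audit_inittab(BASELINE, CURRENT):
        print(finding)
```

The baseline has to be captured from a device in a known-clean state, such as a fresh firmware image, or the comparison proves nothing.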

Now comes the dastardly part. The code is modular and could download almost anything. It appears from some reports that unlike Mirai, which did not care at all about the host network it infected, Torii is all about trying to steal data off the host network. THIS. IS. A. BIG. PROBLEM!!!

So, assuming your light bulb (or whatever) gets infected, your whole entire network and your data are at risk.  Home network. Work network.  Wherever.  Do I have your attention?

There are a number of things that you can do to protect yourself.

First of all, if you can, do not allow the devices to be exposed to the Internet.

If you can’t, make sure that only the bare minimum number of ports are open.

For whatever access methods are exposed (userids and passwords and likely nothing more), make sure that any default userids and passwords are changed and that new passwords are very secure – as in long and complicated.

If you do that and do it correctly, you will be protected from this particular attack.

Note that right now this variant does not look for vulnerabilities in the device, but that doesn’t mean that the next version won’t.

That means that you MUST be good about patching your smart light bulbs and other IoT devices.

What does make this malware different is that it does try to steal your data.  That is a problem.

Information for this post came from ZDNet and other sources.