THE FUNCTIONALITY OF THE BOTNET
- Analysis of the 1st stage payload (dropper)
- String Obfuscation
- Install 2nd Stage ELF File
- Make the 2nd Stage Persistent
- Analysis of the 2nd stage payload (bot)
- Anti-Analysis Methods
- CnC Servers
- CnC Communication
- CnC Commands
- Analysis of the sm_packed_agent
ANALYSIS OF LOGS FROM THE SERVER
Additionally, 8 clients used both the HTTP server and the FTP server. This could happen if the download over HTTP failed for some reason, or if the Torii authors were testing the functionality of the bash script or the server setup.
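The overlap described above is the kind of thing you find by joining the two servers' logs on the client address. The following is an added example, not code or data from the original analysis: it parses a handful of constructed log lines (Apache/nginx "combined" format for HTTP and an xferlog-style layout for FTP, both assumed formats, with a hypothetical payload path "/stage2"), splits clients into HTTP-only, FTP-only and both, and for the "both" group checks whether the client ever got a successful HTTP response. That last check separates the "HTTP failed, fell back to FTP" explanation from the "testing or retries" explanation.

```python
import re
from collections import defaultdict

# Constructed sample logs for illustration; they are NOT the Torii server's real
# logs. HTTP lines follow the Apache/nginx "combined" format, FTP lines follow a
# simplified xferlog layout. Both formats and the path "/stage2" are assumptions
# made for this example.
HTTP_LOG = """\
192.0.2.10 - - [20/Sep/2018:10:01:12 +0000] "GET /stage2 HTTP/1.1" 200 81234 "-" "Wget/1.19"
192.0.2.11 - - [20/Sep/2018:10:02:30 +0000] "GET /stage2 HTTP/1.1" 200 81234 "-" "Wget/1.19"
192.0.2.12 - - [20/Sep/2018:10:03:05 +0000] "GET /stage2 HTTP/1.1" 404 0 "-" "Wget/1.19"
198.51.100.7 - - [20/Sep/2018:10:04:41 +0000] "GET /stage2 HTTP/1.1" 200 81234 "-" "Wget/1.19"
"""

FTP_LOG = """\
Thu Sep 20 10:03:20 2018 1 192.0.2.12 81234 /stage2 b _ o a anonymous ftp 0 * c
Thu Sep 20 10:05:02 2018 1 198.51.100.7 81234 /stage2 b _ o a anonymous ftp 0 * c
Thu Sep 20 10:06:15 2018 1 203.0.113.5 81234 /stage2 b _ o a anonymous ftp 0 * c
"""

# Combined log format: client, ident, user, [timestamp], "request", status, size, ...
HTTP_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# xferlog fields are whitespace separated: index 6 is the client address,
# index 8 the transferred file name.
XFERLOG_MIN_FIELDS = 9


def parse_http(text):
    """Map client IP -> list of (status, path) for each request in the HTTP log."""
    requests = defaultdict(list)
    for line in text.splitlines():
        m = HTTP_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        requests[m.group("ip")].append((int(m.group("status")), m.group("path")))
    return dict(requests)


def parse_ftp(text):
    """Map client IP -> list of transferred paths from an xferlog."""
    transfers = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < XFERLOG_MIN_FIELDS:
            continue  # malformed or truncated line
        transfers[fields[6]].append(fields[8])
    return dict(transfers)


def classify_clients(http, ftp):
    """Split clients into HTTP-only, FTP-only, and those seen on both services."""
    http_ips, ftp_ips = set(http), set(ftp)
    return {
        "http_only": http_ips - ftp_ips,
        "ftp_only": ftp_ips - http_ips,
        "both": http_ips & ftp_ips,
    }


def fallback_candidates(http, ftp):
    """For clients seen on both services, record whether any HTTP request got a
    2xx response. No 2xx followed by an FTP transfer is consistent with an
    HTTP-failed-then-FTP fallback; a 2xx on HTTP plus an FTP transfer looks
    more like testing or a retry."""
    result = {}
    for ip in classify_clients(http, ftp)["both"]:
        http_ok = any(200 <= status < 300 for status, _ in http[ip])
        result[ip] = {"http_succeeded": http_ok, "ftp_paths": ftp[ip]}
    return result


if __name__ == "__main__":
    http, ftp = parse_http(HTTP_LOG), parse_ftp(FTP_LOG)
    for name, ips in classify_clients(http, ftp).items():
        print(f"{name}: {sorted(ips)}")
    for ip, info in sorted(fallback_candidates(http, ftp).items()):
        verdict = ("likely HTTP->FTP fallback" if not info["http_succeeded"]
                   else "HTTP succeeded too; testing or retry?")
        print(f"{ip}: {verdict}")
```

On real logs, keep the timestamps as well and require the FTP transfer to come after the failed HTTP request before calling it a fallback; the example drops that ordering check only to keep the parsing short.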
We cannot speculate beyond the evidence we have, but this server could be just one of many servers infecting new target devices, and only further investigation will reveal the true scope of this botnet. Given the level of sophistication of the malware we analyzed, it seems likely that it is designed to map and control a large number of diverse devices.
Although our investigation is continuing, it is clear that Torii represents a step in the evolution of IoT malware, and that its sophistication is a level above anything we have seen before. Once it infects a device, it not only sends a considerable amount of information about the host to the CnC, but the CnC channel also lets the Torii authors execute arbitrary code or deliver any payload to the infected device. This suggests that Torii could become a modular platform for future use. And because the payload itself does not scan for other potential targets, it is quite stealthy at the network layer.