Another Botnet In The Market: Torii Botnet

Earlier, it was just viruses and worms; then, as technology kept growing, malware and ransomware came into the limelight.

But these forms were not enough for attackers. With everyday challenges and their growing hacking skills, they have now found a new way to get into systems: botnets.

Botnet stands for bot network, and it is one of the most dangerous online threats. It is a network made up of a number of computer systems that have already been infected with some malware. With so many systems under control, botnets are used for sending spam email, spreading viruses, stealing personal data, and also executing DDoS attacks.

The Mirai botnet was observed first, earlier this year; it targets Internet devices by using telnet to find systems that still use factory-default usernames and passwords.

Another botnet, which is not similar to Mirai, was observed by Avast security researchers and dubbed "Torii". According to the researchers, the telnet attacks are executed from Tor exit nodes, so they decided to name this botnet "Torii".

According to the researchers, the Torii botnet has been active since December 2017. Once a system is compromised, the malware becomes more persistent and starts performing the usual attacks, such as DDoS and crypto mining, on a daily basis.

The Torii botnet uses several techniques to extract data and personal information. It can harm a range of devices and targets many architectures, including MIPS, ARM, x86, x64, PowerPC, SuperH, and more.

How Does Torii Botnet Work?

1. The first step Torii takes is a telnet attack on poorly protected Internet devices, including devices with weak credentials. This is followed by a shell script that is different from the ones used by other botnets.

2. This script discovers the architecture of the targeted device and then makes the system download the matching payload. The architectures supported by Torii are as follows:

x86_64, x86, ARM, MIPS, Motorola 68k, SuperH, PPC, and many more.

This allows the botnet to harm a huge range of devices running on the architectures listed above.

3. After recognizing the architecture, it downloads and executes the matching binary from the server.

Torii uses almost six methods to make sure its files keep running constantly on the device, and all of the methods are executed at once. They are:

  • Automatic execution via injected code in ~/.bashrc
  • Automatic execution via the "@reboot" clause in crontab
  • Automatic execution as a "System Daemon" service via systemd
  • Automatic execution via /etc/init and PATH; once again, it calls itself "System Daemon"
  • Automatic execution via modification of the SELinux Policy Management
  • Automatic execution via /etc/inittab
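A defender's first question after reading that list is how to check a host for those persistence points. The script below is an added example written for this article; it is not code from the page or from Avast. It audits the file-based locations named above (~/.bashrc, crontab @reboot entries, systemd units that describe themselves as "System Daemon", and /etc/inittab respawn entries); the SELinux policy and /etc/init + PATH variants are not covered. The "volatile directory" heuristic and all sample file contents are constructed assumptions, not Torii indicators.

```python
"""Audit the Linux persistence locations named in the Torii write-up.

Added example, not code from the page or from Avast. The sample file
contents are constructed to show what each check flags; the heuristic
"volatile directory" list is an assumption, not a Torii indicator.
"""
import glob
import os
import re
from pathlib import Path

# Directories a dropped payload is commonly executed from (assumption).
VOLATILE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
VOLATILE_PATH = re.compile("|".join(re.escape(d) + r"\S+" for d in VOLATILE_DIRS))
DAEMON_ALIAS = "System Daemon"  # name the write-up says Torii gives itself


def _active_lines(text):
    """Yield (line_no, stripped_line) for non-empty, non-comment lines."""
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            yield no, stripped


def bashrc_hits(text):
    """Shell rc lines that run something out of a volatile directory."""
    return [(no, line) for no, line in _active_lines(text) if VOLATILE_PATH.search(line)]


def reboot_cron_hits(text):
    """crontab entries that use the @reboot clause."""
    return [(no, line) for no, line in _active_lines(text) if line.startswith("@reboot")]


def systemd_unit_hits(units):
    """units: {unit file name: content}. Flag the 'System Daemon'
    description or an ExecStart that points into a volatile directory."""
    hits = []
    for name, content in units.items():
        desc = re.search(r"^Description=(.*)$", content, re.M)
        execs = re.findall(r"^ExecStart=(.*)$", content, re.M)
        if (desc and desc.group(1).strip() == DAEMON_ALIAS) or any(
            VOLATILE_PATH.search(e) for e in execs
        ):
            hits.append(name)
    return hits


def inittab_hits(text):
    """/etc/inittab respawn entries that point into a volatile directory."""
    return [
        (no, line)
        for no, line in _active_lines(text)
        if ":respawn:" in line and VOLATILE_PATH.search(line)
    ]


def _read(path):
    """Best-effort read; unreadable or missing files count as empty."""
    try:
        return Path(path).read_text(errors="replace")
    except OSError:
        return ""


def audit_host(home=None):
    """Read-only sweep of the live host; returns {check: findings}."""
    home = Path(home) if home else Path.home()
    cron_files = ["/etc/crontab"] + glob.glob("/var/spool/cron/crontabs/*") + glob.glob("/var/spool/cron/*")
    units = {os.path.basename(p): _read(p) for p in glob.glob("/etc/systemd/system/*.service")}
    return {
        "bashrc": bashrc_hits(_read(home / ".bashrc")),
        "cron": [(f, h) for f in cron_files for h in reboot_cron_hits(_read(f))],
        "systemd": systemd_unit_hits(units),
        "inittab": inittab_hits(_read("/etc/inittab")),
    }


# Constructed samples (not real artefacts) showing what the checks flag.
SAMPLE_BASHRC = """# ~/.bashrc
export PATH=$HOME/bin:$PATH
alias ll='ls -la'
/tmp/.x/sysdaemon >/dev/null 2>&1 &
"""
SAMPLE_CRONTAB = "@reboot /tmp/.x/sysdaemon\n0 3 * * * /usr/bin/backup\n"
SAMPLE_UNITS = {
    "sysdaemon.service": "[Unit]\nDescription=System Daemon\n[Service]\nExecStart=/tmp/.x/sysdaemon\n",
    "ssh.service": "[Unit]\nDescription=OpenBSD Secure Shell server\n[Service]\nExecStart=/usr/sbin/sshd -D\n",
}
SAMPLE_INITTAB = "id:3:initdefault:\nx1:2345:respawn:/tmp/.x/sysdaemon\n"

if __name__ == "__main__":
    for check, hits in audit_host().items():
        print(check, hits)
```

Run it as root to read every crontab and unit file; the checks are pure functions over file text, so the same code can be pointed at a mounted disk image by passing the image's home directory and reading its /etc files instead of the live ones.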

4. After these, it executes an ELF file, which works as the second payload. It then directly executes commands from the master server, the CnC. It tries to get commands from CnC servers running at:


Some more domains are hosted on the same network, such as:

  • cc
  • win

What Anti-Analysis Methods Does Torii Use?

The anti-analysis methods used by the Torii botnet are not that advanced, but they are still very effective. Some of these are:

1. Torii calls sleep() for 60 seconds after execution, which helps it evade detection.

2. It also neutralizes its process name via a prctl(PR_SET_NAME) call, changing it to something like "\[[a-z]{12,17}\]" so that detection based on blacklisted process names does not catch it.

3. It has simple anti-debugging techniques, data exfiltration, and multi-level encryption of its communications built in.
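The renamed-process trick in point 2 is also a detection opportunity: a genuine kernel thread never carries literal square brackets in /proc/<pid>/comm (ps adds them for display) and has no readable exe link, so a bracketed comm on a process that does have an exe is a userland program pretending to be a kernel thread. The scanner below is an added example written for this article, not code from the page or from Avast. It uses the pattern quoted above plus a second pattern for the case where the kernel truncates the name to 15 bytes (TASK_COMM_LEN is 16 including the terminator). build_fake_proc() creates a constructed /proc look-alike so the scan can be exercised offline; the process names and pids in it are made up.

```python
"""Spot userland processes whose name mimics a kernel thread.

Added example, not code from the page or from Avast. The kernel's comm
field holds at most 15 bytes (TASK_COMM_LEN is 16 including the NUL), so a
name set via prctl(PR_SET_NAME) longer than that is truncated; the second
pattern covers that truncated form. build_fake_proc() builds a constructed
/proc look-alike so the scan can be exercised offline.
"""
import os
import re
import sys
import tempfile

# Pattern quoted in the write-up: bracketed 12..17 lowercase letters.
FULL_NAME = re.compile(r"\[[a-z]{12,17}\]")
# Same name after the kernel truncates comm to 15 bytes: bracket + 14 letters.
TRUNCATED_NAME = re.compile(r"\[[a-z]{14}")


def looks_like_torii_name(comm):
    """True when comm matches the bracketed random-letter naming scheme."""
    return bool(FULL_NAME.fullmatch(comm) or TRUNCATED_NAME.fullmatch(comm))


def scan_proc(proc_root="/proc"):
    """Return (pid, comm, exe) for processes whose comm is bracketed.

    Real kernel threads never have literal brackets in comm and have no
    readable exe link, so any match is a userland process that renamed itself.
    """
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pdir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pdir, "comm")) as fh:
                comm = fh.read().rstrip("\n")
        except OSError:
            continue  # process exited or is unreadable
        if not looks_like_torii_name(comm):
            continue
        try:
            exe = os.readlink(os.path.join(pdir, "exe"))
        except OSError:
            exe = None  # no exe link: would be a kernel thread, still worth a look
        findings.append((int(entry), comm, exe))
    return sorted(findings)


def build_fake_proc():
    """Constructed /proc look-alike (made-up pids and names): one renamed
    userland process, one ordinary kernel thread, one ordinary daemon."""
    root = tempfile.mkdtemp(prefix="fakeproc_")
    samples = {
        "4242": ("[abcdefghijklm]", sys.executable),  # renamed, 13 letters
        "17": ("kworker/0:1", None),                   # kernel thread: no brackets, no exe
        "900": ("sshd", "/usr/sbin/sshd"),
    }
    for pid, (comm, exe) in samples.items():
        pdir = os.path.join(root, pid)
        os.makedirs(pdir)
        with open(os.path.join(pdir, "comm"), "w") as fh:
            fh.write(comm + "\n")
        if exe:
            os.symlink(exe, os.path.join(pdir, "exe"))
    return root


if __name__ == "__main__":
    for pid, comm, exe in scan_proc():
        print(f"pid={pid} comm={comm!r} exe={exe}")
```

On a live host, run it as root so every /proc/<pid>/exe link is readable; a hit with a resolvable exe in /tmp or a similar directory is the strongest signal, while a hit whose exe cannot be read only tells you the process is hiding its name and still needs a closer look.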

So, that was all, folks! It is better to stay safe and secure, so take all the necessary measures and precautions available to keep your data and personal information safe from these types of malware and botnets.