highlighted the fact that it exploits IoT devices with weak credentials. After
infiltrating a device, it executes a shell script that determines the type of architecture. Once
the system architecture has been verified, the cybercriminals send the matching malicious payload
to take complete control of the system.
Some of the commands used by Torii to make sure the payload is delivered to the
victims include “ftp”, “wget”, “ftpget”, “busybox wget”, or “busybox ftpget”.
When the botnet is unable to download binaries through the HTTP protocol, it then sets
its sights on the FTP protocol. In that case, the credentials embedded in the shell script are
used by the botnet to establish a connection with an FTP server over the Internet Protocol.
The botnet uses these binaries as droppers for its next payload.
The botnet uses multiple methods to ensure that persistence is maintained on
an infected device, so that control of the system does not go back to the victim. These are the
following:
Automatic execution via injected code into ~/.bashrc,
Automatic execution via the “@reboot” clause in crontab,
Automatic execution as a “System Daemon” service via systemd,
Automatic execution via /etc/init and PATH. Once again, it calls itself “System Daemon”,
Automatic execution via modification of the SELinux policy management, and
Automatic execution via /etc/inittab.
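As an added example (not from the chapter or from Avast's analysis), the following POSIX shell script triages the persistence locations listed above against a root directory, such as a mounted image of a suspect device. The search patterns, the sample tree and the file names are assumptions for illustration; the SELinux policy change is not covered because it leaves no single file line to grep for.

```shell
#!/bin/sh
# Triage check for the Torii-style persistence locations listed in the text.
# Argument: root directory to inspect (mounted device image, or "/" on the device).
# Prints one "HIT" line per indicator and, last, the total count (assumed heuristics).
scan_torii_persistence() {
  root="${1:-/}"
  hits=0
  report() { hits=$((hits + 1)); echo "HIT [$1] $2"; }
  # ~/.bashrc: a line that launches something from a writable directory in the background
  for rc in "$root/root/.bashrc" "$root"/home/*/.bashrc; do
    [ -f "$rc" ] && grep -Eq '(/tmp|/var/tmp|/dev/shm)/[^ ]+.*&' "$rc" && report bashrc "$rc"
  done
  # crontab: "@reboot" entries
  for cr in "$root/etc/crontab" "$root"/var/spool/cron/crontabs/*; do
    [ -f "$cr" ] && grep -q '^@reboot' "$cr" && report crontab "$cr"
  done
  # systemd: a unit calling itself "System Daemon"
  for u in "$root"/etc/systemd/system/*.service; do
    [ -f "$u" ] && grep -q 'Description=System Daemon' "$u" && report systemd "$u"
  done
  # /etc/init and /etc/init.d: scripts using the same name
  for s in "$root"/etc/init/* "$root"/etc/init.d/*; do
    [ -f "$s" ] && grep -q 'System Daemon' "$s" && report init "$s"
  done
  # /etc/inittab: a respawn entry that runs a binary from a writable directory
  [ -f "$root/etc/inittab" ] && grep -Eq 'respawn:(/tmp|/var/tmp|/dev/shm)/' "$root/etc/inittab" \
    && report inittab "$root/etc/inittab"
  echo "$hits"
}

# Constructed sample tree (assumed contents, not real Torii artifacts) to exercise the scan.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/root" "$d/etc/systemd/system" "$d/etc/init.d"
  printf 'export PATH=$PATH:/usr/local/bin\n/tmp/.x/sd >/dev/null 2>&1 &\n' > "$d/root/.bashrc"
  printf '@reboot /tmp/.x/sd\n' > "$d/etc/crontab"
  printf '[Unit]\nDescription=System Daemon\n[Service]\nExecStart=/tmp/.x/sd\n' \
    > "$d/etc/systemd/system/sd.service"
  printf '::sysinit:/etc/init.d/rcS\n::respawn:/tmp/.x/sd\n' > "$d/etc/inittab"
  echo "$d"
}

# Usage: the last line printed is the hit count (4 for the sample tree).
SAMPLE=$(make_sample_tree)
scan_torii_persistence "$SAMPLE"
rm -rf "$SAMPLE"
```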
The next stage of the payload then begins its operation. It is at this point that the
malware establishes a connection with the cybercriminals' C2 (command and control)
server. There are usually three addresses associated with this server, and they are used to
perform three tasks:
Lock and delete data.
Run cryptographic algorithms to encrypt data and communication.
Apply anti-debugging tools.
In order to communicate with its server, Torii uses TCP port 443. Interestingly, Avast
claims that this is trickery, because the TLS protocol is never used. Instead, the malware
deceives by using the port normally reserved for HTTPS traffic.
Despite its extremely dangerous mechanism, experts are baffled as to why it does not follow
the modus operandi of typical botnets, which try to bombard users with DDoS attacks.
Opinions on this mystery are therefore divided.
MIRAI
When Mirai was at its peak, it managed to damage many high-profile names, such as Krebs on
Security, OVH, and Dyn, by organizing DDoS attacks. According to OVH, the attack surpassed
the 1 Tbps mark, a record.
At that time, it was reported that the entire US was brought down by Mirai, such was the scale
of its digital invasion. Interestingly, security professionals revealed that it inflicted such
large-scale havoc through the use of IoT devices like personal surveillance cameras, air-quality
monitors, and home routers. When Mirai was at the top of its game, it is estimated that it
infiltrated over 600,000 IoT devices.
Chapter 11 Security Challenges for IoT 275