Rise of TOR-based Botnets

Monday, July 29, 2013 @ 04:07 PM gHale


Botnet leaders know one of the vital aspects to keeping their enterprise thriving is to ensure the command and control (C&C) centers remain online.

That, however, is not as easy as it once was as security firms and law enforcement agencies are constantly looking to take down. Now the cyber bad guys are looking for new ways to stay one step ahead.

RELATED STORIES
Most of Citadel Botnet Down
Spam Botnet Dodges Detection
Customized Mobile Number Harvesting
Custom Spam Uses Personal Data

The most popular of these ways is to decentralize the communication infrastructure, make it peer-to-peer. But another option is to hide the C&C in the TOR network.

Tor is an open network that helps you defend against a form of network surveillance that threatens freedom and privacy, confidential business activities and relationships, and traffic analysis.

A favorite with online criminals, the use of TOR allows them to hide their and the botnet’s C&C’s real location from researchers, and researchers already found a successful example of this approach.

Other bot masters have obviously become intrigued with the idea, as ESET researchers just found are analyzing two TOR-based botnets.

To create the first one, the bot master used an old form-grabber Trojan that just acquired the capability of using the TOR hidden service protocol for communicating with its C&C panel and servers inside the TOR network.

The other one, created earlier this month, is also interesting.

The Atrax Trojan serves as a backdoor, steals information, is able to download additional files, malware and plugins. In addition, it is able to set up a TOR client on the target machine.

“When the first connection is made with the C&C, Atrax.A sends collected information about the infected system to an address inside the TOR network,” the researchers in a blog post.

“It isn’t possible to ascertain the original C&C IP address or domain with a TOR enabled connection but it is possible to use the address generated in the TOR network for analysis,” the researchers said.

“Win32/Atrax.A is interesting example of a TOR-based botnet with AES encryption for additional plugins and a unique encryption key dependent on hardware parameters of the infected machine for its generation,” they pointed out, and added they continue to track its activity.

They also expect to see more TOR-based botnets in the future, as they have lately observed a growth in the numbers of malware families starting to use TOR-based communications.



Leave a Reply

You must be logged in to post a comment.