Hunting Down Malware on the Deep Web
Botnets are still considered one of the most dangerous cyber threats. These malicious networks of compromised machines are used by cyber criminals and state-sponsored hackers for numerous activities, including DDoS attacks, spam campaigns, and financial scams.
The principal problem for a botmaster is to make a botnet resilient against operations run by law enforcement. For operators it is essential to hide Command and Control servers and network traffic to avoid takeover of the malicious infrastructure.
The Tor network offers a privileged environment for botmasters that could exploit the popular anonymizing network to hide the C&C servers.
During the Defcon Conference in 2010, security engineer Dennis Brown discussed Tor-based botnets, highlighting the pros and cons of hiding C&C servers in the Tor network. The principal advantages of Tor-based botnets are:
• Availability of Authenticated Hidden Services
• Availability of Private Tor Networks
• Possibility of Exit Node Flooding
Security researchers use traffic analysis to detect botnet activity and to localize the C&C servers, typically with Intrusion Detection Systems and network analyzers. Once they’ve detected a botnet, researchers and law enforcement have several options to eradicate it:
• Obscuration of the IP addresses assigned to the C&C server
• Cleaning of the server hosting the botnet and of the compromised hosts
• Domain name revocation
• De-peering of the hosting provider
The botnet traffic is routed to the C&C server through the Tor network, which encrypts it and makes its analysis more difficult.
Brown proposed the following two botnet models that exploit the Tor network:
• “Tor2Web proxy based model”
• “Proxy-aware malware over Tor network”
“Tor2Web Proxy Based Model”
The routing mechanism relies on a Tor2Web proxy to redirect .onion web traffic. The bot connects to the hidden service through the Tor2Web proxy, using an onion address that identifies the C&C server, which itself remains hidden.
The principal problem with this approach is that Tor2Web traffic is easy to filter, and such a configuration could suffer from considerable latency introduced by the Tor network, which could make a botnet built this way unresponsive.
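As an added illustration of why Tor2Web traffic is easy to filter (example code, not from Brown's talk or the original article), the following Python snippet scans constructed proxy-log lines for hostnames that carry an onion address routed through a Tor2Web-style gateway. It assumes the `<onionaddress>.onion.<gateway>` naming scheme; the log format, client addresses and gateway domain are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log: "<client> <method> <url>" per line. Not real traffic;
# the onion labels are arbitrary base32 strings of v2 (16) and v3 (56) length.
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET http://qwertyuiopasdfgh.onion.example-gateway.test/checkin
10.0.0.12 GET http://www.example.com/index.html
10.0.0.33 POST https://abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion.example-gateway.test/report
10.0.0.44 GET http://onion.example.com/page
"""

# A hostname of the form [<sub>.]<onion-label>.onion.<gateway-domain>.
# Onion labels are base32 (a-z, 2-7): 16 chars for v2 services, 56 for v3.
ONION_VIA_GATEWAY = re.compile(
    r"^(?:[a-z0-9-]+\.)*([a-z2-7]{16}|[a-z2-7]{56})\.onion\.([a-z0-9-]+(?:\.[a-z0-9-]+)+)$"
)


def tor2web_target(url):
    """Return (onion_address, gateway_domain) if the URL goes through a
    Tor2Web-style gateway, otherwise None."""
    host = (urlsplit(url).hostname or "").lower()
    match = ONION_VIA_GATEWAY.match(host)
    if not match:
        return None
    return match.group(1) + ".onion", match.group(2)


def find_tor2web_requests(log_text):
    """Return one record per log line whose URL points at an onion address
    via a Tor2Web-style gateway; such lines are candidates for blocking."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed or empty line, skip
        client, _method, url = parts[0], parts[1], parts[2]
        target = tor2web_target(url)
        if target:
            hits.append({"client": client, "onion": target[0],
                         "gateway": target[1], "url": url})
    return hits


if __name__ == "__main__":
    for hit in find_tor2web_requests(SAMPLE_PROXY_LOG):
        print(f"{hit['client']} -> {hit['onion']} via {hit['gateway']}")
```

Plain `.onion` hostnames never reach an ordinary proxy, so a hit here means a client is deliberately using a clearnet gateway into Tor, which is exactly the filtering point Brown raised.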
“Proxy-Aware Malware Over Tor Network”
This approach relies on proxy-aware malware. Because no Tor2Web service is used, the bot agents have to run Tor clients on the infected hosts. The main difference from the first solution lies in the requirements for the bot agents and their configuration.
Bots need SOCKS5 support to reach .onion addresses through the Tor client loaded on the victims’ systems.
This second approach is more secure because traffic isn’t routed through a proxy: it stays entirely within the Tor network thanks to the direct connection between bots and C&C servers. This configuration avoids traffic interception at exit nodes, which are not involved in the architecture.
This approach is more complex from the bot's perspective because of the work involved in managing the SOCKS5 interface and in synchronizing the botnet. A botnet of this kind could be easily detected by the presence of Tor traffic on a network.