Cybercrooks Increasingly Use Tor Network To Control Botnets

alphadogg writes "Malware writers are increasingly considering the Tor anonymity network as an option for hiding the real location of their command-and-control servers, according to researchers from security firm ESET. The researchers recently came across two botnet-type malware programs that use C&C servers operating as Tor 'hidden services.' The Tor Hidden Service protocol allows users to set up services — usually Web servers — that can only be accessed from within the Tor network through a random-looking hostname that ends in the .onion pseudo domain extension. The traffic between a Tor client and a Tor hidden service is encrypted and is randomly routed through a series of computers participating in the network and acting as relays."
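The summary above describes .onion names as random-looking hostnames that only resolve inside Tor, which is exactly why a defender most often meets them as stray lookups in DNS or proxy logs. The following Python is an added example, not code from the article, from ESET or from the Tor Project: it scans constructed log lines for .onion hostnames and checks their structure, both the 16-character v2 form that was current when the article was written (80-bit truncated SHA-1 of the service's RSA key, so only alphabet and length can be checked) and the 56-character v3 form Tor introduced later, whose trailing two-byte SHA3-256 checksum and version byte can be verified. The sample key, the addresses derived from it and the log lines are constructed for the demonstration.

```python
import base64
import hashlib
import re

# Matches a v2 (16-char) or v3 (56-char) base32 label followed by .onion.
ONION_RE = re.compile(r"\b([a-z2-7]{16}|[a-z2-7]{56})\.onion\b", re.IGNORECASE)


def onion_v3_checksum(pubkey: bytes, version: int = 3) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version),
    the checksum construction of the v3 onion address format."""
    h = hashlib.sha3_256()
    h.update(b".onion checksum")
    h.update(pubkey)
    h.update(bytes([version]))
    return h.digest()[:2]


def make_onion_v3(pubkey: bytes) -> str:
    """Encode a 32-byte Ed25519 public key as a v3 .onion hostname."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion addresses encode a 32-byte public key")
    raw = pubkey + onion_v3_checksum(pubkey) + b"\x03"  # 35 bytes -> 56 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def classify_onion(hostname: str) -> str:
    """Return 'v2', 'v3' or 'invalid' for a hostname that looks like .onion."""
    host = hostname.lower()
    if not host.endswith(".onion"):
        return "invalid"
    label = host[: -len(".onion")]
    try:
        raw = base64.b32decode(label, casefold=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return "invalid"
    if len(label) == 16:
        # v2 carries no checksum: only alphabet and length are checkable.
        return "v2"
    if len(label) == 56:
        pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
        if version != 3 or onion_v3_checksum(pubkey, version) != checksum:
            return "invalid"
        return "v3"
    return "invalid"


def find_onion_hosts(log_lines):
    """Scan log lines for .onion hostnames and classify each hit."""
    hits = []
    for line in log_lines:
        for match in ONION_RE.finditer(line):
            host = match.group(0).lower()
            hits.append((host, classify_onion(host)))
    return hits


# Constructed sample data (not a real service): a stand-in 32-byte key
# derived from a fixed string, so the v3 address below is reproducible.
SAMPLE_PUBKEY = hashlib.sha256(b"constructed sample key, not a real Ed25519 key").digest()
SAMPLE_V3 = make_onion_v3(SAMPLE_PUBKEY)
# A v3 address always ends in "d": the version byte 0x03 occupies the last
# base32 character. Corrupting that character makes the version check fail.
TAMPERED_V3 = SAMPLE_V3[:-7] + "a.onion"

# Constructed DNS/proxy log lines. Tor resolves .onion names inside its own
# network, so they should never reach an ordinary resolver at all.
SAMPLE_LOG = [
    f"2013-07-25T12:00:01Z dns query A {SAMPLE_V3} from 10.0.0.23",
    "2013-07-25T12:00:02Z dns query A abcdefghijklmn23.onion from 10.0.0.23",
    f"2013-07-25T12:00:03Z proxy CONNECT {TAMPERED_V3}:80 from 10.0.0.9",
    "2013-07-25T12:00:04Z dns query A www.example.com from 10.0.0.5",
]

if __name__ == "__main__":
    for host, kind in find_onion_hosts(SAMPLE_LOG):
        print(f"{kind:8} {host}")
```

Any .onion lookup that reaches a normal resolver is itself a signal, since a correctly configured Tor client never sends one; a hit usually means a leaking or misconfigured Tor client on that host, whether a user's or a bot's. The structural check only filters out typos and junk, so a malformed name is worth a look rather than a dismissal.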
  • shocking (Score:5, Informative)

    by schneidafunk ( 795759 ) on Thursday July 25, 2013 @12:00PM (#44382081)
    In other news, bank robbers are increasingly wearing masks.
  • Re:Cool. (Score:4, Informative)

    by houstonbofh ( 602064 ) on Thursday July 25, 2013 @12:28PM (#44382479)
    Victims passing out in alleys in high crime areas with a Rolex on the wrist? Yes.

    Victims leaving boxes of expensive electronics in the back seat at the mall over the holidays? Yes.
    Blame the criminal as well, but take precautions. For example, leaving the keys in your car or leaving your car running is a crime in several states. When it is stolen, you get a fine, and insurance may not pay out.
  • by Jane Q. Public ( 1010737 ) on Thursday July 25, 2013 @12:53PM (#44382779)

    "It's pretty easy to take away the anonymity of tor if you could hypothetically record all traffic to and from each computer in the network."

    Tor was specifically designed to prevent exactly that.

    The vulnerability of Tor is in its exit nodes (where Tor routing ends, and regular internet routing resumes). A third party can snarf all the traffic through an exit router, and (if that traffic is from one person), they might as well have a tap at that person's ISP.

    The difficulty, of course, is that there is no way to tell in advance via which exit router your traffic will exit. So the government's scheme is to monitor as many exit nodes as possible.

    There are two ways to make this more difficult for them: hiding and switching.

    Hiding means increasing the number of Tor exit nodes (preferably vastly increasing it), as well as turning them on and off at random times (I don't mean every few minutes, but more like in blocks of 4-8 hours or so). This makes it more difficult to track traffic through any given exit node. Note, however, that in order for Tor to work effectively while turning nodes on and off like that, it would definitely need many more exit nodes. Hell, it needs lots more anyway.

    By "switching", I mean sending all your HTTP requests via multiple connections through different Tor routes. Because of the wait times to re-align packets, this is not necessarily significantly faster over Tor (as it is when using multiple connections for downloads, as some browsers do), but that is possible. It would mean that only some of your packets are exiting via any given Tor exit node, making tracing your activities much harder.

  • by Desler ( 1608317 ) on Thursday July 25, 2013 @12:54PM (#44382791)

    Nope it was the U.S. Naval Research Lab that was the original sponsor. Also as of 2012, 80% of their funding was still from the U.S. government.
