Cybercrooks Increasingly Use Tor Network To Control Botnets

alphadogg writes "Malware writers are increasingly considering the Tor anonymity network as an option for hiding the real location of their command-and-control servers, according to researchers from security firm ESET. The researchers recently came across two botnet-type malware programs that use C&C servers operating as Tor 'hidden services.' The Tor Hidden Service protocol allows users to set up services — usually Web servers — that can only be accessed from within the Tor network through a random-looking hostname that ends in the .onion pseudo domain extension. The traffic between a Tor client and a Tor hidden service is encrypted and is randomly routed through a series of computers participating in the network and acting as relays."

I guess I don't know how these things work

[beschra]

Why haven't they been doing this for a long time already?

Re:I guess I don't know how these things work

[houstonbofh]

No need... Cheap server hosting with little tracking was plentiful. Now, not so much... You see, as they develop new methods, lots of people study and find ways to defeat those methods. So in a small ammount of time, there will be many hackers finding a way to shatter annonomity in TOR. The NSA could not have planned it better.

Re:I guess I don't know how these things work

[stewsters]

Its pretty easy to take away the anonymity of tor if you could hypothetically record all traffic to and from each computer in the network. You can then see Alice send the message to Carlos who then forwarded it to Bob. Luckily in the US no one is recording every encrypted message you send... oh shit.

The only way to protect yourself would to use garlic routing [wikipedia.org] and make sure you send a lot of traffic. Turn your bandwidth up. To improve this, you need to create a widely used sharing client for your network to get as many others to create decoy traffic as you can.

Re:

[houstonbofh]

Its pretty easy to take away the anonymity of tor if you could hypothetically record all traffic to and from each computer in the network. You can then see Alice send the message to Carlos who then forwarded it to Bob. Luckily in the US no one is recording every encrypted message you send... oh shit.

Next time you are on TOR look and see where your exit node is. Surprisingly often is it Virginia... Hmm... Is my tinfoil hat on tight?

Re:

[lister king of smeg]

mine has never popped up in Virginia, it usually pops out in some eastern block country when i use it or japan a couple of time in California.

Re:

[blueg3]

You can only do this if the Tor traffic rate is fairly low or through fairly sophisticated correlated-timing attacks. Each layer of indirection wraps the TCP stream in a layer of encryption, so you cannot, in fact, see the same message transit between nodes in a Tor network.

Re:I guess I don't know how these things work

[Jane Q. Public]

"Its pretty easy to take away the anonymity of tor if you could hypothetically record all traffic to and from each computer in the network. "

Tor was specifically designed to prevent exactly that.

The vulnerability of Tor is in its exit nodes (where Tor routing ends, and regular internet routing resumes). A third party can snarf all the traffic through an exit router, and (if that traffic is from one person), they might as well have a tap at that person's ISP.

The difficulty, of course, is that there is no way to tell in advance via which exit router your traffic will exit. So the government's scheme is to monitor as many exit nodes as possible.

There are two ways to make this more difficult for them: hiding and switching.

Hiding means increasing the number of Tor exit nodes (preferably vastly increasing it), as well as turning them on and off at random times (I don't mean every few minutes, but more like in blocks of 4-8 hours or so). This makes it more difficult to track traffic through any given exit node. Note, however, that in order for Tor to work effectively while turning nodes on and off like that, it would definitely need many more exit nodes. Hell, it needs lots more anyway.

By "switching", I mean sending all your HTTP requests via multiple connections through different Tor routes. Because of the wait times to re-align packets, this is not necessarily significantly faster over Tor (as it is when using multiple connections for downloads, as some browsers do), but that is possible. It would mean that only some of your packets are exiting via any given Tor exit node, making tracing your activities much harder.

Re:I guess I don't know how these things work

[tacokill]

The vulnerability of Tor is in its exit nodes
This is true only if you intended target is on the regular internet and not within Tor itself. The article speaks to hidden services within Tor so exit nodes don't even come into play.

There are plenty of hidden services inside the Tor network that are far worse than botnet C&Cs and those have been going on for years now. Methinks if there was a way to shutdown bad stuff on Tor, you'd have already heard about it.

Re:

[Jane Q. Public]

"The article speaks to hidden services within Tor so exit nodes don't even come into play. "

YES, BUT...

I was replying to GP, and GP's comment was NOT about the hidden services within Tor. It was about tracking traffic within Tor.

My point was that it is not at this time possible to track traffic within Tor. (Unless of course you are monitoring each individual hop and that is impractical at best.) If you want to track Tor traffic, you have to do it at the exit nodes.

Re:

[tacokill]

we are saying the same thing

Re:

[icebike]

Its pretty easy to take away the anonymity of tor if you could hypothetically record all traffic to and from each computer in the network. You can then see Alice send the message to Carlos who then forwarded it to Bob. Luckily in the US no one is recording every encrypted message you send... oh shit..

One has to wonder if this story isn't simply a trial balloon for a world wide campaign against TOR. Get some Slovakian "security researcher" company (that goes out of its way to avoid telling you anything about itself on its website) to publicly worry about TOR, and induce a few press articles. Pretty soon, the government can step in and "protect us" from the evil TOR.

Re: I guess I don't know how these things work

[yahwotqa]

ESET is actually a somewhat well-known company in malwar protection business, at least in Europe. Still, you might be onto something...

Re:

[Aryeh Goretsky]

Hello,

I guess you didn't look very closely at ESET's web site:

About Page - http://www.eset.com/us/about/profile/overview/ [eset.com]

Contact Page - http://www.eset.com/us/about/contact/ [eset.com]

According to their page on Wikipedia, they have over 800 employees: https://en.wikipedia.org/wiki/ESET [wikipedia.org]

Hardly obscure, and as for the U.S. government listening to them, they'd have to get in line far, far behind Symantec, McAfee, Trend, etc.

Regards,

Aryeh Goretsky

Re:

[lennier]

Its pretty easy to take away the anonymity of tor if you could hypothetically record all traffic to and from each computer in the network. You can then see Alice send the message to Carlos who then forwarded it to Bob. Luckily in the US no one is recording every encrypted message you send... oh shit.

Ding!

I bet that's exactly what the NSA is doing. And suddenly you've shown me a real legitimate use case for their heavy-hammer total interception approach. The real hardened high-value nasties are in the Tor streams; crack those and it might be worthwhile dragnetting everyone else as collateral.

Which, crap. I was not wanting to see it like that, but that makes a whole lot of sense from a certain point of view.

Re:

[Immerman]

And then hackers on the other side find a way to make a more shatterproof alternative, which could really suck for the NSA. After all IIRC Tor is a closed-source NAVY project so it can be reasonably assumed that it includes a military-controlled backdoor, and if the NSA doesn't already have the keys I'm betting they could get them pretty quickly if they wanted them, whether via official channels, blackmail, or other maneuverings.

Re:

[Electricity Likes Me]

Tor isn't closed source.

The more pertinent issue is that Tor exit nodes are under no obligations to allow certain types of traffic to exit. So it's perfectly possible to block known malware data. Though not much you could do about Tor running as the malware, but in that regard scanning for unintended Tor processes would be a pretty good red flag.

Re:

[CastrTroy]

Yeah, but botnets are often controlled with common protocols like HTTP and IRC, because they are simple, and the code already exists, so they don't have to write their own protocols from scratch. So it may not really be that easy to determine if traffic is botnet contol codes or just a regular browser requesting a web page.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

Because many of them are idiotic script kiddies who don't know the first thing about security?

shocking

[schneidafunk]

In other news, bank robbers are increasingly wearing masks.

Re:

[robot256]

First thing the police would do is see if they could identify the same person buying spray tan, fauxhawk wig, and fake tattoos in the last month...

Re:

[lxs]

Who I call for black market spray-tan? Do I ask for Mr. Brown?
Can I live in your reality for a while?

Re:

[lgw]

I bought mine 20 years ago.

at a gas station in fargo.

traded a dog for the items.

The dog had an embedded tracking chip.

It has been kept in cryogenic stasis, per the secret "freeze dogs traded for disguises or the communists win" law of 1954.

The dog remembers you and your scent, and will provide positive ID.

Re:

[Anonymous Coward]

The best way to rob a bank is... owning one !

so true, and so wrong, that is not funny :-\

Re:

[fustakrakich]

Yes, and the chosen solution will be to outlaw masks. And we all know that bank robbers will balk at violating that law. But most of today's biggest bank robbers are wearing suits. They are even so brazen to keep an office in that bank with their name on the door!

Re:

[fustakrakich]

What, robbing banks from the inside? I suppose it works everywhere.

Re:

[icebike]

Perfect anonymity is always a goal for hackers

NSA guy hiding as AC these days? Sheesh, how far you've sunken.

Glorious Leader Obummer

[Anonymous Coward]

Fear not Citizen. Glorious Leader Obummer will ban Tor and encryption so that the terrorists can never hurt you again. We now return you back to your regularly scheduled programming: American Idol.

Re:

[MrEricSir]

Nah, I'm sure DARPA considered this possibility before deciding to fund Tor.

Cool.

[magic maverick]

Of course, you shouldn't blame Tor for this. I'm sure Freenet could equally be used, but Tor is just easy. Instead, blame the OS manufactures, and the owners of the bot-ridden machines. Seriously. It's your fault if you don't know enough about your car that you ignore the oil light and it seizes up on a highway. And it's your fault if your machine is turned into a cog of part of a greater machine, bending to the whims of some "hacker".

Maybe it's time to bring back computers with the OS stored in ROM, so that is is reset to a clean state every time the computer is restarted.

Re:

[houstonbofh]

Maybe it's time to bring back computers with the OS stored in ROM, so that is is reset to a clean state every time the computer is restarted.

But how do you safely burn the rom every 4th Tuesday?

Re:

[ADRA]

Yes, we often blame the victims for crimes, because they're dumb.

Re:Cool.

[houstonbofh]

Victims passing out in alleys in high crime areas with a Rolex on the wrist? Yes.

Victims leaving boxes of expensive electronics in the back seat at the mall over the hollidays? Yes.
Blame the criminal as well, but take precautions. For example, leaving the keys in your car or leaving your car running, is a crime in several staes. When it is stolen, you get a fine, and insurance may not pay out.

Re:

[Threni]

This, but without the sarcasm.

Like the policemen talking about the woman who drink 20 gin and tonics and claimed she'd been spiked with rohypnol. What were you doing drinking 20 alcoholic drinks? Which one do you think was spiked?

Re:

[lister king of smeg]

we live ins computer controled civilization willful ignorance of how to use them is a major problem.
car ananlogy

We expect people who own a car to be trained to drive it, and part of the training is basic maintenance and knowledge of how it works. people know how to change out spark plugs and add fluids swap light bulbs put in new filters change a tire etc.

but with computers they don't bother to learn the don't want to learn and the actively avoid training. they don't want lo learn how to secure their comput

Re:

[girlintraining]

Of course, you shouldn't blame Tor for this. I'm sure Freenet could equally be used, but Tor is just easy. Instead, blame the OS manufactures, and the owners of the bot-ridden machines.

Actually, you could use magnet links, or any one of a dozen peer to peer services, embedded commands in images on Facebook... the list goes on. The vulnerability isn't Tor, it's the fact that the entire internet is a giant peer to peer network. And Tor wouldn't be in such wide use if not for (wait for it) Governments dumping mass amounts of money into spying on people. And the more they do that, the more people who legitimately just want privacy to do ordinary and perfectly reasonable things are turning to

Re:

[Kazoo the Clown]

If the NSA wasn't sitting on OS bugs because they want back doors, instead of reporting them, there probably wouldn't be so many infected machines to run as botnets.

Re:

[John Bokma]

Maybe it's time to bring back computers with the OS stored in ROM, so that is is reset to a clean state every time the computer is restarted.

Yeah, that worked very well for RISC OS, right? Or were you one of its users who actually believed that it was virus-free?

Re:

[MMC Monster]

And it's your fault if your machine is turned into a cog of part of a greater machine, bending to the whims of some "hacker".

Actually, that sounds pretty cool. Like there's a higher purpose in my computer's existence.

And aren't we all just cogs in the greatest machine there is, creation?

Re:

[rossjudson]

If someone hacks into your car through the always-on wireless interface (that's so popular with new cars these days) and fires a command at your anti-lock brakes, is that *your* fault, as a driver?

Exactly when does an owned box "turn on the oil light" and let the user know they should fix it?

Re:

[Splab]

I'll be sure to check the malware light and virus light when I start my computer...

Re:

[Pubstar]

I blame them for having no taste and buying a Pinto.

Re:

[eennaarbrak]

Instead, blame the OS manufactures, and the owners of the bot-ridden machines. Seriously. It's your fault if you don't know enough about your car that you ignore the oil light and it seizes up on a highway.

Well, if an idiot ignores his oil light and ends up stranded on the highway, that is generally his problem. If an idiot allows a bot to run on his server, that becomes everybody's problem.

Well, so much for Tor.

[kheldan]

As if the powers-that-be weren't already looking for excuses to criminalize Tor, shut it down, and arrest people involved with it, now it's a certainty. Between overtly oppresive governments wishing to further tighten their grip on their citizens, and the U.S. and other Western countries wanting to destroy every notion of privacy for it's citizens and spying on everyone, this is just the excuse they all need to start black-bagging Tor operators and users. Thanks so much, assholes, for further ruining the world for everyone.

Re:

[Anonymous Coward]

If the NSA wanted to kill Tor, they would stop funding it.

This activity is not enabled by Tor. Criminals controlling lots of computers can make their own anonimizing proxy out of compromised computers, or use some other comparable service. Tor is simply easier to use, and legal, so it benefits those who follow the law.

This just in: bribes use to control police and politicians: the powers-that-be are looking to outlaw money (and the internet, and guns, and cars, and fertilizer...)

Re:

[Desler]

Nope it was the U.S. Naval Research Lab that was the original sponsor. Also as of 2012, 80% of their funding was still from the U.S. government.

Re:

[Threni]

It's WikipediaMan!

NSA? CIA? "US Naval Research Lab"? Whatever. The authorities. The people who want to ensure things don't change because for those guys and their rich friends there's no recession, no energy crisis, no job insecurity, no risk from "terrorism" etc.

Re:

[Desler]

No what you saw was funding from the US government not the NSA. Nowhere in their lists of sponsors or their annual reports is the NSA mentioned.

Re:

[Desler]

And no, not even a couple of months ago was that said on their site either.

Re:

[Desler]

You do realize that in 2012, 80% of the Tor Project's funding was from the US Government, right? If they wanted to kill it they need to do nothing more than defund it.

Re:

[icebike]

You do realize that in 2012, 80% of the Tor Project's funding was from the US Government, right? If they wanted to kill it they need to do nothing more than defund it.

Originally conceived to allow un-censored access [wikipedia.org] for people behind state sponsored firewalls, it has now become just another microphone bugging the net. All good things in Washington become corrupted.

Just today there is a story on how companies are forced to turn SSL keys. http://news.cnet.com/8301-13578_3-57595202-38/feds-put-heat-on-web-firms-for-master-encryption-keys/ [cnet.com]

And in spite of their posturing, your representatives rolled over once again just yesterday [defundthensa.com].

Re:

[meta-monkey]

That's an expensive honeypot.

Re:

[Seumas]

Did Tor ever get any better? I tried using it many (ten?) years ago and while I appreciated the concept, it was miserable in practice. It literally took minutes for a page of text to load or for a single little button icon to load. I don't think I ever let an entire page load before I just finally gave up and uninstalled it.

Re:

[tacokill]

I don't mean to point out the obvious but what makes you think the entity who created Tor (US Armed Forces, Navy) wants to shut it down?

Or did you not realize that part of Tor's funding comes from the US government itself?

Anonymity and you

[intermodal]

Anonymity is a powerful force. In both directions. The anonymous writings of the late 18th century were every bit as powerful as a masked bandit.

I, for one, do not consider the risk of Tor to be greater than the benefit.

Re:

[icebike]

As long as you realize its fully compromised by the NSA, you are probably correct.

Re:

[lgw]

I see you didn't get the memo and are still wearing a tinfoil hat. HAARP is all a distraction, the real government mind control machines are underground. Only tinfoil shoes can help you - the hat just reflects and doubles the effect, which is why the government started the rumors in the first place!

Re:

[intermodal]

I never doubted that it was likely compromised. I'd just rather see it exist than not.

Re:

[Desler]

And a terrorist pedo at that.

Re:

[meta-monkey]

I believe the pejorative you're looking for is "secret muslim terrorist pedo communist."

Re:What is wrong with being anonymous?

[lgw]

The main use of TOR seems to be buying drugs. Clearly he's a drug-dealer terrorist pedo! And a hacker.

Back when /. was young and dinosaurs walked the earth, some pundit predicted the "four horsemen of the internet apocalypse": terrorists, pedos, drug dealers, and hackers. Every freedom the internet provided would be removed over time because for each freedom the public could be sufficiently scared by one of the four horsemen.

Sadly that was overly optimistic, having underestimated the power of the copyright lobby.

Before I flame

[ADRA]

I have a suggestion instead. Build a tor like tool but mandate personal key exchange between known parties. This would strengthen the security of the service, and it would be possible to segment bad actors from people seeking true anonymity. If I welcome job drug dealer to my networks (say by monitoring edge transactions) I may decide to pull my permission for some key's nodes to connect to mine. Problems solved and we can burn out the pedo's, criminals, and all those nasty folks who's agenda's I disagree with.

Re:

[houstonbofh]

Check out Retroshare. It does exactly this. http://retroshare.sourceforge.net/ [sourceforge.net]

A quick article about it. http://www.linuxadvocates.com/2013/06/retroshare-for-paranoid-in-you.html [linuxadvocates.com]

Tor is for terrorists

[Anonymous Coward]

Remember, Citizen, the mere act of using Tor is reason enough to suggest that you could be doing something illegal which gives the police probable cause to send in a SWAT team. Anyone using Tor is a potential terrorist or paedophile otherwise they wouldn't have anything to hide. Welcome to the no-fly list.

Re:

[Desler]

Then the US government better stop being the source of 80% of the project's funding.

Re:

[fredrated]

Tor is for torrorists.

At least there's one benefit...

[Gman2725]

I wondered why browsing over Tor had been getting so much faster lately. I guess these guys have at least some of their slaves set up as relays, in effect adding capacity to the network. Honestly not sure if I'm joking though because it almost makes sense.

Alarmist journalism

[joeflies]

The article found two examples of using Tor, and had already identified one from the past. That's the justification for the "increasingly using Tor" headline? Then again, I'm surprised that they didn't run with a headline of "Malware using Tor Doubled!"

Ummm, yeah ...

[gstoddart]

Malware writers are increasingly considering the Tor anonymity network as an option for hiding the real location of their command-and-control servers

Isn't it kind of obvious that if you build something designed to try to make you anonymous that people will try to use that anonymity for shady reasons?

I'm not saying we shouldn't have anonymous data, but I don't think this observation is exactly new -- I've always assumed this was the case with Tor.