As declared several time Deep Web, thanks to the anonymity of its connection, provides to cyber criminals an ideal environment to grow up profitable business. We have mainly discussed of deep web such as a portion of cyber space mainly used to sell any kind of good, from malware agent to drugs and other criminal services, but the hidden world could also be used to give host to component of a malicious architecture used by cyber criminals.
On September 2012 the German security firm G Data Software has detected a botnet with a particular feature, it is controlled from an Internet Relay Chat (IRC) server running as a hidden service of the Tor.
I discussed in past article of the advantage of this design choice, let’s think for example to how much difficult could be the localization of the command and control servers, due the encryption of the connections interior to the network and the unpredictability of the routing of the information.
The security engineer Dennis Brown during the Defcon Conference in 2010 discussed the possibility of using the Tor network to host botnet command and control servers.
The engineer explained the advantage to adopt an hidden service in a botnet architecture that is summarized in the following points:
- Availability of Authenticated Hidden Services.
- Availability Private Tor Networks
- Possibility of Exit Node Flooding
The mechanism used by IDS is based on the detection of known signatures available for the principal botnet agents, this implies the analysis of the data transmitted by infected machines. In the specific case the traffic is routed is encrypted making hard the process of analysis, let’s remind that the hidden services inside the Tor network which can only be accessed from within the Tor network knowing the assigned .onion address.
The model of botnet could be used for various scopes, in military as cyber weapon, in industry for cyber espionage, in cybercrime to steal sensible information such as banking credentials.
Researchers use traffic analysis to detect botnet activities and to localize the control servers, typically Intrusion Detection Systems and network analyzers are adopted for the purpose.
Once detected the botnet to decapitate it are used different methods such as:
- IP of C&C server obscuration
- Cleaning of server hosting botnet and of compromised hosts
- Domain nama revoke
- Hosting provider de-peered
- “Tor2Web proxy based model”
- “Proxy-aware Malware over Tor network”
“Tor2Web proxy based model”
The use of hidden services for a botnet setup is an interesting choice, an HTTP hidden service could operate behind network devices such as NAT or Firewalls without the need to expose services to the network. The preparation phase of a botnet is quite easy due the large availability of web server easy to setup as hidden service in the DeepWeb and the possibility to retrieve botnet components practically everywhere. Botnet infrastructure are increasing in complexity but are also equipped with friendly administration consoles that make easy their configuration.
In the model proposed the traffic leaves the Tor network using Tor2Web proxy to redirect .onion web traffic, let remind that tor2web is a project to let Internet users access anonymous servers.
Here’s how it works: Imagine you’ve got something that you want to publish anonymously, like the Federalist Papers orleaked documents from a whistleblower. You publish them via HTTP using a Tor hidden service; that way your anonymity is protected. Then people access those documents through tor2web; that way anyone with a Web browser can see them.
The Scripts to run Command and Control happens via Tor2Web so that the bot have to connect to the hidden service passing through the proxy pointing to an address
In this way the traffic is redirect by the proxy to the Hidden Service identified by an .onion address, the Command & Control servers remain so hidden in the Tor network and are impossible to track down.
The weaknesses aspects of a similar approach are that is normally easy to filter Tor2Web traffic, similar proxy must be managed by botmaster in order to avoid failure or logging from third parts and the entire infrastructures suffer of the considerable latencies of Tor network that make unresponsive a botnet build with this approach.
“Proxy-aware Malware over Tor network”
The second scenario does not provide for Tor2Web, instead it make us of proxy-aware malware, agent that due the absence of Tor2Web have to run Tor on infected hosts. The main difference respect the first solution is in the requirements for the bot agents and their configuration, Bots need to have SOCKS5 support to be able to connect through Tor to .onion addresses loading Tor on the victims.
This second approach is more secure because traffic isn’t routed through a proxy and is entirely within Tor network due the direct connection between Bots and C&C, avoiding the possibility to intercept data from exit nodes that are not used for this scenario.
It’s clear that a similar approach is more complex from a Bot side, a bot needs SOCKS5 support and of course it need that Tor have to function properly to maintain the synchronization within the machines of the botnet. To presence of Tor traffic on a network may indicate the presence of a similar botnet architecture that can be so detected using network anomaly detection methods.
G Data experts declared
“In other words: Tor tends to be slow and unreliable, and inherits these flaws to underlying botnets.”
My personal opinion is that today is not so difficult to build a bot net based on Tor networks and as declared by researchers the cons of this choice are mainly related to slowness of the network. As usual the best solution is represented by a compromise, similar solution represents a valid choice to maintain hidden the command and control servers making hard the investigations for security experts and law enforcement.
The solutions presented must represent an insight into the topic in order to develop appropriate countermeasures if we were to find us before such botnets.