TOR-based botnets on the rise
Posted on 25.07.2013
Keeping their botnet's C&C servers online is crucial for bot herders, so that they can keep taking advantage of the computers they have zombified. But given that cyber security firms and law enforcement agencies have ramped up their takedown efforts in the last couple of years, cyber crooks are looking for ways to thwart them.

The most popular of these ways is to decentralize the communication infrastructure, making it peer-to-peer. But another option is to hide the C&C in the TOR network.

TOR is a favorite with online criminals because it hides both their own real location and that of the botnet's C&C from researchers, and a successful example of this approach has already been discovered.

Other bot masters have obviously become intrigued with the idea, as ESET researchers have recently unearthed and have been analyzing two distinct TOR-based botnets.

To create the first one, the bot master used an old form-grabber Trojan that has only recently acquired the capability of using the TOR hidden service protocol to communicate with its C&C panel and servers inside the TOR network.

The other one is a little more interesting, as it has been created very recently - earlier this month, to be exact.

The Atrax Trojan serves as a backdoor, steals information, is able to download additional files, malware and plugins, as well as to set up a TOR client on the target machine.

"When the first connection is made with the C&C, Atrax.A sends collected information about the infected system to an address inside the TOR network," the researchers explain. "It isn't possible to ascertain the original C&C IP address or domain with a TOR enabled connection but it is possible to use the address generated in the TOR network for analysis."

And so they did: they discovered a login panel for the C&C, and used its logo to name the malware.



"Win32/Atrax.A is an interesting example of a TOR-based botnet with AES encryption for additional plugins and a unique encryption key dependent on hardware parameters of the infected machine for its generation," they pointed out, and added that they continue to track its activity.

They also expect to see more TOR-based botnets in the future, as they have lately observed a growth in the numbers of malware families starting to use TOR-based communications.

COPYRIGHT 1998-2014 BY HELP NET SECURITY.