Botnet operators hide C&Cs in the Tor network

Over the years, botnet owners have tried out different tactics for keeping their C&C servers online, in contact with the zombie computers, and hidden from researchers and law enforcement agencies.

The location of a centralized C&C server could be concealed by everyday domain-changing, but the algorithm that does that can be reverse engineered. Once the location is established, the server’s takedown leaves the bots orphaned.

A Peer-to-Peer architecture can solve the aforementioned problem of the single point of failure by making every zombie a kind of C&C server and capable of issuing commands to others. Still, the problems with this approach are many: routers blocking incoming traffic, protocols that must be especially designed for respective bots, and the possibility of an easy takeover of the botnet by law enforcement agencies or other bot herders.

A third, more fitting solution has been discovered by GData Software researchers, who spotted a botnet with its C&C server hidden behind the layers of the Tor anonymity network.

The advantages are many – the server is anonymous and can’t point to the botnet owners’ identity, and by the same token, can’t be taken down easily.

The traffic to and from the server is encrypted by Tor, so IDS solutions can’t block it. In fact, blocking Tor traffic in general is not usually done, because there are a lot of legitimate uses for it.

Finally, the bot creator does not have to create a custom protocol but, as it is in this particular case, can use the existing and reliable IRC protocol.

Unreliability and sluggishness are what makes this approach less than ideal, but the pros definitely outweigh the cons.