Over the past year, a handful of sizeable botnets have used Tor, the Onion Router, to hide their command and control operations. This niche activity might be set to explode, as dark market sellers have increasingly started offering services to add such functionality.
“It seems that there’s an increasing tendency of Torifying existing botnets. This isn’t new but it looks like it’s getting somewhat trendy”, a contact working the forums tells me.
“Fraudsters can now purchase a service that will turn their Zeus, Citadel or SpyEye regular botnets into Torified botnets, running on the Tor network, which makes it bulletproof.”
Using Tor – which routes traffic through participating nodes, or relays, and encrypts all traffic – makes tracking bot masters considerably harder. Just as with most things on Tor, the origin, location and nature of command and control operations are concealed, and there is no way to take over or sinkhole the crooks’ associated .onion domain.
As botnet traffic is encrypted, it evades most network monitors. To make life even more difficult for law enforcement and security researchers, the Tor Hidden Services protocol allows non-public IP addresses to host command and control infrastructure behind firewalls or network address translation (NAT) devices.
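The evasion described above has a limit that defenders can use: the payload is encrypted, but a Tor client that is not using bridges still connects to relays listed in the public Tor consensus, so flow destinations can be matched against that list. The following detection sketch is an added example, not code from the article or from any of the parties it quotes; the relay addresses, flow records and the `Flow`/`tor_suspects` names are constructed for illustration.

```python
"""Flag internal hosts whose flows reach known Tor relays (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed relay list of (ip, or_port) pairs using TEST-NET addresses.
# In practice this set is rebuilt from the current Tor consensus, not hard-coded.
# Matching on (ip, port) matters: relays often listen on 443 and blend with HTTPS.
TOR_RELAYS = {
    ("198.51.100.10", 9001),
    ("198.51.100.20", 443),
    ("203.0.113.5", 9001),
    ("203.0.113.77", 8443),
}

@dataclass(frozen=True)
class Flow:
    src: str      # internal host
    dst: str      # destination address
    dport: int    # destination port
    bytes_out: int

def tor_suspects(flows, relays=TOR_RELAYS, min_relays=1):
    """Return {host: {relay_ip, ...}} for hosts that contacted >= min_relays relays.

    A Tor client keeps a small set of long-lived guard connections, so even a
    single match is worth an alert where Tor is not sanctioned.  Bridges (relays
    not in the consensus) are the blind spot of this check; treat it as one
    signal, not proof of absence.
    """
    hits = defaultdict(set)
    for f in flows:
        if (f.dst, f.dport) in relays:
            hits[f.src].add(f.dst)
    return {host: ips for host, ips in hits.items() if len(ips) >= min_relays}

# Constructed sample flows from three internal hosts.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.10", 9001, 48_000),  # guard relay on the ORPort
    Flow("10.0.0.5", "203.0.113.5", 9001, 12_000),    # second relay
    Flow("10.0.0.7", "192.0.2.50", 443, 2_000),       # ordinary HTTPS, not a relay
    Flow("10.0.0.9", "198.51.100.20", 443, 9_500),    # relay hiding on 443
    Flow("10.0.0.9", "203.0.113.77", 8443, 800),
]

if __name__ == "__main__":
    for host, ips in tor_suspects(SAMPLE_FLOWS).items():
        print(f"{host} contacted {len(ips)} Tor relay(s): {sorted(ips)}")
```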
Bitcoin Bargains
Cyber crooks are finally picking up on these manifold benefits, building up full services around Torifying malicious networks. One member of a certain underground store has been selling Tor botnets with a 25 per cent discount for the first five customers. “Ever dreamed of running your own botnet that can’t get taken down? I have the solution! I can provide and Torify a wide range of botnets”, the seller claimed.
Two services were on offer. The first was the full package: choose from a selection of botnets, including Zeus, SpyEye and Citadel, and the buyer gets the bulletproof control panel and the .onion domain with login details to access it. A Tor Hidden Service Key lets the user easily switch hosting to another node as and when they please.
For those early birds, the cost is 2.25 Bitcoins per month. For anyone coming in later, it’s 3 BTC. At the time of writing, the value of one Bitcoin, according to the Mt. Gox exchange, was hovering around the $180 mark, making the pre-packaged offering worth around $540. That’s fairly cheap by underground standards, where the Blackhole exploit kit still goes for $10,000 a month, despite the arrest of alleged creator Paunch.
The seller is also offering to add Tor functionality to any HTTP-based botnet (IRC botnets are on the way, the dealer promises), for the low cost of 2 Bitcoin ($360). This offer is aimed at the more technical crooks; the other is for anyone wanting to make some easy money and cover their tracks without having to expend much effort.
“Due to its design and internal mechanics, Tor makes it a perfect protocol for solid botnet infrastructure. By abusing Tor services, botnet operators can - easily and at no cost at all - create much stronger infrastructure”, says Dell SecureWorks Counter Threat Unit senior security researcher Pallav Khandhar.
Right now, there are two sizeable botnets heavily using Tor: Skynet and Mevade. The latter was first seen downloading a Tor module in the last week of August, subsequently causing a massive spike in the number of Tor users as the tens of thousands of bots started speaking to their masters. Some had speculated the growth came as a result of greater activist use of Tor, following the leaks of NSA whistleblower Edward Snowden, but Mevade was to blame, as it sought to expand its click fraud, ransomware and rogue anti-virus operations.
Expect More Bots in Your Network
Skynet uses Tor to connect to its backend infrastructure, whilst setting up a Tor Hidden Service on each infected system, just to make detection that bit trickier. To make its owners money, it carries out Bitcoin mining with the CGMiner tool, whilst a Zeus component harvests banking logins.
As dark web operators up their Tor-based botnet offerings, offering support for more malware types, expect hundreds of thousands more bots to connect into the network. That’s going to make the lives of security researchers, law enforcement and those managing the Onion Router considerably more difficult.
This all raises the question: what are the Tor Project’s operators doing about it? “C&C over hidden services have been around for a few years. What's new is the sheer scale of this single botnet using them”, a spokesperson says, pointing to a recent update from the team on how to cope with the rise of Tor botnets.
Tor Project participants aren’t keen to determine how to get rid of C&C hubs. Their main concern, perhaps rightly, is the maintenance of the network. They would rather leave the botnet cleaning up to security teams. They don’t even think there is much value in Torifying malicious networks anyway.
“If you have a multi-million node botnet, it’s silly to try to hide it behind the 4,000-relay Tor network. These people should be using the botnet as a peer-to-peer anonymity system for itself”, Tor Project leader ‘Arma’ wrote in a blog post from September.
“So I interpret this incident as continued exploration by botnet developers to try to figure out what resources, services and topologies integrate well for protecting botnet communications. Another facet of solving this problem long-term is helping them to understand that Tor isn’t a great answer to their problem.”
It appears cyber criminals aren’t convinced of Arma’s argument just yet, though. Looking at recent activity on the underground forums, the opposite would appear to be true.