Researchers at Kaspersky have discovered that the new malware makes use of the Tor overlay network for anonymity. In some ways Tor is perfect for this kind of thing since it uses its own top-level domain, which protects the location of a server as well as the identity of the owner in most cases. Once running, the trojan logs all keystrokes by the user, according to Marco Preuss, a Kasperky lab researcher.
Chewie hasn’t yet been spotted in the wild. “Chewbacca is currently not offered in public (underground) forums, unlike other toolkits such as Zeus,” said Preuss in a blog. “Maybe this is in development, or the malware is just privately used or shared.”
But, the sample is an example of how criminals are slowly adopting Tor to host their malicious infrastructure. Tor capability was added to a 64-bit version of Zeus recently, and both the crimeware kit Atrax and the botnet-based Mevade became known because of that functionality.
Earlier this year, Tor was found to be hosting a massive botnet that became responsible for doubling Tor usage levels nearly overnight. And, a botnets-as-a-service using Tor is publically available.
But while Tor is attracting more criminals to host their infrastructure, as it promises more security for command and control, it could be that such variants will be few and far between. “There are drawbacks preventing many criminals from hosting their servers within Tor,” Preuss explained. “Due to the overlay and structure, Tor is slower and timeouts are possible. Massive botnet activity may influence the whole network…and therefore let researchers spot them mpre easily. Also, implementing Tor adds more complexity.”