[tor-talk] Botnets through Tor

andrew at torproject.is
Sun Dec 9 03:47:04 UTC 2012


On Sat, Dec 08, 2012 at 05:50:53PM +0100, claudio at shadowserver.org wrote 0.8K bytes in 23 lines about:
: - What can be done to stop botnets abusing Tor for concealing its
: infrastructure?

First off, remember hidden services are just an addressing and routing
scheme. They don't actually provide any service at the host. As we've
seen with the Dutch National Police and the Anonymous attacks on hidden
services, they focused on the software behind the hidden service
address. From reading your post, it seems this botnet is just using
hidden services for command and control. Since you can't find the c&c
host, you have to attack the c&c itself or the application running at
the hidden service (likely some IRC software of some kind).

: - What kind of impact would a large adoption by malware writers of Tor
: and Hidden Services have on the Tor network and its usability? Is it a
: serious threat to the project?

The constant churn of hidden service circuits would slow down hidden
services for all. One of the iterations of "torchat" created a unique
hidden service "identity" per contact. This meant a single user with 50
contacts had 51 hidden services on their machine.

: - Is there something the security community and botnet researchers can
: do to help out?

Help figure out the scope of the problem. It's entirely plausible that
this one botnet is an experiment to see if hidden services are reliable
and performant enough to handle a c&c service. One is not a trend,
it's a unicorn (even a brony unicorn).

I'd be interested if gnunet or i2p have seen similar usage by
botnets. Sure, it gets lots of press when someone mentions "Tor", but
at the same time, I can't imagine the entire botnet herder community
jumping into one solution to rule them all.

Overall, I think you'll see more of these types of c&c servers
hosted in decentralized tools and networks. As botnets
are taken down and squeezed out of the naked IPv4/IPv6
address space, the output is plausibly decentralized or
p2p networks. I said this as much to Interpol in September, see
https://svn.torproject.org/svn/projects/presentations/2012-09-04-Interpol-Keynote.pdf
or the source with comments at
https://svn.torproject.org/svn/projects/presentations/2012-09-04-Interpol-Keynote.odp.

-- 
Andrew
http://tpo.is/contact
pgp 0x6B4D6475
