Botnet operators hide C&Cs in the Tor network
Posted on 12 September 2012.
Over the years, botnet owners have tried out different tactics for keeping their C&C servers online, in contact with the zombie computers, and hidden from researchers and law enforcement agencies.

The location of a centralized C&C server can be concealed by changing its domain every day, but the algorithm that generates those domains can be reverse engineered. Once the location is established, the server's takedown leaves the bots orphaned.

A peer-to-peer architecture removes that single point of failure by making every zombie a kind of C&C server, capable of issuing commands to the others. Still, this approach has problems of its own: routers that block incoming traffic, protocols that must be specially designed for each bot, and the possibility of an easy takeover of the botnet by law enforcement agencies or rival bot herders.

A third, more fitting solution has been discovered by GData Software researchers, who spotted a botnet with its C&C server hidden behind the layers of the Tor anonymity network.


The advantages are many: the server is anonymous and does not reveal the botnet owners' identity, and by the same token it can't be taken down easily.

The traffic to and from the server is encrypted by Tor, so IDS solutions can't block it. In fact, blocking Tor traffic in general is not usually done, because there are a lot of legitimate uses for it.
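Because the payload is encrypted end to end, the only thing a defender can match on is the endpoints. An added example of that endpoint-based detection, not code from the article or from GData's research: it matches outbound flow records against a relay list and summarises per-host contact. The relay addresses and flow records below are constructed placeholders from RFC 5737 documentation ranges; a real deployment would load the current Tor directory consensus instead.

```python
"""Flag internal hosts whose outbound flows reach known Tor relays.

Added example, not from the article. Assumes the relay set is populated
from the Tor directory consensus (fetched separately); everything below
is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed stand-in for the (IP, ORPort) pairs in the Tor consensus.
TOR_RELAYS = {
    ("203.0.113.10", 9001),
    ("203.0.113.11", 443),
    ("198.51.100.7", 9001),
}

# Constructed flow records: src, dst, dst port, bytes out, bytes in.
SAMPLE_FLOWS = """\
10.0.0.5,203.0.113.10,9001,4120,8900
10.0.0.5,203.0.113.11,443,3988,7310
10.0.0.5,192.0.2.50,443,1200,3400
10.0.0.9,198.51.100.7,9001,500,600
10.0.0.12,192.0.2.80,80,900,12000
"""


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int
    bytes_in: int


def parse_flows(text):
    """Parse CSV flow lines; malformed addresses raise ValueError."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport, out_b, in_b = line.split(",")
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        flows.append(Flow(src, dst, int(dport), int(out_b), int(in_b)))
    return flows


def tor_contacts(flows, relays=TOR_RELAYS):
    """Map each internal host to the (relay, port) pairs it contacted."""
    hits = defaultdict(list)
    for f in flows:
        if (f.dst, f.dport) in relays:
            hits[f.src].append((f.dst, f.dport))
    return dict(hits)


def summarize_tor_usage(flows, relays=TOR_RELAYS):
    """Per-host flow count and byte totals towards relays.

    A Tor client talks directly only to its guard (and directory caches),
    so volume and persistence per host is the useful signal, not the
    number of distinct relays seen.
    """
    summary = defaultdict(lambda: {"flows": 0, "bytes_out": 0, "bytes_in": 0})
    for f in flows:
        if (f.dst, f.dport) in relays:
            s = summary[f.src]
            s["flows"] += 1
            s["bytes_out"] += f.bytes_out
            s["bytes_in"] += f.bytes_in
    return dict(summary)


if __name__ == "__main__":
    for host, stats in summarize_tor_usage(parse_flows(SAMPLE_FLOWS)).items():
        print(host, stats)
```

Two caveats follow from the article's own point. A match only says that a host used Tor, which has many legitimate uses, so it is a triage signal rather than a verdict. And bridges and pluggable transports are deliberately absent from the public consensus, so a bot configured to use them would not appear in this summary at all.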

Finally, the bot creator does not have to create a custom protocol but, as it is in this particular case, can use the existing and reliable IRC protocol.

Unreliability and sluggishness make this approach less than ideal, but the pros definitely outweigh the cons.