Botnet operators hide C&Cs in the Tor network
Posted on 12 September 2012.
Over the years, botnet owners have tried out different tactics for keeping their C&C servers online, in contact with the zombie computers, and hidden from researchers and law enforcement agencies.

The location of a centralized C&C server can be concealed by having the bots compute a fresh rendezvous domain every day, but the domain generation algorithm that does this ships inside the bot binary and can be reverse engineered, after which defenders can precompute the upcoming domains and register or sinkhole them. Once the server's location is established and the server is taken down, the bots are left orphaned.
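To make the reverse-engineering point concrete, here is an added example (not code from the article, nor the algorithm of any botnet it describes) of a hypothetical date-seeded domain generation algorithm together with the defender's side of it: once the seed and the algorithm have been recovered from the bot binary, the same function yields the domains the bots will contact on any future day, so they can be registered or sinkholed ahead of time and matched against DNS logs. The seed, label length, per-day count and TLD list are all invented for illustration.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical parameters "recovered" from a bot binary; all constructed for
# this example and not taken from any real malware.
SEED = b"hypothetical-botnet-seed"
TLDS = ("com", "net", "org")
LABEL_LENGTH = 12
DOMAINS_PER_DAY = 5


def dga_domains(day, count=DOMAINS_PER_DAY, seed=SEED):
    """Return the rendezvous domains a bot would try on `day`.

    The only inputs are the date, a fixed seed and a counter, so the output is
    fully deterministic: anyone holding the seed and this function can compute
    the list for any date, past or future.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # Map hash bytes onto lowercase letters to form the domain label.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LENGTH])
        tld = TLDS[digest[LABEL_LENGTH] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def sinkhole_schedule(start, days):
    """Defender's view: precompute every domain for the next `days` days.

    Returns {iso_date: [domains]} so the names can be registered or handed to
    a sinkhole operator before the bots start querying them.
    """
    return {
        (start + timedelta(days=n)).isoformat(): dga_domains(start + timedelta(days=n))
        for n in range(days)
    }


def is_dga_domain(domain, day, window=1):
    """Defender's view: does `domain` match the DGA output for `day` +/- `window` days?

    Useful for matching DNS query logs against the algorithm; neighbouring days
    are checked too because bots' clocks are rarely exact.
    """
    for offset in range(-window, window + 1):
        if domain in dga_domains(day + timedelta(days=offset)):
            return True
    return False


if __name__ == "__main__":
    for day, names in sinkhole_schedule(date(2012, 9, 12), 3).items():
        print(day, names)
```

Real DGAs vary in how they derive the seed (hard-coded constants, the current date, sometimes an external value such as a trending search term), but the defender's workflow is the same: recover the generator, run it forward, and take the domains away from the operator before they are needed.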

A peer-to-peer architecture removes that single point of failure by making every zombie a kind of C&C node, able to relay commands to its peers. Still, this approach has problems of its own: NAT devices and firewalls block the inbound connections peers need to reach each other, the bot needs a purpose-built protocol, and a network in which any peer can pass on commands is easier for law enforcement agencies or rival bot herders to take over by injecting commands of their own.

A third approach that sidesteps both sets of problems has now been observed in the wild by GData Software researchers, who spotted a botnet whose C&C server runs as a Tor hidden service, reachable only through the anonymity network's layers of relays.

The advantages for the operator are many: the server's real IP address is never exposed to the bots or to anyone watching them, so it does not point to the botnet owners' identity, and by the same token the server cannot easily be located and taken down.

Traffic to and from the server is encrypted inside Tor, so signature-based IDS solutions see only an opaque stream to a Tor relay and cannot match on the C&C commands carried in it. The fact that a host is talking to Tor at all remains visible, but blocking Tor traffic outright is rarely done, because the network has many legitimate uses.
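Because the payload is opaque, detection has to work on connection metadata instead. The following added example (not from the article or from GData's research) runs a simple check over a constructed, Zeek conn.log-style connection log: it flags internal hosts that connect to an IP in a Tor relay list, or that hold a long-lived session on a default Tor ORPort/DirPort to a host that is not on the list. The relay IPs, log lines, port list and duration threshold are constructed stand-ins; a real deployment would load the relay set from the Tor directory consensus, which is assumed here rather than shown.

```python
import csv
import io
from collections import defaultdict

# Constructed stand-in for a Tor relay list (documentation-range addresses).
# A real deployment would populate this from the Tor directory consensus.
TOR_RELAY_IPS = {"198.51.100.7", "203.0.113.42", "192.0.2.99"}

# Default Tor ORPort/DirPort values. A connection to an unlisted host on one of
# these ports is weaker evidence, so it is only reported when long-lived.
TOR_DEFAULT_PORTS = {9001, 9030}
LONG_LIVED_SECONDS = 600

# Constructed connection log (Zeek conn.log-style columns) for the demo.
SAMPLE_LOG = """\
ts\tsrc\tdst\tdport\tduration\tbytes_out
1347436800\t10.0.0.5\t198.51.100.7\t443\t5400\t183000
1347436805\t10.0.0.5\t93.184.216.34\t443\t3\t1200
1347436900\t10.0.0.8\t203.0.113.42\t9001\t7200\t245000
1347437000\t10.0.0.9\t93.184.216.34\t80\t2\t800
1347437100\t10.0.0.9\t198.18.0.1\t9030\t30\t500
1347437200\t10.0.0.11\t198.18.0.2\t9001\t4000\t99000
"""


def flag_tor_connections(log_text, relay_ips=TOR_RELAY_IPS):
    """Return {src_host: [reasons]} for hosts whose connections look like Tor use.

    Two signals, strongest first:
      1. destination IP is a known Tor relay (the client's entry guard);
      2. long-lived session on a default Tor port to an unlisted host
         (possible unlisted relay or bridge; weaker, so duration-gated).
    """
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text), delimiter="\t"):
        src, dst = row["src"], row["dst"]
        dport, duration = int(row["dport"]), float(row["duration"])
        if dst in relay_ips:
            findings[src].append(
                f"known Tor relay {dst}:{dport}, {duration:.0f}s session"
            )
        elif dport in TOR_DEFAULT_PORTS and duration >= LONG_LIVED_SECONDS:
            findings[src].append(
                f"long-lived session on Tor port {dport} to unlisted {dst}"
            )
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in flag_tor_connections(SAMPLE_LOG).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

This catches clients of the standard Tor network, whose entry guards are published in the consensus; it does not catch a bot configured to use an unlisted bridge or a pluggable transport, and the short port-9030 connection in the sample is deliberately not reported on its own to keep false positives down. On a corporate network, any host that shows up here and is not a known Tor user is worth a closer look regardless of what the payload contains.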

Finally, the bot author does not have to design a custom protocol: in this particular case the bots simply speak the existing, well-tested IRC protocol to the hidden service.

The latency and occasional unreliability of Tor hidden services make the approach less than ideal, but from the operator's point of view the pros clearly outweigh the cons.
