
Re: [tor-talk] Botnets through Tor
Thus spake andrew@xxxxxxxxxxxxx (andrew@xxxxxxxxxxxxx):

> On Sat, Dec 08, 2012 at 05:50:53PM +0100, claudio@xxxxxxxxxxxxxxxx wrote 0.8K bytes in 23 lines about:
> : - What can be done to stop botnets abusing Tor for concealing its
> : infrastructure?
> 
> First off, remember hidden services are just an addressing and routing
> scheme. They don't actually provide any service at the host. As we've
> seen with the Dutch National Police and the Anonymous attacks on hidden
> services, they focused on the software behind the hidden service
> address. From reading your post, it seems this botnet is just using
> hidden services for command and control. Since you can't find the c&c
> host, you have to attack the c&c itself or the application running at
> the hidden service (likely some IRC software of some kind).
> 
> I'd be interested if gnunet or i2p have seen similar usage by
> botnets. Sure, it gets lots of press when someone mentions "Tor", but
> at the same time, I can't imagine the entire botnet herder community
> jumping into one solution to rule them all.

Indeed. A little over a year ago, I came across this article:
https://www.computerworld.com/s/article/9218034/Massive_botnet_indestructible_say_researchers

It describes a 4.5 million host botnet that uses a side channel inside
the Bittorrent DHT (Kademlia) as a communication channel for C&C.
Incidentally, we've pondered using similar side channels ourselves
either for bridge discovery or even as a full-fledged pluggable
transport. It's low bandwidth, but there's a *lot* of noise to hide in.

There have also been academic analyses of similar (but much smaller)
DHT-based botnets as early as 2007/2008:
http://static.usenix.org/event/hotbots07/tech/full_papers/grizzard/grizzard_html/
http://www.sba-research.org/wp-content/uploads/publications/Starnberger_Overbotbotnet_2008.pdf

In comparison to using covert channels in a pre-existing public DHT,
using vanilla tor + a hidden service is awfully centralized for C&C
communications, and with a comparatively not very large userbase to hide
in.

Tor does have the advantage of being much easier to deploy, though. If I
had to guess, this means they probably don't have much of a crimeware
dev budget as compared to much larger, more sophisticated operations.
This would also be consistent with it just being a one-man operation run
by the IAmA poster on reddit.


-- 
Mike Perry
