Thus spake andrew@xxxxxxxxxxxxx (andrew@xxxxxxxxxxxxx):

> On Sat, Dec 08, 2012 at 05:50:53PM +0100, claudio@xxxxxxxxxxxxxxxx wrote 0.8K bytes in 23 lines about:
> : - What can be done to stop botnets abusing Tor for concealing its
> : infrastructure?
>
> First off, remember hidden services are just an addressing and routing
> scheme. They don't actually provide any service at the host. As we've
> seen with the Dutch National Police and the Anonymous attacks on hidden
> services, they focused on the software behind the hidden service
> address. From reading your post, it seems this botnet is just using
> hidden services for command and control. Since you can't find the c&c
> host, you have to attack the c&c itself or the application running at
> the hidden service (likely some IRC software of some kind).
>
> I'd be interested if gnunet or i2p have seen similar usage by
> botnets. Sure, it gets lots of press when someone mentions "Tor", but
> at the same time, I can't imagine the entire botnet herder community
> jumping into one solution to rule them all.

Indeed. A little over a year ago, I came across this article:

https://www.computerworld.com/s/article/9218034/Massive_botnet_indestructible_say_researchers

It describes a 4.5 million host botnet that uses a side channel inside the
BitTorrent DHT (Kademlia) as a communication channel for C&C.

Incidentally, we've pondered using similar side channels ourselves either
for bridge discovery or even as a full-fledged pluggable transport. It's
low bandwidth, but there's a *lot* of noise to hide in.
There have also been academic analyses of similar (but much smaller)
DHT-based botnets as early as 2007/2008:

http://static.usenix.org/event/hotbots07/tech/full_papers/grizzard/grizzard_html/
http://www.sba-research.org/wp-content/uploads/publications/Starnberger_Overbotbotnet_2008.pdf

In comparison to using covert channels in a pre-existing public DHT, using
vanilla tor + a hidden service is awfully centralized for C&C
communications, and with a comparatively not very large userbase to hide
in. Tor does have the advantage of being much easier to deploy, though.

If I had to guess, this means they probably don't have much of a crimeware
dev budget as compared to much larger, more sophisticated operations. This
would also be consistent with it just being a one-man operation run by the
IAmA poster on reddit.

-- 
Mike Perry
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk