
Re: [tor-talk] Botnets through Tor



On 12/9/12 4:47 AM, andrew@xxxxxxxxxxxxx wrote:
> On Sat, Dec 08, 2012 at 05:50:53PM +0100, claudio@xxxxxxxxxxxxxxxx wrote 0.8K bytes in 23 lines about:
> : - What can be done to stop botnets abusing Tor for concealing their
> : infrastructure?
> 
> First off, remember hidden services are just an addressing and routing
> scheme. They don't actually provide any service at the host. As we've
> seen with the Dutch National Police and the Anonymous attacks on hidden
> services, they focused on the software behind the hidden service
> address. From reading your post, it seems this botnet is just using
> hidden services for command and control. Since you can't find the c&c
> host, you have to attack the c&c itself or the application running at
> the hidden service (likely some IRC software of some kind).
> 
> : - What kind of impact would a large adoption by malware writers of Tor
> : and Hidden Services have on the Tor network and its usability? Is it a
> : serious threat to the project?
> 
> The constant churn of hidden service circuits would slow down hidden
> services for all. One of the iterations of "torchat" created a unique
> hidden service "identity" per contact. This meant a single user with 50
> contacts had 51 hidden services on their machine.
> 
> : - Is there something the security community and botnet researchers can
> : do to help out?
> 
> Help figure out the scope of the problem. It's entirely plausible that
> this one botnet is an experiment to see if hidden services are reliable
> and performant enough to handle a c&c service. One is not a trend,
> it's a unicorn (even a brony unicorn).
> 
> I'd be interested if gnunet or i2p have seen similar usage by
> botnets. Sure, it gets lots of press when someone mentions "Tor", but
> at the same time, I can't imagine the entire botnet herder community
> jumping into one solution to rule them all.
> 
> Overall, I think you'll see more of these types of c&c servers
> hosted in decentralized tools and networks. As botnets
> are taken down and squeezed out of the naked IPv4/IPv6
> address space, the output is plausibly decentralized or
> p2p networks. I said this as much to Interpol in September, see
> https://svn.torproject.org/svn/projects/presentations/2012-09-04-Interpol-Keynote.pdf
> or the source with comments at
> https://svn.torproject.org/svn/projects/presentations/2012-09-04-Interpol-Keynote.odp.

p2p has some major flaws that make p2p botnets inherently unsafe and
exposed. All p2p botnets we have observed so far have been dismantled, and the
existing ones are being poisoned. It hasn't been a successful approach so
far at all.

C.
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk