The Mevade botnet made news when it was found to be using the Tor anonymity network to communicate with its command and control infrastructure. Running C&C on Tor, however, turned out to be a fatal mistake when Tor usage spiked alerting administrators to the unusual activity.

A group of Russian criminals apparently were paying attention to what happened to Mevade and are using a different darknet called I2P, or Invisible Internet Project, as a communication protocol for new financial malware called i2Ninja.

Researchers at Trusteer monitoring a Russian malware forum spotted i2Ninja, which seems to be run-of-the-mill financial malware that includes HTTP injection capabilities, email , FTP and form grabbers. The twist on this one is that it uses I2P to send stolen credentials back to the attackers, and it promotes 24/7 support as a differentiator.

“It offers to whoever buys the malware, in the command and control itself, a direct line of sight with the authors and the support team,” said Etay Maor, fraud prevention solutions manager at Trusteer.” In the control panel, they offer 24/7 support implemented through the I2P protocol. “

Providing support through the command and control panel is new as well; generally support is arranged through an underground forum or support site.

“I2P is similar to Tor in that it’s a darknet, but it’s actually considered more secure by criminals,” Maor said. “This is the first time I’ve seen malware operating over I2P and the first time I’ve seen it offering 24/7 support from the C&C. This means they have a lot of confidence in the security of the protocol.”

It’s unknown whether the support is automated through C&C or whether there is a live person communicating with an attacker. Other malware such as Citadel and the Neosploit Exploit Pack have marketed support; Neosploit even offered tiered support.

“[Support] is super important. I remember when the Zeus source code was leaked and people started developing their own malware, the chats in the different underground forums was about who they were going to get support from,” Maor said. “The people who buy this malware may be looking to make money, but they may not be super technical like they used to be in the past. Six or seven years ago, the people who wrote the code were the people who were operating the malware. It’s not the case today. Today you have a buyer’s market and a seller’s market. When you buy a product today you expect support to come with it and if you have questions, you expect someone to talk to.”

As for the I2P darknet, much like Tor, it’s favored by individuals who prefer or require anonymity online. Individuals in oppressed regions, journalists, activists and even health care and legal professionals who require private, secure communications with clients use services such as Tor to get the job done. These networks, however, also attract criminals such as the Mevade botmasters and the Silk Road gang who also operated over Tor until the FBI took down the underground drug market in early October.

I2P, meanwhile, operates unlike Tor in that it’s a peer-to-peer protocol, and computers on the network communicate via the proxy client between themselves using encrypted messages.

“It’s not like [Tor] where you’re browsing the Internet safely; this is a true darknet, a network you cannot reach,” Maor said. “You cannot Google it. You cannot find it. It’s its own protocol laying on top of HTTP.”

The use of I2P also serves to keep the malware fairly safe from law enforcement and rival gangs, Maor said. Governments interested in surveillance have had limited success, for example, in breaking Tor and watching users’ communication over that network through the spy agency’s FoxAcid program and Quantam servers.

“From what I gather from different forums I participate in, I2P is considered even more secure than Tor,” Maor said. “I2P is still considered a true darknet, something that’s not currently compromised, or no one knows if it’s been compromised. That’s a good enough reason for them to use this.”

Categories: Malware