The Tor network may provide a lead-lined cover for Internet users seeking a measure of privacy online, but it also has proven to be an attractive shelter for attackers.
A number of malware campaigns have been able to successfully maneuver on Tor, using the anonymity network as a communication infrastructure that hides stolen data and malicious instructions as they’re sent between bots and the command and control server.
However, the fact that we’re hearing more about these campaigns running on Tor also means they’re being found out.
The latest to be exposed has been nicknamed Chewbacca by researchers at Kaspersky Lab’s Global Research and Analysis Team. Chewbacca finds running processes on compromised computers, reads process memory, drops a keylogger and is able to move that information off of infected machines.
Marco Preuss, director of the Kaspersky research team in Europe, said this malware is not available in public underground forums, unlike others such as Zeus; Kaspersky researchers recently found a 64-bit version of the infamous banking malware that uses Tor as a communication highway.
“Maybe this is in development or the malware is just privately used or shared,” Preuss wrote on the Securelist blog. “It seems that Tor is attracting some criminals to host their infrastructure, as it promises more ‘security’ for C&Cs – but this holds drawbacks.”
Because traffic to a Tor hidden service is encrypted and relayed through several hops, operators must contend with added complexity and latency on the network. Running a botnet on Tor also raises the risk of being found out: a sudden influx of bot traffic can slow the network and alert watchers that something is amiss.
This is exactly what brought down the Mevade botnet. Researchers speculate the Mevade gang moved the botnet to Tor to hamper takedown attempts by law enforcement, but all they did was spike Tor traffic literally overnight, alerting Tor handlers to the illicit activity.
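The kind of overnight jump that exposed Mevade is easy to spot on a daily count series with a robust baseline. The following is an added example, not code from the article, Kaspersky or the Tor Project; the daily "connecting users" numbers are constructed, and the window and threshold are assumed values. It uses the median and median absolute deviation (MAD) of the trailing window rather than mean and standard deviation, so the first day of the spike does not inflate the baseline and hide the days that follow.

```python
"""Added example (not from the article, Kaspersky or the Tor Project):
flag an overnight jump in a daily count series, the way a botnet
migrating onto Tor shows up in relay or user metrics."""
from statistics import median

# Constructed daily "connecting users" counts (assumed shape, not real
# Tor metrics): a flat baseline, then a jump on day 10 that keeps growing.
SAMPLE_DAILY_USERS = [
    1_000_000, 1_010_000, 995_000, 1_005_000, 1_002_000,
    998_000, 1_003_000, 1_001_000, 999_000, 1_004_000,
    2_400_000, 3_100_000, 3_900_000, 4_200_000,
]


def robust_spikes(series, window=7, threshold=5.0):
    """Return the indices whose value exceeds median + threshold * MAD of
    the preceding `window` points. MAD is used instead of the standard
    deviation so that an earlier spike inside the window does not widen
    the band enough to mask the days after it."""
    flagged = []
    for i in range(window, len(series)):
        base = series[i - window:i]
        med = median(base)
        mad = median([abs(x - med) for x in base]) or 1.0  # guard a zero MAD
        if series[i] > med + threshold * mad:
            flagged.append(i)
    return flagged


def first_spike_day(series, window=7, threshold=5.0):
    """Index of the first flagged day, or None if nothing was flagged."""
    hits = robust_spikes(series, window, threshold)
    return hits[0] if hits else None


if __name__ == "__main__":
    print("spike days:", robust_spikes(SAMPLE_DAILY_USERS))  # [10, 11, 12, 13]
```

With the constructed series, days 10 through 13 are flagged and the baseline stays at roughly one million even after the spike begins, which is the property that matters when the anomaly persists rather than reverting.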
Kaspersky researchers did not reveal how they discovered Chewbacca, nor the extent to which it has spread. The malware is a PE32 executable compiled with Free Pascal 2.7.1; its 5 MB file includes the Tor executable. Once executed, the malware drops a copy of itself as spoolsv.exe into the victim machine’s startup folder. It then launches its keylogger and stores all keystrokes in a log file created by the malware, Preuss said.
It then relies on two PHP scripts to extract information from the infected computer and send it to the attacker, although as of now only one of them is functioning.
Preuss said that the command and control server is also hosted on a Tor .onion domain. The front end of the server is a log-in interface overlaying an image of Chewbacca from Star Wars. Kaspersky detects the Chewbacca Trojan as Trojan.Win32.Fsysna.fej.
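The traits above (a PE32 image, a Free Pascal compiler stamp, a bundled Tor binary, a .onion C&C host, and a spoolsv.exe dropped in a Startup folder rather than System32) are enough for a first-pass triage of a suspected sample. The following is an added example, not code from the article or from Kaspersky; the Free Pascal and Tor banner patterns are assumptions about what those binaries typically embed, the 16-character onion address format is the one in use at the time, and the sample image is constructed in the block rather than taken from any real malware.

```python
"""Added example (not from the article or Kaspersky): triage a suspected
sample against the traits attributed to Chewbacca. Banner patterns are
assumed, and the sample PE image is constructed here, not real malware."""
import re
import struct

# Assumed markers: Free Pascal embeds a banner such as "FPC 2.7.1 [date] for
# i386 - Win32"; Tor binaries embed "Tor v0.x.y.z"; v2 onion addresses are 16
# base32 characters followed by ".onion".
FPC_BANNER = re.compile(rb"FPC (\d+\.\d+\.\d+)")
TOR_BANNER = re.compile(rb"Tor v(\d+\.\d+\.\d+(?:\.\d+)?)")
ONION_RE = re.compile(rb"\b[a-z2-7]{16}\.onion\b")
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
IMAGE_FILE_MACHINE_I386 = 0x14C


def is_pe32(data):
    """True if the DOS header points at a PE header whose Machine field is i386."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if pe_off + 6 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return False
    return struct.unpack_from("<H", data, pe_off + 4)[0] == IMAGE_FILE_MACHINE_I386


def triage(path, data):
    """Return the indicators found in a file at `path` with contents `data`."""
    hits = {"pe32": is_pe32(data)}
    m = FPC_BANNER.search(data)
    hits["fpc_version"] = m.group(1).decode() if m else None
    m = TOR_BANNER.search(data)
    hits["bundled_tor"] = m.group(1).decode() if m else None
    hits["onion_hosts"] = sorted({h.decode() for h in ONION_RE.findall(data)})
    # A spoolsv.exe belongs in System32; one sitting in a Startup folder does not.
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    hits["spoolsv_in_startup"] = name == "spoolsv.exe" and bool(STARTUP_RE.search(path))
    return hits


def score(hits):
    """Number of the five traits that matched."""
    return sum([hits["pe32"], hits["fpc_version"] is not None,
                hits["bundled_tor"] is not None, bool(hits["onion_hosts"]),
                hits["spoolsv_in_startup"]])


def build_sample():
    """Construct a minimal fake PE32 image carrying the markers (not real malware)."""
    pe_off = 0x80
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2))
    hdr += struct.pack("<I", pe_off)          # e_lfanew -> PE header offset
    hdr += b"\0" * (pe_off - len(hdr))
    hdr += b"PE\0\0" + struct.pack("<H", IMAGE_FILE_MACHINE_I386) + b"\0" * 18
    body = (b"FPC 2.7.1 [2013/08/13] for i386 - Win32\0"
            b"Tor v0.2.3.25\0"
            b"http://abcdefghijklmnop.onion/placeholder.php\0")  # constructed C&C URL
    return bytes(hdr) + body


if __name__ == "__main__":
    dropped = (r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\spoolsv.exe")
    result = triage(dropped, build_sample())
    print(result, "score:", score(result))
```

The path check is deliberately separate from the content checks: a legitimate spoolsv.exe in System32 scores zero on that trait even though its name matches, while a file in the Startup folder with the same name is suspicious before a single byte is read.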
It’s likely there are additional malware campaigns operating on Tor; recent research has uncovered not only the 64-bit version of Zeus and Mevade, but also a Tor-based crimeware kit known as Atrax that steals data from browsers and can also launch denial-of-service attacks and carry out Bitcoin mining.
Tor isn’t the only option for attackers. Russian criminals were using a different darknet called I2P, or the Invisible Internet Project, as a communication protocol for the i2Ninja financial malware. I2Ninja is similar to other banking Trojans in that it has HTTP injection capabilities, email, FTP and form grabbers, but it also promotes 24/7 support for a price.