Shedding New Light on Tor-Based Malware


Researchers at Kaspersky Lab and Microsoft have shared new insight into how malware campaigns operate over the Tor anonymity network, as well as other darknets.

Alarm bells went off last August when spikes in Tor client downloads were traced to a large click-fraud and Bitcoin-mining botnet called Sefnit.

The malware used the popular anonymity network to communicate with its operators, transmitting stolen data and receiving additional commands. In Sefnit’s case, the 600 percent increase in Tor usage it kicked off was also its downfall: Tor administrators noticed the performance problems it caused, and steps were taken to strangle its activity.

Hackers’ use of Tor and other darknet services is nothing new, but incidents such as the Sefnit takedown that followed, and the disruption of the Silk Road drug and malware underground market that also operated over Tor, have shed more light on the practice.

For example, researchers at Kaspersky Lab have published research uncovering three different campaigns that use Tor as hosting infrastructure for criminal malware activities: a 64-bit version of the Zeus Trojan that sends traffic through Tor and creates Tor hidden services to obscure the hackers’ location; Chewbacca, a Trojan that steals data from memory in the manner of a RAM scraper and communicates over Tor; and, most recently, an Android Trojan that uses a .onion domain as its command and control infrastructure.

Sergey Lozhkin, a senior researcher with Kaspersky Lab, said his work investigating criminals’ use of darknets turned up 900 Tor hidden services and 5,500 nodes.

“The possibility of creating an anonymous and abuse-free underground forum, market or malware C&C server is attracting more and more criminals to the Tor network,” Lozhkin said. “Hosting C&C servers in Tor makes them harder to identify, blacklist or eliminate.”

Lozhkin said Tor underground markets aren’t set up much differently than legitimate ecommerce sites: most include some sort of registration process, offer buyers ratings on traders, and present familiar interfaces through which purchases are made. Criminals are selling money laundering services, credit cards, skimmers, carding equipment and more, and most of it is sold for Bitcoin.

Yesterday, Microsoft published new details on Sefnit’s Tor components and configuration data, the domains it was in contact with and how it communicates over Tor.

After the August spike in Tor traffic alerted experts, Microsoft took steps to stop the botnet. Those steps culminated on Oct. 27, when it modified the signatures sent through its update services so that they removed the outdated Tor client service installed by the malware. The Tor client service had a specific configuration that Microsoft identified, and despite some concerns that Microsoft was overstepping by possibly snaring some copies of Tor legitimately installed by users, the cleanup moved forward and Sefnit numbers dwindled.

The version installed with Sefnit was v0.2.3.25 and it did not automatically update, Microsoft said, leaving users exposed to a number of exploitable vulnerabilities. The Tor client was added as a Windows service on every computer infected by Sefnit and was configured to accept connections on ports 9050 and 9051: 9051 was the control port, which Sefnit used to obtain status information about its connection to Tor, while 9050 was the malware’s SOCKS proxy. Any application configured to use that proxy, Microsoft said, could communicate over Tor. Sefnit used this port to contact its command servers and bypass intrusion detection systems, and it used Tor hidden services to obscure the servers’ locations.
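The mechanics behind “any application configured to use that proxy can communicate over Tor” are just the SOCKS5 protocol. The following is an added example, not code from Microsoft’s analysis or from Sefnit, showing the exchange a client performs against the local SOCKS port: a method negotiation, then a CONNECT request that carries the destination hostname inside the request so that the Tor client, not the local resolver, resolves it. That is what makes .onion names reachable and keeps them out of local DNS logs. The host and port assumed below are Tor’s defaults (127.0.0.1:9050, the same port the article describes); the hostname in the example is a placeholder.

```python
import socket
import struct
from typing import Tuple

# Default Tor SOCKSPort; the port the article says the Sefnit-installed
# service listened on.
TOR_SOCKS_HOST, TOR_SOCKS_PORT = "127.0.0.1", 9050


def socks5_greeting() -> bytes:
    # VER=5, NMETHODS=1, METHOD=0x00 (no authentication).
    return b"\x05\x01\x00"


def socks5_connect_request(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request with a domain-name destination (ATYP=3).

    Sending the name rather than an IP address delegates resolution to the
    proxy; for a .onion name this is the only way the connection can work.
    """
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5 (max 255 bytes)")
    # VER=5, CMD=1 (CONNECT), RSV=0, ATYP=3, LEN, name, port (big-endian).
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_socks5_reply(data: bytes) -> Tuple[int, str, int]:
    """Return (REP code, bound address, bound port) from a SOCKS5 reply.

    REP 0 means success; Tor typically answers CONNECT with an all-zero
    IPv4 bind address.
    """
    if len(data) < 4 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == 1:                                  # IPv4
        addr, off = socket.inet_ntoa(data[4:8]), 8
    elif atyp == 3:                                # domain name
        n = data[4]
        addr, off = data[5:5 + n].decode("ascii"), 5 + n
    elif atyp == 4:                                # IPv6
        addr, off = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    else:
        raise ValueError("unknown SOCKS5 address type %d" % atyp)
    if len(data) < off + 2:
        raise ValueError("truncated SOCKS5 reply")
    (bound_port,) = struct.unpack("!H", data[off:off + 2])
    return rep, addr, bound_port


def connect_via_tor(host: str, port: int, timeout: float = 30.0) -> socket.socket:
    """Open a TCP stream to host:port through the local Tor SOCKS proxy."""
    s = socket.create_connection((TOR_SOCKS_HOST, TOR_SOCKS_PORT), timeout)
    s.sendall(socks5_greeting())
    if s.recv(2) != b"\x05\x00":
        s.close()
        raise OSError("SOCKS5 proxy refused the no-auth method")
    s.sendall(socks5_connect_request(host, port))
    rep, _, _ = parse_socks5_reply(s.recv(262))  # max reply size for ATYP=3
    if rep != 0:
        s.close()
        raise OSError("SOCKS5 CONNECT failed, REP=%d" % rep)
    return s


if __name__ == "__main__":
    # Placeholder hidden-service name; requires a running Tor client locally.
    with connect_via_tor("example.onion", 80) as conn:
        conn.sendall(b"GET / HTTP/1.0\r\nHost: example.onion\r\n\r\n")
        print(conn.recv(256))
```

From a detection standpoint the interesting property is the one the request bytes make visible: the destination name never leaves the SOCKS message, so a host-based sensor watching loopback port 9050 sees the .onion name, while a network sensor sees only the Tor client’s encrypted relay connections.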

The malware comes with a list of .onion domains that serve as drop points for stolen data. Microsoft said the list of C&C servers was found in a file inside a directory whose name is generated cryptographically. Within that directory is a file with a .ct extension that contains the victim’s IP address, a string that is likely a victim ID, the list of command and control domains, and the malware’s working directory, Microsoft said.

Microsoft said that at its peak in August 2013 an estimated four million Sefnit clients were receiving commands. That number had dipped significantly by the end of December, but two million machines could still be at risk of attack because of the outdated Tor services Sefnit added.
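The residual risk the article describes is a concrete thing to hunt for: a Tor client registered as a Windows service, stuck at v0.2.3.25, bound to 9050 and 9051. The following is an added example, not Microsoft’s detection or Sefnit code, of a triage check over host inventory data. It assumes the defender has already collected, per machine, the list of services with their binary paths and PIDs, the banner printed by running each Tor binary with `--version` (real Tor prints `Tor version X.Y.Z.W.`), and `netstat -ano` output; the sample records below are constructed to exercise the logic, and the criteria come from the article rather than from any vendor signature. Because legitimate Tor installs use the same default ports, the check only flags a service whose version is at or below the Sefnit build, which is the distinction the cleanup relied on.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Tor build the article says Sefnit installed; it never auto-updated.
SEFNIT_TOR_VERSION = (0, 2, 3, 25)
# Ports the Sefnit-installed service listened on: SOCKS proxy and control port.
SEFNIT_PORTS = {9050, 9051}

# Constructed sample inventory (hypothetical hosts, paths and PIDs).
SAMPLE_SERVICES: List[dict] = [
    {"name": "TorService",
     "binary": r"C:\Users\victim\AppData\Roaming\Xk3pd9\tor.exe",
     "pid": 4120,
     "version_banner": "Tor version 0.2.3.25."},
    {"name": "Spooler",
     "binary": r"C:\Windows\System32\spoolsv.exe",
     "pid": 1604,
     "version_banner": ""},
    {"name": "Tor (admin-installed, kept current)",
     "binary": r"C:\Program Files\Tor\tor.exe",
     "pid": 5200,
     "version_banner": "Tor version 0.2.4.20."},
]

# Constructed `netstat -ano` excerpt for the same hypothetical host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    127.0.0.1:9050         0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:9051         0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:9150         0.0.0.0:0              LISTENING       5200
  TCP    127.0.0.1:9151         0.0.0.0:0              LISTENING       5200
  TCP    [::1]:9050             [::]:0                 LISTENING       4120
"""


def parse_tor_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Turn 'Tor version 0.2.3.25.' into (0, 2, 3, 25); None if not a Tor banner."""
    m = re.search(r"Tor version (\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups() if x is not None)


def listening_ports_by_pid(netstat_text: str) -> Dict[int, Set[int]]:
    """Map PID -> set of local TCP ports in LISTENING state (IPv4 and IPv6)."""
    ports: Dict[int, Set[int]] = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            ports.setdefault(int(parts[4]), set()).add(port)
    return ports


def find_sefnit_like_tor(services: List[dict], netstat_text: str) -> List[dict]:
    """Flag Tor services at or below the Sefnit build that expose 9050 and 9051."""
    bound = listening_ports_by_pid(netstat_text)
    findings = []
    for svc in services:
        exe = svc["binary"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if exe != "tor.exe":
            continue
        version = parse_tor_version(svc["version_banner"])
        outdated = version is not None and version <= SEFNIT_TOR_VERSION
        open_ports = bound.get(svc["pid"], set())
        if outdated and SEFNIT_PORTS <= open_ports:
            findings.append({
                "service": svc["name"],
                "binary": svc["binary"],
                "pid": svc["pid"],
                "version": ".".join(map(str, version)),
                "ports": sorted(open_ports),
            })
    return findings


if __name__ == "__main__":
    for f in find_sefnit_like_tor(SAMPLE_SERVICES, SAMPLE_NETSTAT):
        print("Sefnit-style Tor service:", f)
```

The second Tor entry in the sample is there to show the false-positive path the article alludes to: a current Tor build on a different port pair is left alone even though it is also a tor.exe service. In practice the binary path (a random-looking directory under a user profile, as in the first record) is a useful secondary signal, but it is a heuristic and is not used as a hard criterion here.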
