Update: Malware analysts are in a constant cat-and-mouse game with hackers when it comes to studying malicious code behaviors. Researchers handle malware samples gingerly, in a test network away from production machines and away from the Internet. Samples are opened in virtual machines and analysts observe not only malicious payloads, but communication with third-party servers.

In the past year, there have been reports of concerted attempts by hackers to evade detection and analysis. Some malware checks whether it is running inside a virtual machine or over a remote desktop protocol session and refuses to execute if so; peer-to-peer botnets, meanwhile, use domain generation algorithms to produce lists of potential new peer hosts so that takedown attempts are harder to complete.

In addition to virtual machines, researchers rely on the Tor network to observe communication between advanced malware and command-and-control servers. Tor has limitations for this purpose, however, especially for Windows users. Researchers can use the Tor Browser Bundle, which includes its own build of Firefox configured to preserve anonymity, but plug-ins such as Flash don't work with the bundle, and neither does other networking software needed for malware research.

One of the biggest networking limitations is that the Tor client exposes only a SOCKS proxy on a local port, and most networking applications don't support SOCKS natively. Working around that has meant buying additional hardware, setting up extra virtual machines, or learning an unfamiliar operating system.

A researcher with startup Crowdstrike may have bridged those gaps with a tool called Tortilla. Expected to be unveiled at the upcoming Black Hat Briefings in Las Vegas in two weeks, senior security researcher Jason Geffner will not only deliver a presentation on the tool, but will release it as open source.

“Oftentimes, security researchers need to communicate with rogue servers for monitoring and we don’t want to leak our own IP addresses, especially if we’re working from home or working from our company’s IP address,” Geffner said. “Anonymity is valuable to us while doing research.”

In addition to communicating securely with attack servers, it's also important, whether the client is a browser or another network tool, not to leak any traffic outside Tor, Geffner said. Tortilla, he said, provides a secure, anonymous means of routing TCP and DNS traffic through Tor regardless of client software and without the need for a VPN or secure tunnel.

“The Tor client does all of the work,” Geffner said. “Tortilla redirects TCP and DNS traffic through Tor, ensuring nothing else gets out. I wouldn’t call it a plug-in; it does communicate with the Tor client over the SOCKS port Tor opens up, but it’s not a plug-in.”
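What that SOCKS gap looks like from the application side, as an added example that is not Tortilla's or CrowdStrike's code: a minimal SOCKS5 client that hands the raw hostname to the Tor client (address type 0x03) so the exit relay resolves it, and uses Tor's RESOLVE extension (SOCKS command 0xF0, documented in Tor's socks-extensions.txt) for a bare lookup. The proxy address 127.0.0.1:9050 (Tor's default SocksPort), the hostname c2.example and the address 203.0.113.7 are assumptions; the in-process stand-in for Tor's SocksPort is constructed here so the script runs offline and records whether a name or an already-resolved address crossed the proxy boundary, which is the DNS leak the article describes.

```python
"""SOCKS5 client that keeps DNS resolution inside Tor (added example, not
Tortilla's code). Tor's client is a SOCKS5 proxy on a local port, assumed
here to be 127.0.0.1:9050. Sending the hostname in the CONNECT request
(ATYP 0x03) makes the Tor exit resolve it; gethostbyname() first would
query the local resolver, the leak the article describes."""
import contextlib
import socket
import struct
import threading

SOCKS_VERSION, NO_AUTH, REP_SUCCEEDED = 0x05, 0x00, 0x00
CMD_CONNECT, CMD_RESOLVE = 0x01, 0xF0     # 0xF0: Tor's RESOLVE extension
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def _build_request(cmd, host, port):
    # The raw hostname rides inside the SOCKS request; nothing on this
    # machine resolves it, only the Tor exit relay does.
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return (struct.pack("!BBBB", SOCKS_VERSION, cmd, 0x00, ATYP_DOMAIN)
            + bytes([len(name)]) + name + struct.pack("!H", port))

def _read_reply(sock):
    # Only IPv4 replies are parsed here; Tor can also answer with IPv6.
    ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    if ver != SOCKS_VERSION:
        raise ConnectionError("not a SOCKS5 reply")
    if atyp != ATYP_IPV4:
        raise ConnectionError("unexpected address type %#x" % atyp)
    addr = socket.inet_ntop(socket.AF_INET, _recv_exact(sock, 4))
    return rep, addr, struct.unpack("!H", _recv_exact(sock, 2))[0]

def _handshake(proxy):
    sock = socket.create_connection(proxy)
    sock.sendall(bytes([SOCKS_VERSION, 0x01, NO_AUTH]))   # offer no-auth only
    ver, method = _recv_exact(sock, 2)
    if ver != SOCKS_VERSION or method != NO_AUTH:
        sock.close()
        raise ConnectionError("proxy refused SOCKS5 without authentication")
    return sock

def connect_via_tor(host, port, proxy=("127.0.0.1", 9050)):
    """Return a socket whose traffic to host:port exits through Tor."""
    sock = _handshake(proxy)
    sock.sendall(_build_request(CMD_CONNECT, host, port))
    rep, _addr, _port = _read_reply(sock)
    if rep != REP_SUCCEEDED:
        sock.close()
        raise ConnectionError("CONNECT failed, reply code %#x" % rep)
    return sock

def resolve_via_tor(host, proxy=("127.0.0.1", 9050)):
    """Look host up with Tor's RESOLVE command; local DNS is never touched."""
    with _handshake(proxy) as sock:
        sock.sendall(_build_request(CMD_RESOLVE, host, 0))
        rep, addr, _port = _read_reply(sock)
    if rep != REP_SUCCEEDED:
        raise ConnectionError("RESOLVE failed, reply code %#x" % rep)
    return addr

# Constructed stand-in for Tor's SocksPort so the example runs offline. It
# logs each request, including whether the client sent a name or an address.
FAKE_TABLE = {"c2.example": "203.0.113.7"}   # constructed name, TEST-NET-3 IP

def start_fake_socksport():
    """Returns (port, seen); seen collects (cmd, atyp, name, port) tuples."""
    seen, srv = [], socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def handle(conn):
        _ver, nmethods = _recv_exact(conn, 2)
        _recv_exact(conn, nmethods)
        conn.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
        _ver, cmd, _rsv, atyp = _recv_exact(conn, 4)
        if atyp == ATYP_DOMAIN:
            name = _recv_exact(conn, _recv_exact(conn, 1)[0]).decode()
        else:                          # client resolved locally: a DNS leak
            name = socket.inet_ntoa(_recv_exact(conn, 4))
        port = struct.unpack("!H", _recv_exact(conn, 2))[0]
        seen.append((cmd, atyp, name, port))
        ip = socket.inet_aton(FAKE_TABLE.get(name, "0.0.0.0"))
        conn.sendall(bytes([SOCKS_VERSION, REP_SUCCEEDED, 0, ATYP_IPV4]) + ip + b"\0\0")

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn, contextlib.suppress(OSError):
                handle(conn)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], seen
```

Against a real Tor client, drop the fake and call `resolve_via_tor("c2.example")` or `connect_via_tor("c2.example", 443)` with the SocksPort your Tor instance actually listens on. The caveat that motivates Tortilla is that this only protects code you write yourself: any other process on the analysis box that resolves a name or opens a socket still goes straight out the real interface, which is why a system-wide redirector is needed rather than per-application SOCKS support.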

Tor is extensively used by privacy-conscious individuals who want to browse the Web anonymously. Tor provides location anonymity by routing traffic through a network of volunteer-run relays. The Tor client fetches a list of relays from a Tor directory server and builds a path through several of them to the destination. No relay knows the entire path; each sees only the hop before it and the hop after it. Tor is not just for censorship opponents, but is a vital tool for activists living in oppressed parts of the world to communicate with followers they otherwise would not be able to reach, or for journalists communicating with sources.

Tortilla is pretty lightweight and doesn’t boast a lot of extra features, Geffner said. He hopes the security community will take the beta and run with it, delivering feedback on areas of improvement.

“I’m hoping the talk will be well received and the tool will be used,” Geffner said. “As with any software, improvements can be made in terms of optimization, processing network traffic, or interface improvements. What we’re releasing is a fully functioning beta, but not a beautiful UI.”

This story was updated at 5:30 p.m. ET to include a clarification from Jason Geffner.

Categories: Malware

Comments (10)

  1. davidwr
    1

    So, if I’m running malware that “phones home,” I should have my command-and-control machine(s) check all incoming traffic for TOR exit nodes and take countermeasures like dropping traffic from those nodes and, on the “client/infected machine” side, assume that I’ve been spotted if I can’t “phone home” and take appropriate action. Such countermeasures won’t stop my adversary but it will slow him down a bit.

    • Captain Stupendousness
      2

      “Tortilla, he said, provides a … means of routing TCP and DNS traffic through Tor … without the need for a VPN or secure tunnel.”

      Imagine my surprise when the tor protocol was previously incapable of routing either TCP or DNS traffic prior to the tortilla application.

      “…it’s also important, whether over a browser or another Net-based tool, not to leak network traffic onto Tor, Geffner said.”

      Yes, because the very last thing we want to do is to put any kind of network traffic onto the tor network. Good heavens.

      None of this is meant to quibble about what the tortilla app does; apparently it’s a local proxy that redirects application-specific network traffic onto the tor network (so that malicious ISPs can’t use data-mining techniques to correlate traffic on the tor network with things that potentially aren’t on the tor network, like DNS requests). No. This is meant to point out well-known phenomena: that hackers can’t do expository writing to save their lives, that even good writers have a hard time faking it when they don’t know what they’re talking about, and that somewhere, a copy editor was nodding off on Albanian heroin when he should have been sober and putting a red pen to good use.

  2. Peter Gasper
    5

    A better approach is Torifying your C & C traffic, and having a script generate each new sample. Researchers will get only one sample with a unique hash, and you will have bulletproof C & C.

  3. lamont
    6

    I have been trying to install Tortilla but keep getting this error: error in wmain: failed to open totortillawrittenevent. Can you help with this? I tried starting the app and TOR browser in different orders and ways but nothing works. Appreciate any suggestions. thanks

  4. wischi
    8

    same issue here. would be nice if there is a solution out there ;-)
    I even tried “bcdedit.exe -set TESTSIGNING ON” -> same problem

Comments are closed.