Update: Malware analysts are in a constant cat-and-mouse game with hackers when it comes to studying malicious code behaviors. Researchers handle malware samples gingerly, in a test network away from production machines and away from the Internet. Samples are opened in virtual machines and analysts observe not only malicious payloads, but communication with third-party servers.
In the past year, there have been reports of concerted attempts by hackers to avoid detection and analysis. Hackers have built routines into their code that detect when a sample is executed in a VM or over a remote desktop protocol connection and, if so, prevent it from executing; in the case of peer-to-peer botnets, domain generation algorithms generate lists of potential new peer hosts to stem botnet shutdowns.
In addition to virtual machines, researchers rely on the Tor network to observe communication between advanced malware and command and control servers. There are limitations to Tor for this purpose, however, especially for Windows users. Researchers can rely on the Tor Browser Bundle, which includes its own version of Firefox to preserve anonymity. But plug-ins such as Flash don’t work with the bundle, nor does other networking software necessary for malware research.
One of the biggest networking limitations is the fact that the Tor client listens on a local port as a SOCKS proxy, yet most networking applications don’t support SOCKS natively, requiring a researcher to buy additional hardware or virtual machines, or learn an unfamiliar operating system.
A researcher with startup Crowdstrike may have bridged those gaps with a tool called Tortilla. Expected to be unveiled at the upcoming Black Hat Briefings in Las Vegas in two weeks, senior security researcher Jason Geffner will not only deliver a presentation on the tool, but will release it as open source.
“Oftentimes, security researchers need to communicate with rogue servers for monitoring and we don’t want to leak our own IP addresses, especially if we’re working from home or working from our company’s IP address,” Geffner said. “Anonymity is valuable to us while doing research.”
In addition to having the ability to securely communicate with attack servers, it’s also important, whether over a browser or another Net-based tool, not to leak network traffic onto Tor, Geffner said. Tortilla, he said, provides a secure, anonymous means of routing TCP and DNS traffic through Tor regardless of client software and without the need for a VPN or secure tunnel.
“The Tor client does all of the work,” Geffner said. “Tortilla redirects TCP and DNS traffic through Tor ensuring nothing else gets out. I wouldn’t call it a plug-in; it does communicate with the Tor client over the SOCKS port Tor opens up, but it’s not a plug-in.”
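To make concrete what “supporting SOCKS natively” and “DNS traffic through Tor” mean in the two passages above, here is an added example (not Tortilla’s code, nor anything from Crowdstrike or the Tor Project) of a client speaking SOCKS5 to the local Tor client’s SOCKS port. The key detail is the RFC 1928 DOMAINNAME address type: the hostname is handed to Tor unresolved, so the name lookup happens inside the Tor circuit instead of at the researcher’s own resolver, which is the DNS leak an application without SOCKS support would otherwise produce. Port 9050 is assumed as the Tor client’s default SOCKS port.

```python
import socket
import struct

# Assumed: the default SOCKS port of a locally running Tor client (configurable in torrc).
TOR_SOCKS_HOST = "127.0.0.1"
TOR_SOCKS_PORT = 9050

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_DOMAIN = 0x03  # DOMAINNAME: the SOCKS server (Tor) resolves the name, not this host


def build_connect_request(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request carrying the hostname itself.

    Passing the name (ATYP 0x03) rather than calling getaddrinfo() locally is
    what keeps the DNS lookup inside Tor; a local lookup would leak the
    researcher's interest in the hostname to their own resolver.
    """
    name = host.encode("idna")
    if not 0 < len(name) <= 255:
        raise ValueError("hostname length must be 1..255 bytes for SOCKS5")
    header = struct.pack("!BBBB", SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN)
    return header + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_connect_reply(data: bytes) -> int:
    """Return the SOCKS5 reply code from Tor (0 = succeeded, non-zero = failure)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    return data[1]


def connect_via_tor(host: str, port: int,
                    socks_host: str = TOR_SOCKS_HOST, socks_port: int = TOR_SOCKS_PORT) -> socket.socket:
    """Open a TCP stream to host:port through the local Tor SOCKS port."""
    s = socket.create_connection((socks_host, socks_port))
    s.sendall(b"\x05\x01\x00")  # greeting: version 5, one method offered, NO AUTHENTICATION
    if s.recv(2) != b"\x05\x00":  # Tor must pick the no-auth method
        s.close()
        raise OSError("Tor SOCKS port rejected the no-auth method")
    s.sendall(build_connect_request(host, port))
    code = parse_connect_reply(s.recv(262))  # max reply: 4 + 1 + 255 + 2 bytes
    if code != 0:
        s.close()
        raise OSError(f"SOCKS CONNECT to {host}:{port} failed, reply code {code}")
    return s  # from here on, plain TCP over the Tor circuit
```

Only TCP is carried this way; any UDP the application emits still bypasses Tor, which is the gap a system-wide redirector such as Tortilla is meant to close.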
Tor is extensively used by privacy conscious individuals who want to browse the Web anonymously. Tor provides location anonymity by routing traffic through a network of voluntary users that act as proxies for Web traffic. The Tor client contacts a Tor directory server for a list of nodes and selects a path to the destination on which to route traffic. No proxy along the chain knows the entire path, only the next stop in the chain. Tor is not just for censorship opponents, but is a vital tool for activists living in oppressed parts of the world to communicate with followers they otherwise would not be able to reach, or journalists communicating with sources.
Tortilla is pretty lightweight and doesn’t boast a lot of extra features, Geffner said. He hopes the security community will take the beta and run with it, delivering feedback on areas of improvement.
“I’m hoping the talk will be well received and the tool will be used,” Geffner said. “As with any software, improvements can be made in terms of optimization, processing network traffic, or interface improvements. What we’re releasing is a fully functioning beta, but not a beautiful UI.”
This story was updated at 5:30 p.m. ET to include a clarification from Jason Geffner.