Botnet masters hide command and control server inside the Tor network

New botnet is controlled from an IRC server that runs as a hidden service inside the Tor network, researchers say

Security researchers from German antivirus vendor G Data Software have identified a botnet that is controlled by attackers from an Internet Relay Chat (IRC) server running as a hidden service inside the Tor anonymity network.

This strategy offers several advantages to the botnet's operators, but also some disadvantages, the G Data researchers said Monday in a blog post.

For one, the botnet command and control server can't be easily shut down by researchers or law enforcement because its very hard to determine its real location,

The Tor system was specifically designed to provide anonymity for its users. When using Tor to access resources on the Internet, the requests sent from a user's computer are routed randomly through a series of nodes operated voluntarily by other Tor users.

In addition, the connections between users and the Tor nodes is encrypted in a multi-layered fashion, making it very hard for surveillance systems that operate at the local network level or the ISP level to determine the intended destination of a user.

Another benefit of using Tor for controlling malware infected computers is that the traffic cannot be easily blocked by intrusion detection systems, the G Data researchers said.

Intrusion detection systems commonly use signatures to identify traffic that is generated by infected computers present on the network. These signatures often look at the traffic's destination or its actual content. Because Tor traffic doesn't directly point to known malicious destinations and its content is encrypted, it's hard to flag it as malicious.

The botnet discovered by G Data researchers uses an IRC (Internet Relay Chat) server that operates as a so-called "hidden service" inside the Tor network.

Tor's Hidden Service Protocol allows people to run various types of services, such as websites or instant messaging servers, which can only be accessed from within the Tor network. These Tor services are accessible through a .onion address and not a real IP address, which makes them anonymous.

While the Tor network was built for legitimate purposes like protecting user privacy by preventing network-level surveillance, it does offer an opportunity for abuse. For example, the hidden service functionality of the Tor network was used in the past to host an online marketplace for illegal drugs.

The possibility of using the Tor network to host resilient botnet command and control servers has been discussed before. Dennis Brown, a security engineer at Tenable Network Security, discussed the strengths and weaknesses of this approach during a talk at the DefCon 18 security conference back in 2010.

"It has to be noted that malware like this suffers from the latencies that come with the Tor network," the G Data researchers said. "In other words: Tor tends to be slow and unreliable, and inherits these flaws to underlying botnets."

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts