Open-source tool to ease security researchers' quest for secrecy

Security startup CrowdStrike plans to release this month an open-source tool that makes it easier for researchers to secretly monitor malware communications with a command-and-control server.

Called Tortilla, the tool will be available for free on CrowdStrike's Website July 31, the day it is presented by developer Jason Geffner at the Black Hat USA conference in Las Vegas, Nev. The release will include the source code and an executable.

Tortilla corrects the unique hurdles in using Windows workstations for clandestine malware research. The problem stems from Windows' limitations in supporting Tor, an online anonymity network.

Researchers use Tor to hide their computers' IP addresses while monitoring communications between malware and a C&C server and observing the malicious payloads uploaded by the latter.

Anonymity is important because researchers do not want to tip off criminals or hackers working for nation states that they are being watched. Doing so could lead to the subjects denying access to the server, feeding false information to the researcher or taking down the server completely.

"They can do anything they want to misdirect us or mislead us," Geffner said.

The malware creators, who are often tied to organized crime groups, could also trace the IP address directly to the researcher, if he's using a home computer, or the company he works for.

[Also see (premium): Black Hat targets the C-level]

"The more that we keep secret, the better," Geffner said.

The problem researchers face on Windows stems from the operating system's lack of native support for Socket Secure (SOCKS), which is the Internet protocol Tor uses to route network packets through proxies in order to hide the originating computer.

To get around the problem researchers will use other hardware or run the malware on a different operating system running on a virtual machine. VMs are often used to run malware in order to seal it off from the rest of the computer and its software.

Tortilla enables the researcher to use Tor on any Windows computer running XP or later without jumping through hoops. In addition, researchers can use any browser or plugin and any networking software. Tor normally supports only a special version of Firefox.

CloudStrike plans to provide Tortilla with no strings attached, Geffner said. "[Researchers] are free to use it as they like."

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.

Tags CrowdStrikeData Protection | MalwareapplicationsBlack Hat Conferencelegalsoftwaredata protectionTortillacybercrime


Comments are now closed

CSO Corporate Partners
  • f5
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

IT Compliance Solutions

Enforce compliance consistently and cost-effectively across your organization.

Security Awareness Tip
Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.