- Jan 24, 2011
- 9,378
Alarm bells went off last August when spikes in Tor client downloads were traced to a large click-fraud and Bitcoin-mining botnet called Sefnit.
The malware was using the popular anonymity network to communicate with hackersin order to transmit stolen data and receive additional commands. In Sefnit’s case, the 600 percent increase in Tor usage it kicked off was also its downfall as Tor administrators noticed performance issues and steps were taken to strangle its activity.
Hackers’ use of Tor and other Darknet services is really nothing new, but incidents such as the Sefnit takedown that ensued as well as the disruption of the Silk Road drug and malware underground market that also operated over Tor shed more light on the practice.
For example, researchers have Kaspersky Lab have published research uncovering three different campaigns that use Tor as a host infrastructure for criminal malware activities: a64-bit version of the Zeus Trojan that sends traffic through Tor and creates Tor hidden services to obscure the hackers’ location; Chewbacca, a Trojan that steals data from memory a la ram scapers, and communicates over Tor; and most recently an Android Trojan that uses a .onion domain as a command and control infrastructure.
Researcher Sergey Lozhkin, a senior researcher with Kaspersky Lab, said his work investigating criminals’ use of darknets turned up 900 Tor hidden services and 5,500 nodes.
“The possibility of creating an anonymous and abuse-free underground forum, market or malware C&C server is attracting more and more criminals to the Tor network,” Lozhkin said. “Hosting C&C servers in Tor makes them harder to identify, blacklist or eliminate.”
Lozhkin said Tor underground markets aren’t set up much differently than legitimate ecommerce sites; most include some sort of registration process, offer buyers ratings on traders, and familiar interfaces through which purchases are made. Criminals are selling everything from money laundering services, credit cards, skimmers, carding equipment and more. And most of it is sold using Bitcoin.
Yesterday, Microsoft published new details on Sefnit’s Tor components and configuration data, the domains it was in contact with and how it communicates over Tor.
Read more: http://threatpost.com/shedding-new-light-on-tor-based-malware/104651
The malware was using the popular anonymity network to communicate with hackersin order to transmit stolen data and receive additional commands. In Sefnit’s case, the 600 percent increase in Tor usage it kicked off was also its downfall as Tor administrators noticed performance issues and steps were taken to strangle its activity.
Hackers’ use of Tor and other Darknet services is really nothing new, but incidents such as the Sefnit takedown that ensued as well as the disruption of the Silk Road drug and malware underground market that also operated over Tor shed more light on the practice.
For example, researchers have Kaspersky Lab have published research uncovering three different campaigns that use Tor as a host infrastructure for criminal malware activities: a64-bit version of the Zeus Trojan that sends traffic through Tor and creates Tor hidden services to obscure the hackers’ location; Chewbacca, a Trojan that steals data from memory a la ram scapers, and communicates over Tor; and most recently an Android Trojan that uses a .onion domain as a command and control infrastructure.
Researcher Sergey Lozhkin, a senior researcher with Kaspersky Lab, said his work investigating criminals’ use of darknets turned up 900 Tor hidden services and 5,500 nodes.
“The possibility of creating an anonymous and abuse-free underground forum, market or malware C&C server is attracting more and more criminals to the Tor network,” Lozhkin said. “Hosting C&C servers in Tor makes them harder to identify, blacklist or eliminate.”
Lozhkin said Tor underground markets aren’t set up much differently than legitimate ecommerce sites; most include some sort of registration process, offer buyers ratings on traders, and familiar interfaces through which purchases are made. Criminals are selling everything from money laundering services, credit cards, skimmers, carding equipment and more. And most of it is sold using Bitcoin.
Yesterday, Microsoft published new details on Sefnit’s Tor components and configuration data, the domains it was in contact with and how it communicates over Tor.
Read more: http://threatpost.com/shedding-new-light-on-tor-based-malware/104651
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}