[tor-talk] Botnets through Tor

survivd survivd at gmail.com
Sun Dec 9 01:04:57 UTC 2012 

I think some of the hysteria over this is overdone.

> - What can be done to stop botnets abusing Tor for concealing its
> infrastructure?

For unpublished nodes, nothing that I'm aware of.  Hidden services are
called that for a reason, and it's necessarily a dual-use technology.
You can't weaken it for botnet C&C servers without weakening it for
legitimate, vulnerable users.


> - What kind of impact would a large adoption by malware writers of Tor
> and Hidden Services have on the Tor network and its usability? Is it a
> serious threat to the project?

If they're using unpublished, non-public Tor infrastructure (which seems
to be indicated), nothing.  They're just using the software and the
protocol, but restricting their paths to nodes they control.

If this became wildly popular and all botnets start using public
infrastructure for C&C, I would speculate the amounts of traffic Tor
sees might be change somewhat (more routing to hidden services, less
traffic exiting to the open net).  I wouldn't expect to see more abuse
complaints or a big performance impact, because:

1) C&C traffic is typically very small -- IRC & occasional plaintext
updates pulled through http.

2) Since it would be getting routed to hidden services, nobody really
sees it as "bad" traffic.  It's not like the bots are actually launching
attacks through Tor: this would be a pretty poor strategy, since:

A:] it doesn't take advantage of the compromised host's full bandwidth, and

B:] the bot herder doesn't really care if Granny in Lithuania gets her
door kicked down because her IP was a part of a DDoS -- he only needs
anonymity for HIMSELF (not all of his bots -- just his C&C infrastructure)

That said, someone who has done more study on tor-internal traffic could
probably give a better answer on "how things could change" if C&C starts
all getting routed through Tor.


> - Is there something the security community and botnet researchers can
> do to help out?


Other than putting a lot of effort into trying to identify hidden
services hosts (which is dangerous for a number of reasons), I imagine
not much -- although if this becomes a huge trend and the security
community scrutinizes Tor, some new attacks against Tor might be found
(and patched).  As a "problem," this falls more to the A/V folks, since
this whole scheme revolves around spreading through client-side,
user-enabled exploitation via trojaned files, and their entire raison
d'etre is to prevent that.



-S

More information about the tor-talk mailing list