TOR-based botnets on the rise

Keeping their botnet’s C&C centers online is crucial for bot herders, so that they can keep taking advantage of the computers they zombified. But given that cyber security firms and law enforcement agencies have ramped up their efforts to take them down in the last couple of years, cyber crooks are looking for ways to thwart them.

The most popular of these ways is to decentralize the communication infrastructure by making it peer-to-peer. But another option is to hide the C&C in the TOR network.

A favorite with online criminals, TOR allows them to hide both their own real location and that of the botnet’s C&C from researchers, and a successful example of this approach has already been discovered.

Other bot masters have obviously become intrigued with the idea, as ESET researchers have recently unearthed and have been analyzing two distinct TOR-based botnets.

To create the first one, the bot master used an old form-grabber Trojan that has only recently acquired the capability of using the TOR hidden service protocol to communicate with its C&C panel and servers inside the TOR network.

The other one is a little more interesting, as it has been created very recently – earlier this month, to be exact.

The Atrax Trojan serves as a backdoor, steals information, and is able to download additional files, malware and plugins, as well as set up a TOR client on the target machine.

“When the first connection is made with the C&C, Atrax.A sends collected information about the infected system to an address inside the TOR network,” the researchers explain. “It isn’t possible to ascertain the original C&C IP address or domain with a TOR enabled connection but it is possible to use the address generated in the TOR network for analysis.”

And so they did, and they discovered a login panel for the C&C (and used the logo to name the malware).

“Win32/Atrax.A is an interesting example of a TOR-based botnet with AES encryption for additional plugins and a unique encryption key dependent on hardware parameters of the infected machine for its generation,” they pointed out, and added that they continue to track its activity.

They also expect to see more TOR-based botnets in the future, as they have lately observed growth in the number of malware families starting to use TOR-based communications.