In deep space, no-one can see you surf
The web is often described as cyberspace. Hold that image, and then travel into deep space – the dark web. You might see what looks like Saturn, surrounded by rings. But look closer and you’ll find it’s a black hole protected by onion rings.
This is possibly the next step in the evolution of botnets. Blackhole is the cybercriminals’ exploit kit of choice. Botnets are used to drive victims to infected sites that host Blackhole. But botnet communications can be monitored and their command-and-control (C&C) servers located and taken down by the authorities – the Nitol botnet, taken down by Microsoft, is the latest example.
Enter Tor (the name is an acronym for ‘the onion ring’). It was developed to allow users to surf the internet in privacy, making it very, very hard for third parties – including law enforcement agencies – to monitor where you go.
There’s a logic behind criminals using Tor to protect themselves. Hence the black hole surrounded by onion rings.
Now G-Data claims to have found an example. “The botnet owners placed their C&C server, which uses the common IRC protocol, as a hidden service inside of the Tor network.”
This has several advantages for the criminal. The service is anonymous, so even if the C&C server is found, it won’t reveal its owner – nor can it easily be taken down. And since the traffic itself is encrypted, it isn’t easily blocked by intrusion detection systems. The main disadvantage is that the problems inherent to Tor itself (latency and a degree of unreliability) are introduced to the botnet. But since the FBI has already said that it cannot track the deep space of the dark net, we may soon see, or not see, more of these hidden botnets.