Cybercriminals increasingly use the Tor network to control their botnets, researchers say

Researchers from ESET discovered two new malware threats that use control servers within the Tor anonymity network

By Lucian Constantin, IDG News Service | Security

The ESET researchers were able to trick the Atrax C&C server into sending two additional plug-ins to a test system infected with the malware. One of them was designed to steal information entered into Web forms and the other was capable of stealing passwords.

The other threat identified in July, called Agent.PTA, is part of a malware family known since 2012, the ESET researchers said. However, the Tor functionality is a new addition to it, they said.

Like Atrax, Agent.PTA has form-grabbing capabilities and its functionality can also be extended through plug-ins. The malware connects to Web control servers operated as Tor hidden services.

"This year we had already detected TOR-based botnets but during the summer we have observed a growth in the numbers of malware families starting to use TOR-based communications," the ESET researchers said. "The TOR-based botnets make it really hard to pursue investigation and C&C location tracking."

However, even if locating the real IP addresses of the C&C servers is difficult when they are only accessible from within the Tor network, analyzing the malware's communication protocols and command and control traffic is still doable, the researchers said.
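The point above, that C&C traffic to a hidden service can still be analyzed on the victim side even though the server's real IP cannot be found, is something a defender can act on directly. The following is an added example, not code from the article or from ESET: it scans constructed proxy and endpoint-firewall log lines (the log format, the hostnames and the `.onion` addresses are all made up here) for two indicators of Tor-based C&C: requests to `.onion` hostnames (16-character v2 or 56-character v3 names), and connections to the loopback SOCKS ports that the tor daemon (9050) and Tor Browser (9150) listen on by default. Hits are grouped per source machine so an analyst can see which hosts are beaconing.

```python
import re
from collections import Counter, defaultdict

# v2 onion names are 16 base32 chars, v3 names are 56; both use [a-z2-7].
ONION_RE = re.compile(r"\b([a-z2-7]{16}|[a-z2-7]{56})\.onion\b", re.IGNORECASE)

# Default local SocksPort of the tor daemon (9050) and of Tor Browser (9150).
TOR_SOCKS_PORTS = {9050, 9150}
LOCAL_SOCKS_RE = re.compile(r"\b(?:127\.0\.0\.1|localhost):(\d+)\b")

# Constructed sample records (not real data): "<timestamp> <source host> <proto> <destination>".
SAMPLE_LOGS = [
    "2013-07-12T10:01:03Z ws-17 HTTP GET http://example.com/index.html",
    "2013-07-12T10:01:05Z ws-17 HTTP POST http://abcdefghijklmnop.onion/gate.php",
    "2013-07-12T10:02:05Z ws-17 HTTP POST http://abcdefghijklmnop.onion/gate.php",
    "2013-07-12T10:01:06Z ws-22 TCP 127.0.0.1:9050",
    "2013-07-12T10:01:09Z ws-09 TCP localhost:8080",
    "2013-07-12T10:01:11Z ws-09 HTTP GET http://example.org/update.xml",
    "2013-07-12T10:03:40Z ws-22 HTTP GET http://q7wzyxabcd234567.onion/plugin.bin",
]


def classify_line(line):
    """Return (indicator, detail) for a suspicious line, or None for a clean one."""
    m = ONION_RE.search(line)
    if m:
        return ("onion_host", m.group(0).lower())
    m = LOCAL_SOCKS_RE.search(line)
    if m and int(m.group(1)) in TOR_SOCKS_PORTS:
        return ("local_tor_socks", m.group(0))
    return None


def tor_indicators(lines):
    """Group indicator hits by source host (second whitespace-separated field)."""
    hits = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed record, skip rather than crash the sweep
        result = classify_line(line)
        if result:
            hits[parts[1]].append(result)
    return dict(hits)


def onion_hosts(lines):
    """Count how often each .onion name appears, to spot a recurring C&C beacon."""
    return Counter(
        detail for hits in tor_indicators(lines).values()
        for kind, detail in hits if kind == "onion_host"
    )


if __name__ == "__main__":
    for src, found in sorted(tor_indicators(SAMPLE_LOGS).items()):
        print(src, found)
    print(onion_hosts(SAMPLE_LOGS).most_common())
```

In practice the same two checks translate directly into a proxy-log search or a host-based firewall rule; a loopback connection to a Tor SOCKS port on a workstation that has no business running Tor is a cheap, high-signal alert on its own, while the `.onion` match identifies the beacon endpoint that the protocol analysis mentioned above would then focus on.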
