
TOR: blocking C&C servers and cybercriminals

Posted on July 27, 2014.

Tor is increasingly being used by cybercriminals. Its ability to anonymize people and places makes it an attractive place to hide nefarious activity, including malware C&C servers. Just last week Kaspersky Lab warned that it had traced a new and sophisticated ransomware trojan (dubbed Onion, for obvious reasons) to a lair inside Tor.

What is a valuable defence for political activists has become an attack vector against the enterprise. But Tor was designed to hide rather than to attack; while it makes finding the criminals more difficult, it makes defending against them easier. Tor is finite, and defending against a finite vector should be simpler than defending against the infinite internet.

Tor’s ‘weakness’ is its entry and exit points. While it is effectively (for companies at least) impossible to locate the criminals’ C&C servers, all traffic to and from those servers must enter or leave the Tor network through a relatively small and largely known set of relay addresses. An infected machine on your network is a Tor client, and a Tor client has to connect to one of those relays before it can reach anything inside Tor. Put simply, if you can block those addresses, you cut any infection off from its Tor-based controller.


Tor itself keeps and publishes a directory of its relays (the network consensus, refreshed hourly). In theory, simply blocking all of these addresses at the firewall breaks any connection between the trojan and its master. But as Tor gains in popularity, and more and more liberty-minded people adopt and participate in the network, if only to maintain their own privacy against increasingly intrusive government surveillance, this will become more difficult: the list grows and changes constantly.

And as ESET senior research fellow David Harley warns, it rather depends on all entry and exit points actually being known. “I’ve… heard that some entry relays are kept hidden,” he suggested. “I assume that refers to bridge relays that aren’t in the main Tor directory, so aren’t in a public list. You can use Tor tools to find those relays, of course, but I don’t know how feasible it would be to compile a complete list.”
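To make the directory-based block concrete, here is an added example (not code from the original post, and not from Tor, ESET or Sophos) that turns a Tor v3 network-status consensus into egress firewall rules. It parses the consensus `r` (router), `a` (additional address) and `s` (flags) lines, collects every relay's OR port and directory port, and renders one iptables/ip6tables DROP rule per endpoint. The consensus text below is constructed for the example and uses documentation address ranges, not real relays. Exactly as Harley's caveat implies, bridge relays never appear in the consensus, so a list built this way is incomplete by design.

```python
"""Build an egress blocklist from a Tor network-status consensus (added example).

Parses the 'r', 'a' and 's' lines of a Tor v3 consensus document and emits
iptables rules dropping outbound TCP to every relay's ORPort and DirPort.
Bridges are not in the consensus, so the resulting list is deliberately
incomplete; regenerate it every hour as the consensus changes.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample in the v3 consensus format. Addresses are from the
# RFC 5737 / RFC 3849 documentation ranges, and the identity/digest fields
# are placeholders; none of this refers to real relays.
SAMPLE_CONSENSUS = """\
network-status-version 3
vote-status consensus
valid-after 2014-07-27 10:00:00
r guardrelay AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2014-07-27 08:00:00 192.0.2.10 9001 9030
a [2001:db8::10]:9001
s Fast Guard Running Stable Valid
w Bandwidth=5000
r exitrelay CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2014-07-27 07:30:00 198.51.100.20 443 80
s Exit Fast Running Valid
w Bandwidth=3000
r smallrelay EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2014-07-27 01:00:00 203.0.113.30 9001 0
s Running Valid
w Bandwidth=10
directory-footer
"""


@dataclass
class Relay:
    nickname: str
    addresses: list            # (ip, port) tuples: ORPort, DirPort, extra 'a' addresses
    flags: set = field(default_factory=set)


def parse_consensus(text):
    """Return the relays listed in a consensus document."""
    relays, current = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        kw = parts[0]
        if kw == "r":
            # In both the full and the microdescriptor flavour the 'r' line
            # ends with "IP ORPort DirPort", so take the last three fields.
            if len(parts) < 4:
                raise ValueError(f"malformed r line: {line!r}")
            ip, orport, dirport = parts[-3], int(parts[-2]), int(parts[-1])
            ipaddress.ip_address(ip)               # reject garbage early
            current = Relay(nickname=parts[1], addresses=[(ip, orport)])
            if dirport != 0:                       # DirPort 0 means none
                current.addresses.append((ip, dirport))
            relays.append(current)
        elif kw == "a" and current is not None:
            # 'a' line carries an extra OR address, "[ipv6]:port" or "ipv4:port".
            host, _, port = parts[1].rpartition(":")
            host = host.strip("[]")
            ipaddress.ip_address(host)
            current.addresses.append((host, int(port)))
        elif kw == "s" and current is not None:
            current.flags = set(parts[1:])
        elif kw == "directory-footer":
            current = None                         # no more router entries
    return relays


def blocklist(relays, require_flag=None):
    """Deduplicated (ip, port) endpoints, optionally only relays carrying a flag."""
    endpoints = set()
    for relay in relays:
        if require_flag and require_flag not in relay.flags:
            continue
        endpoints.update(relay.addresses)
    # Sort IPv4 before IPv6; ipaddress objects only compare within a version.
    return sorted(endpoints, key=lambda e: (ipaddress.ip_address(e[0]).version,
                                            ipaddress.ip_address(e[0]), e[1]))


def iptables_rules(endpoints, chain="OUTPUT"):
    """Render one DROP rule per endpoint; IPv6 endpoints go to ip6tables."""
    rules = []
    for ip, port in endpoints:
        tool = "ip6tables" if ipaddress.ip_address(ip).version == 6 else "iptables"
        rules.append(f"{tool} -A {chain} -p tcp -d {ip} --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in iptables_rules(blocklist(parse_consensus(SAMPLE_CONSENSUS))):
        print(rule)
```

In production the input would be a real consensus fetched from a directory cache (path `/tor/status-vote/current/consensus`) and checked against the directory authorities' signatures before it is trusted, and the rule set would be regenerated on each new consensus; an ipset or address group is a better fit than thousands of individual rules. The `require_flag="Guard"` option shows how to narrow the list to the relays a client normally uses as its entry point, but blocking every listed relay is the safer default.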


Blocking Tor “is certainly a possibility,” adds Sophos senior security advisor Chester Wisniewski, “but doing it by IP would likely lead to a lot of tail chasing.” His advice is to block Tor’s access to the enterprise by closing the ports it uses.

“Typically Tor communicates on 9001, 9030, 80 and 443,” he told me. “The 9000 series ports should already be blocked, and through the judicious use of an application proxy for HTTP and HTTPS traffic (which you should already have in place) any disguised traffic should be blocked as not following the HTTP standards. Tor is valid TLS traffic, but will not pass through an application proxy expecting HTTP(s) traffic.”

Of course, none of this solves the Tor-based malware problem on its own. You can get infected from anywhere outside Tor; blocking Tor only prevents the criminal from reaching the infected machine to control it. It should therefore be one layer in a multi-layered security posture.

There is, however, one fly in the ointment. If you get infected with Tor-controlled ransomware, you will need to dismantle these defences if you decide to pay the ransom… Best keep your other defences up to date and make sure anything and everything important is properly backed up.


Submitted in: News, News_malware