In recent months Kaspersky Lab experts have been closely monitoring so-called Darknet resources, mostly the Tor network. One thing is immediately obvious: the cybercriminal element is growing. Although the Tor infrastructure and cybercriminal resources are not on the same scale as the conventional Internet, the experts managed to find approximately 900 hidden services currently online.
Tor is primarily unrestricted, free software operating via the Internet. Its users visit sites, exchange messages on forums, communicate via IMs, etc., just like on the “ordinary” Internet. But there is one crucial difference: Tor allows its users to remain anonymous during their activity on the Net. Network traffic is completely anonymous: it is impossible to identify the user’s IP in Tor, making it impossible to determine who the user is in real life. Moreover, this Darknet resource utilizes so-called pseudo domains which frustrate any efforts to pick up the resource owner’s personal information.
Recently cybercriminals have started actively using Tor to host malicious infrastructure. Kaspersky Lab experts found Zeus with Tor capabilities, then they detected ChewBacca and finally analyzed the first Tor Trojan for Android. A quick look at Tor network resources reveals lots of resources dedicated to malware – C&C servers, admin panels, etc.
“Hosting C&C servers in Tor makes them harder to identify, blacklist or eliminate. Although creating a Tor communication module within a malware sample means extra work from the malware developers, we expect there will be a rise in new Tor-based malware, as well as Tor support for existing malware”, said Sergey Lozhkin, Senior Security Researcher, Global Research and Analysis Team at Kaspersky Lab.
Read more at securelist.com.
Read the FAQ “Demystifying Tor” at Kaspersky Daily.