A few thoughts on Tor-augmented malware

Malware that uses Tor to talk to its C&C servers is a novelty. It does not necessarily make the malware itself more dangerous, but it makes eradicating it a much more serious problem.

Back in July, Kaspersky Lab reported on a new strain of ransomware that used the Tor anonymity network (“The Onion Router”) to hide the location of its command-and-control servers and make it hard to track the actors behind this ongoing campaign.

This is actually not the first time our researchers observed malware that uses Tor – and it certainly won’t be the last.

Until recently it wasn’t widespread: only a few banking malware families, such as the 64-bit ZeuS Trojans, used Tor connections.

Why? Does using Tor make the malware more dangerous than it already is?

Well, the answer is mixed. Both the 64-bit ZeuS Trojans and the new ransomware, which Kaspersky Lab named “Onion”, use Tor to conceal their C&C servers and thereby complicate the search for the malware operators. In that narrow sense it works: Tor’s architecture makes it next to impossible to de-anonymize a user from the outside, regardless of whether that user’s purposes are legitimate. Tor was devised to fight censorship, but cybercriminals unsurprisingly employ it as well.



At the same time, Onion does not become more dangerous just because its C&C infrastructure is now well hidden. That is a problem for the IT security experts trying to trace its operators, not for the businesses that are the malware’s primary targets.

Even without any Tor beef-ups, Onion is dangerous as hell. A direct “heir” to the dreaded CryptoLocker, CryptoDefense/CryptoWall, ACCDFISA and GpCode, it is yet another piece of ransomware that encrypts every file it can reach and then demands a ransom.

The cybercriminals claim there is a strict 72-hour deadline to pay up, after which all the files will be lost forever, and that claim is plausible: Onion uses the asymmetric key-agreement protocol ECDH (Elliptic Curve Diffie–Hellman) to derive the keys the files are encrypted with (for technical details, follow this link to Securelist).

In short, an encrypted file cannot be decrypted without the master private key, which only the criminals hold. If that key really is kept for just 72 hours, as the attackers claim, then after the deadline there is no way at all to recover the encrypted files.
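To make concrete why the 72-hour threat is credible, here is an added example, written for this article in Go with only the standard library, of the ECDH key scheme that such encryptors use. It is not Onion’s code and not taken from the Securelist write-up: the X25519 curve, the SHA-256 key derivation and the AES-GCM file cipher are assumptions chosen for the illustration, and the "document" is a constructed sample. What it shows is the asymmetry: the victim’s machine only ever holds the master public key, each file is protected with a shared secret computed from a throw-away ephemeral key, and once that ephemeral private key is gone the secret can be recomputed only with the master private key the criminals keep.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is what remains on the victim's disk: the ciphertext plus the
// ephemeral public key that, together with the master PRIVATE key, lets the
// file key be reconstructed. Nothing stored here is secret on its own.
type EncryptedFile struct {
	EphemeralPub []byte // 32-byte X25519 public key, unique per file
	Nonce        []byte // AES-GCM nonce
	Ciphertext   []byte // AES-GCM output, authentication tag included
}

// GenerateMasterKey runs once, on the attacker's side. The private half never
// leaves the attacker; only PublicKey() is embedded in the malware.
func GenerateMasterKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// aeadFor turns an ECDH shared secret into an AES-256-GCM instance. A plain
// SHA-256 stands in for a proper KDF (assumption for the example).
func aeadFor(shared []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile runs on the victim. It holds only the master PUBLIC key.
func EncryptFile(masterPub *ecdh.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader) // fresh per file
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(masterPub) // eph_priv * master_pub
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(shared)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	ct := gcm.Seal(nil, nonce, plaintext, ephPub) // ephPub bound as associated data
	// eph (the ephemeral private key) now goes out of scope and is never written
	// anywhere, so the victim's machine cannot recompute `shared`.
	return &EncryptedFile{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptFile is what the criminals' decryptor does after payment: the master
// PRIVATE key recovers the same shared secret as master_priv * eph_pub. If the
// criminals delete that key, nothing on Earth can run this successfully.
func DecryptFile(masterPriv *ecdh.PrivateKey, f *EncryptedFile) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(f.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := masterPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(shared)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.Nonce, f.Ciphertext, f.EphemeralPub) // errors on a wrong key
}

func main() {
	master, err := GenerateMasterKey()
	if err != nil {
		panic(err)
	}
	doc := []byte("Q3 sales figures (constructed sample document)")
	enc, err := EncryptFile(master.PublicKey(), doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on disk: %x\n", enc.Ciphertext)
	// Any other X25519 key, which is all a victim or researcher could produce,
	// fails authentication; only the real master private key opens the file.
	other, _ := GenerateMasterKey()
	if _, err := DecryptFile(other, enc); err != nil {
		fmt.Println("wrong master key:", err)
	}
	plain, err := DecryptFile(master, enc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", plain)
}
```

The practical consequence is the one the article draws: since the only secret that matters never touches the victim’s machine, no amount of forensics on the infected host yields the files, and the only defensive lever left is an offline backup.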

The creators of Onion take no chances. There is next to no way to trace the C&C servers and no way to decrypt the files without the master private key. The propagation method is also unorthodox. Kaspersky Lab’s researchers established that the Andromeda bot (detected as Backdoor.Win32.Androm by Kaspersky Lab products) receives a command to download and run another malicious program, from the Email-Worm.Win32.Joleee family, on the victim’s computer. Joleee is primarily a spam-sending tool, but it can also execute a number of commands from the cybercriminals, including downloading and launching an executable file. So it is actually Joleee that downloads the encryptor to the infected computer and launches it.

Why so complex? That is a matter for speculation.

What is certain is that this threat has to be dealt with at the local level. If critical data is backed up and the copies are stored safely, an encryptor is a mere nuisance that costs a business a few hours at worst.

But backups must be made regularly, and the copies need to go to storage that is accessible only while the backup is running (for example, a removable drive that is disconnected as soon as the backup finishes). Otherwise the backup copies will be attacked and encrypted by the ransomware in exactly the same way as the originals: an encryptor simply walks every drive and network share the infected account can write to, and a permanently mounted backup disk is just another one of them.

The security solution should be turned on at all times with all of its components active, and its databases should be kept up to date.

Kaspersky Lab products detect Onion by signature with the verdict Trojan-Ransom.Win32.Onion. Previously unknown modifications are detected heuristically with the verdict HEUR:Trojan.Win32.Generic, or proactively with the verdict PDM:Trojan.Win32.Generic.

In addition, Kaspersky Lab solutions incorporate the Cryptomalware Countermeasures technology, which can protect user data even from yet-unknown encryptors for which there are no signatures or cloud-based data yet. It works by creating protected backup copies of personal files as soon as a suspicious program attempts to access them.

The technology automatically restores a file even if the malware has already encrypted it. For it to operate, the System Watcher component must be enabled in the Kaspersky Lab product settings.

Using Tor may become commonplace for criminals, especially those who operate botnets or encryptors, i.e. anything that needs command-and-control servers.

If your house is infested by ants, the only way to exterminate them is to kill the queen, which resides in a deeply hidden nest; the nest is often unreachable directly, so poison that the workers carry back is used to destroy the colony.

The only sure way to dismantle a botnet is to “destroy the nest” by bringing down its C&C servers (and – preferably – apprehend the “ant queens”, i.e. the botnet’s owners).

But if (or when) the criminals move their botnets’ C&C infrastructure into Tor, it will be vastly more difficult to uproot such a network with a single blow, as was done in Operation Tovar and similar botnet takedowns. That, in turn, means the only way to fight such a botnet is rock-solid local protection that does not let the malware in in the first place.

In other words, if and when controlling malware via Tor becomes mainstream, cybersecurity becomes “everybody’s own business” more than ever before.