Title :
Botnet over Tor: The illusion of hiding
Author :
Casenove, Matteo ; Miraglia, Armando
Author_Institution :
Vrije Univ. Amsterdam, Amsterdam, Netherlands
Abstract :
Botmasters have lately focused their attention on the Tor network to provide the botnet command-and-control (C&C) servers with anonymity. The C&C constitutes the crucial part of the botnet infrastructure and hence needs to be protected. Even though Tor provides such an anonymity service, it also exposes the botnet activity through recognizable patterns. On the one hand, a bot using Tor is detectable because of its characteristic network traffic and the ports it uses. Moreover, the malware needs to download the Tor client at infection time, and the act of downloading that software is itself peculiar and detectable. On the other hand, centralized C&C servers attract a lot of communication from all the bots; this behaviour exposes the botnet, and the anomaly can easily be identified in the network. This paper analyses how the Tor network is currently used by botmasters to guarantee C&C anonymity. Furthermore, we address the problems that still afflict Tor-based botnets. Finally, we show that the use of Tor does not, in fact, fully guarantee the anonymity features required by botnets, which remain detectable and susceptible to attacks.
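The three network-side signals the abstract names (Tor-looking traffic and ports, the Tor client download at infection time, and many hosts turning to Tor at once) can be turned into a simple detector over flow and proxy records. The block below is an added illustration written for this page; it is not code from the paper or its authors. The flow and proxy log lines, the relay addresses, the time window and the host threshold are all constructed for the example; the only facts taken from Tor itself are its default ORPort (9001) and DirPort (9030) and the torproject.org download host. A production detector would match destination addresses against the current Tor consensus rather than a fixed list, since many relays listen on 443 and bots can fetch the client from a mirror.

```python
"""Heuristic detection of the Tor-botnet signals described in the abstract.

Added example, not from the paper. Sample data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Tor's default relay ports: ORPort 9001 and DirPort 9030. Port matching alone
# is weak (relays also listen on 443), so the address list below stands in for
# the Tor consensus. These three addresses are constructed, not real relays.
TOR_RELAY_PORTS = {9001, 9030}
KNOWN_RELAYS = {"198.51.100.7", "203.0.113.21", "192.0.2.99"}


@dataclass(frozen=True)
class Flow:
    ts: int         # seconds since epoch (constructed)
    src: str        # internal host
    dst: str        # external address
    dport: int
    bytes_out: int


def is_tor_flow(f: Flow) -> bool:
    """A flow looks like Tor if it hits a relay port or a known relay address."""
    return f.dport in TOR_RELAY_PORTS or f.dst in KNOWN_RELAYS


def tor_clients(flows):
    """Internal hosts that produced at least one Tor-looking outbound flow."""
    return {f.src for f in flows if is_tor_flow(f)}


def synchronized_onset(flows, window=60, min_hosts=3):
    """Windows in which at least min_hosts internal hosts *first* talked Tor.

    Legitimate users adopt Tor sporadically; bots that were infected in the
    same wave fetch the client and bootstrap together, so their first Tor
    flows cluster in time. Returns {window_start: {hosts}} for dense windows.
    """
    first_seen = {}
    for f in sorted(flows, key=lambda x: x.ts):
        if is_tor_flow(f) and f.src not in first_seen:
            first_seen[f.src] = f.ts
    buckets = defaultdict(set)
    for host, ts in first_seen.items():
        buckets[ts // window * window].add(host)
    return {start: hosts for start, hosts in buckets.items()
            if len(hosts) >= min_hosts}


def tor_downloads(proxy_lines):
    """Hosts that fetched something from the Tor project over the web proxy.

    Constructed line format: "<ts> <src> <method> <host> <path>". This only
    catches direct downloads; a bot fetching from a mirror or over Tor's own
    bootstrap path would need a different signal.
    """
    hits = set()
    for line in proxy_lines:
        parts = line.split()
        if len(parts) < 5:
            continue          # malformed record, skip rather than crash
        _, src, _, host, _ = parts[:5]
        if host == "torproject.org" or host.endswith(".torproject.org"):
            hits.add(src)
    return hits


def suspects(flows, proxy_lines, window=60, min_hosts=3):
    """Hosts that both appear in a synchronized Tor-onset window and downloaded
    the Tor client: the combination the abstract describes as peculiar."""
    clustered = set()
    for hosts in synchronized_onset(flows, window, min_hosts).values():
        clustered |= hosts
    return sorted(clustered & tor_downloads(proxy_lines))


# Constructed sample data: three hosts start Tor within 15 s of each other
# (two of them after a visible client download), one ordinary HTTPS flow,
# and one lone Tor user much later.
FLOWS = [
    Flow(1000, "10.0.0.5", "198.51.100.7", 9001, 4096),
    Flow(1010, "10.0.0.6", "203.0.113.21", 443, 3500),   # relay on 443
    Flow(1015, "10.0.0.7", "192.0.2.99", 9001, 4200),
    Flow(1100, "10.0.0.8", "203.0.113.77", 443, 900),    # ordinary HTTPS
    Flow(5000, "10.0.0.9", "198.51.100.7", 9030, 1200),  # lone Tor user
]
PROXY_LOG = [
    "990 10.0.0.5 GET dist.torproject.org /tor/tor-win32.zip",
    "1004 10.0.0.6 GET dist.torproject.org /tor/tor-win32.zip",
    "1200 10.0.0.8 GET www.example.com /index.html",
]

if __name__ == "__main__":
    print("Tor clients:", sorted(tor_clients(FLOWS)))
    print("Synchronized onset:", synchronized_onset(FLOWS))
    print("Suspects:", suspects(FLOWS, PROXY_LOG))
```

Run on the constructed sample, the lone Tor user at t=5000 is reported as a Tor client but not as a suspect, which is the intended distinction: the paper's point is that the aggregate behaviour of a bot population, not any single Tor connection, is what gives the botnet away.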
Keywords :
computer network security; invasive software; overlay networks; peer-to-peer computing; telecommunication traffic; Botnet command-and-control servers; Botnet infrastructure; C&C servers; P2P network; Tor network; anonymity service; centralised overlay networks; malware; network traffic characteristic; Encryption; Malware; Monitoring; Overlay networks; Protocols; Relays; Servers; Anonymity; Botnet; Command-and-Control; Malware; Resilience; Tor;
Conference_Titel :
Cyber Conflict (CyCon 2014), 2014 6th International Conference On
Conference_Location :
Tallinn
Print_ISBN :
978-9949-9544-0-7
DOI :
10.1109/CYCON.2014.6916408