Security researchers have identified a new botnet that is controlled by attackers from an Internet Relay Chat (IRC) server running as a hidden service inside the Tor anonymity network. Unable to determine its real location or sniff its encrypted traffic, law enforcement are going to have a tough time shutting it down.
Tor, or The Onion Router, is a free network that uses multiple layers (like an onion) to provide anonymity to users who proxy their Internet connection through it. Requests and network packets are routed through Tor nodes operated voluntarily by its users. In addition, requests running through the network are encrypted in a multi-layered fashion. Intrusion Detection Systems (IDS) often key on the traffic’s destination or content and thus, the random nature of the Tor node allocation and the encryption of its data make it impossible for an IDS to flag the traffic as “evil”.
In addition to providing anonymity for Tor users, Tor also allows users to run various types of services such as web servers or IM servers that can be accessed from within the Tor network. These services are accesses through an .onion address and not a real IP address. In effect, it makes the service anonymous too.
All of these unique attributes provide an excellent habitat for botnets that serve malware or are used and launch points for DDOS attacks. Botnets such as this one have been detected on Tor in the past. In this current case, an IRC-based botnet command and control application has been set up in the Tor network, as a hidden service, and uses IRC to communicate the botnet’s command and control signals. The botnet C&C cannot be taken down easily because it is anonymous. And since Tor encrypts all of its traffic, IDS systems cannot block it.
There’s no easy way out of this at this point. Tor is vital for users who need to remain anonymous on the Internet (e.g. citizens in countries where free speech is restricted). And whether or not you choose to act as a Tor exit point, entrance point, or just a node in the middle, everyday Joes are a part of a network infrastructure that serves a valid function.
Sources: PC World, CIO Magazine