- SMB Spotlight
Criminals plan to release a fresh wave of advanced cyber attack campaigns using the anonymising Tor network, according to Kaspersky Lab.
Kaspersky Lab senior security researcher Sergey Lozhkin issued the warning during a webinar attended by V3, citing the recently discovered ChewBacca and evolved Zeus Tor malware as proof of their claim.
"The Tor network started small but lots of hackers and cyber criminals have discovered the benefits of storing their communities and malware there. We've seen malware developers creating malware that communicates with the Tor network and passes its command-and-control servers (C&C) through it. This is because when you create a resource in Tor it's almost impossible to know who owns it or where it's hosted," he said.
"They're putting their C&C server inside the Tor network so no one can easily destroy it. Already we found ChewBacca and Zeus that uses a Tor module to interact with their C&C. [This means] the communication channel [between the infected system and the C&C] is encrypted and protected by Tor. They are creating malware to support the Tor network and this will continue to rise."
Tor is an anonymising network designed to help people hide their internet activity. It does this by directing internet traffic through a volunteer network of more than 5,000 relays to conceal the user's location.
Lozhkin said the company has already seen a marked increase in the number of "hidden services" running on Tor, which rose from 910 to 1,077 over the last month.
The services included a variety of different cyber rackets outside of basic malware hosting, ranging from digital black markets, such as the recently shut down Silk Road, to recruitment pages for hacker-for-hire groups.
"Malware isn't the only thing stored in Tor. You can find any resource in there now, be it a single hacker for hire or a full-on mercenary group. They offer everything," said Lozhkin.
"There are also a lot of trade places in Tor and the number is growing every month. We see lots of new things, like stores that sell botnets operating in it. Now you can go inside Tor and easily buy a botnet. You can buy it using Bitcoins and in two clicks become a botnet master."
Kaspersky Lab's senior security researcher Stefan Tanase said criminals' use of Tor is particularly dangerous as the NSA's PRISM campaign has driven many users with appropriate cyber skills to begin using it.
"With recent goings on in the cyber world and people realising how much cyber espionage is happening, people are beginning to use Tor. In the last year, we've seen services like Tor are becoming more and more used and popular around the world and the number of users is always increasing," he said.
PRISM whistleblower Edward Snowden listed Tor and tools such as end-to-end communications encryption as key ways people can protect themselves from mass surveillance operations such as PRISM, during a privacy discussion at the SXSW conference.