So I'm Dennis Brown. I'm here today to talk about resilient botnet command and control with Tor. I came up with this title while working on the CFP at the very end of the deadline, and it's probably a bit dry. So I decided I should probably rename this talk to something a little more fun. So here's the new title screen. I think it gets the point across about, like, Tor and hidden of paint. I'll take that as a compliment for my wonderful Photoshop skills. So who am I? I'm Dennis Brown, like I said. I'm a security researcher for Tenable Network Security, which, if anybody asks me, as they've been asking all week, I'll just say I write Nessus plugins. It doesn't really matter what I do. I've spoken a few times at ToorCon, and I spoke yesterday here at DEF CON about something about as far from this topic as you can get. So this is a nice change, if you've been following me around. Thanks for being a groupie. I'm also a part of the Rhode Island DEF CON group, DC401. Anyone here from Rhode Island? Yes. That's all of us. So that's where I am.

What I'm not, in the disclaimer area, is affiliated with the Tor Project at all. I want to make that clear up front. I have nothing to really do with them at all. In fact, I really want to say that I love Tor a lot. People might be thinking, oh, you shouldn't be doing bad things with it. I agree. It's a really great tool. Most of the people that use it really aren't using it for bad purposes either. I don't know if any of you followed the stuff going on, like people trying to get to websites from China, the Chinese trying to block Tor access, and stuff like that. I know last year, when I was following the election going on in Iran, it was wonderful seeing people using Tor and other proxies to get the word out and get all kinds of information about what's going on, in the Western world at least. So I really do love Tor.
I don't want people to really think that I'm just trying to use it for my own evil purposes, because I'm really not. I'm trying to make us aware, so we're not doing it for evil. But just like any good tool, it can be abused. Just like anything else, anonymity is great for us. It's great for people who need it, for people who are oppressed, but it's also good for people who want to do bad things. So that's how it is.

So here's a little overview of what we'll be talking about today, or what I'll be talking about today. We're focusing on botnet command and control, specifically command and control, but a few other factors around it as well, because there are a lot of interesting things we can do with this. I'll be doing a few case studies, or a case study, using Zeus, or Zbot, or whatever you may know it as, and talk about a few theoretical models inspired by some of the other big bots and worms and whatnot that we've seen over the last few years. I'm going to talk about a few techniques, too, to use Tor to anonymize your servers, because that's really what this is all about. How many people here are actually familiar with hidden services with Tor? That's about what I expected, actually. It seems to be one of those features that more people really need to know about. So you should learn about it. You'll learn all about it here. And the goal of this is actually to keep your servers up and keep your botnets alive, because I'm sure we're all terrible people and have bots and whatnot. So we're going to talk about the ways this is good, the ways this is bad, strengths, weaknesses, all stuff like that. So you may be asking yourself, well, why is this important to talk about? That sounds like it's just something terrible people shouldn't be doing, or, it's awesome, I'm going to go home and do it myself. There's been a lot of discussion over the years, in various forums in the research community, about people being a little worried that some malware might actually be using Tor.
I know there have been several discussions that I've been a part of where people are like, wow, if it really did that, this could be terrible. We would never be able to detect the traffic. I don't know if anything like this actually exists. If anyone does, I'd love to hear about it. I don't know how much research has been done either. I looked around and didn't see much. So I'm hoping to shine a light on it here. There's a lot more work to be done in this space than I'm presenting today, and it's really just ripe for the picking, in my opinion. And what's great, well, what's terrible about it, is there's a big potential for devastating impact on networks and computers as we see them today. The technology for this, Tor, is free to download. Anybody can get it. Anybody can implement it however they want. It's very easy. I'm sure we've all used it at one point or another and know how easy it is to use Tor. It's really minimal effort, and you get great anonymity with it, as great as Tor is. And I know there are a lot of people who use Tor for all sorts of purposes every day, and I've never heard of anyone actually having a problem with that unless they did something wrong themselves. And we're going to talk a bit about some safeguards that can be taken to detect this activity. These have varying levels of complexity depending on the techniques you use, the approach you take, and how you actually implement it all from end to end.

So let's get on with some fun stuff here. Thank you, Spider-Man. So, I don't know, does anybody here actually have a botnet? Anybody? Yes. Thank you over there. If there are any feds, let's go over that way. So I'm sure we all have, though, for real, but it sucks when your botnet gets taken down, right? Isn't that the worst thing that can happen? Really? You spend so much, and it really comes down to time and money, that you put into it to get it together and actually make it real and be able to make some money off of it.
As far as spending time on it, you have to spend a lot of time planning this. This isn't something you just spin up overnight and say, oh, I'm just going to drop my malware on a bunch of boxes and collect data. You have to spend a lot of time planning it, figuring out who you need to talk to for what services you need, how you're going to implement it all, and how you're not going to get caught. Setting up the servers themselves can take quite a bit of time. If you're buying some hosting from a bulletproof provider somewhere in Eastern Europe, you'll have to talk with them. If you don't speak the language, that's another hurdle you have to get over, and you have to try to figure out how you're going to get the services from them and how you're going to get what you need onto the service they give you. If you're doing another method, say you're compromising boxes after scanning for SSH passwords and brute-forcing them, you're going to have to figure out how you set it up and not get caught that way, too. So that's another method you could take to actually have a server to put your botnet on. Building the bot itself can take a whole lot of time. If you're coding it from scratch, that could take weeks, months, years to do it just right. If you're buying it, well, you're still going to have to figure out how to use it and how to deploy it. That's not the easiest thing in the world, but you'll see one that you can actually just buy in a little bit here. Then there are other things, like crypting it so AVs don't pick it up, so you have a different binary every day and can evade all kinds of detection; binding it; whatever else you want to do with it to make it undetectable; or loading other malware on it, like fake antivirus, to make some good scratch that way. And then spreading. Spreading through BitTorrent is a great way to get your malware out there initially, if you make some cool hack for whatever, for Modern Warfare 2 or whatever, I don't know.
So that's one approach you can take. That takes a while for people to get it, so it's a big time investment there. Or say you want to do a drive-by download attack: you go do some SQL injection against some server, see what sticks and what doesn't; well, it takes time for that to happen, time for it to get queued up in a search engine, and ultimately that's a lot of time you're waiting for it to actually have an impact to the point where you have a botnet of any kind of size that's of interest. If you're doing spear phishing or any kind of spam campaign to spread it, that's more time you're spending. And if you're not spending time, you're spending money. All these things are services you can buy, like buying spam services, buying drive-by download services, just saying, hey, I have some malware here, I'd like to get it distributed to 10,000 hosts. Okay, well, pay me however much money that costs these days and I'll get it out there for you. Next thing you know, some sketchy guy has done it for you, and you have a little botnet of your own. So each one of these things here, it's a lot of money, and you don't want to lose that monetary investment. That's even worse than losing the time investment in a lot of ways, because then that's just a waste of everybody's time. And when you don't have a botnet at all, if it's actually gotten taken down, well, then you just lost all your income. To do spamming, sell spamming services, lease it out to other people who want to do these kinds of activities, well, if you're shut down, then you're not making money, and that's no good at all, although it actually is really good if you're on the defensive side, which is where I actually am.

So how do they get taken down? There are a variety of ways. If you have a BGP de-peering, that seems to be the best way to get taken down. Those are the ones that seem to be the most effective, more or less. Some of the big examples: McColo in 2008 was taken down.
They were really big in spamming. Actually, there was a short period where there was a big decrease in spam after McColo was taken down, while everybody was rushing to find new places to host their spamming. And they were also the host for the main command and control server for the Asprox botnet, which, once that was taken down, never really recovered quite the same. They tried to come back a few times, but not like the good old days of 2008. And then Troyak was a big one this year. These guys were interesting because they kept going down and coming back up, having this cat-and-mouse game between people trying to take them down and new hosting, or upstream providers, that just said, yeah, come on, we'll host your stuff, we don't really know what you have. They were hosting a whole lot of Zeus command and control servers. I think it was something like, I forget the exact number, somewhere in the hundreds, I think, which is a pretty big distribution of Zeus command and control servers. That was interesting to see how that went.

Another way: if you're just using some host you popped or something, or if you're using some free web hosting. I know almost all the HTTP botnets just use a PHP and MySQL interface for their command and control. There's a lot of free web hosting now, like 110mb.com comes to mind, where they actually provide you PHP and MySQL, and a lot of people recommend it, just saying, hop on there, get it set up, get it started, and then if you have something good, make some money and buy some real hosting. So people are actually starting out with that stuff. And every so often the people who are either running the servers that you may have gotten into, or running these free hosting providers, will clean up sometimes, hopefully, and you may just lose your botnet that way if that's the only place you're hosting it. It's good to have redundant sites, like you would with anything. And these guys know that, too.
Having DNS revoked is another great way to take it down. I'm sure we've all read about Microsoft, earlier this year, pretty much neutering the Waledac spam botnet, where they had to get a court order to remove, I think it was 277 domains, that were being used with it. And since it got taken down, I don't know if it's come back or not, but that was a great win for them to really stop that one right in its tracks. That can be kind of hard to do, though, depending on how the registrar wants to work with you. If they're not too friendly, if they're not good to work with, then that might be almost impossible to take down, especially if they're ones focusing on providing services to people doing this kind of stuff. And that also would include things like No-IP and other dynamic DNS hosters. Those guys can be good to work with, too, because they can just go in and remove the entries they have. So as you come across botnets using them, I encourage you to go talk to the people providing the DNS there and get it removed. There's always the case where some jerk, someone, takes it over; that happens. It gets taken down that way; it's valid. And then there are other cases where the IP of your command and control server just gets banned or blocked or something like that. This, I see, would also include things like if your ISP shuts down your cable modem. And you might think to yourself, well, that's awfully stupid, why would you host your botnet on your cable modem at home or your FiOS router or something? And there actually are people that do that. Anybody go to this site, Hack Forums, on any frequent basis? Anybody like this site? I hope not. There's a pile of shit in that place. Absolutely disgusting. They post interesting things once in a while. Earlier this year there was someone on there with the Tweebot, I think it was, the Twitter botnet command and control thing, that made a lot of press; bloggers posted about it.
And it was terrible, and that's really the best thing you get from there. And I love this one page right here that I have an excerpt of. Visit the URL at the bottom for a good laugh, actually. This is instructions on how to set up the Medias Delphi DDoS client, which is pretty much what it sounds like, a DDoS botnet tool that you can just go make your botnet with. And part of the tutorial here says this is going to be based off of a Linksys router; if you don't have a Linksys, go to portforward.com and look for your router. So clearly these are people who are underskilled, but if they actually follow this and no one pays attention, then they can do some good damage. But hopefully they don't catch on to better ways to do that. So these guys are terrible. So this is what I think about people actually hosting off using that site and everything. Ali said my pen isn't a goat. That's not too funny, right?

So we have all these ways I can get taken down. That's no good. What can we do about this? Well, let's see what we can do with Tor. I mentioned hidden services earlier. I'm going to explain them a little bit more here. So what is a hidden service? Well, they've been in Tor since 2004, and what they do is allow a user to run a server anonymously. When you do this through Tor, you get a domain with a .onion TLD, and the domain itself is just a randomly generated hash. There's more to it than that, but it's essentially a hash; hash.onion is what you would see, and that would be the URL for your server. And these are only routable through Tor. So if you try to go to it directly without Tor, obviously it won't resolve. If you go through Tor and use an HTTP proxy or some other way, then it'll actually resolve and you'll be able to reach the server just fine. Now what's nice about a hidden service? It works on any network where you can run Tor.
So if you have a box that's NATted behind something, behind a firewall somewhere where it just can't be accessed from the internet directly, you can spin this up and actually get right through it, because it goes directly through Tor. This means there's no need to expose anything to the network. If you have a web server on a box, you don't need to open any ports or anything, or even have it on the local network; you can block it off completely. Two catches with this. A lot of the web command and control panels are kind of poorly written. A lot of them are just PHP applications, and we all know there are not many problems with PHP. So there was a bit of research done a couple months ago; I actually don't have notes on who did it. But it was about how they actually found several vulnerabilities in many of the web control panels, for, I think, the web exploitation toolkits. I don't know if Eleonore was one of them, things of that nature. If you're hosting something like that on a hidden service here, be careful, because you may expose your IP inadvertently, or if somebody can drop, like, a C99 shell on there, then you're really screwed. One thing I like to do when I'm doing things with hidden services is make sure my host box itself is behind a Tor transparent proxy, so if somebody does do something where they try to expose my IP, hopefully they're just going to get some Tor exit node somewhere. But that's a whole other thing.

So hidden services: I'm not going to do them justice with how I could explain them. The Tor guys have excellent, excellent documentation on hidden services. So I really encourage you to go to the Tor Project website. The URL is up there, but it's really easy to find if you search for it; check it out. They have great documentation both on how it actually works in implementation and how to configure it. I'll give my two- or three-line explanation of it, which probably isn't true.
Essentially, when you start a hidden service, it advertises to the Tor network and uses a public key in order to communicate with relays. The first relay it communicates with will be the introduction point to the network. Essentially what that means is, if somebody wants to get to your box, they have to get to it ultimately to get to your hidden service. If anybody connects to the Tor network, they're going to go through and say, hey, I'm looking for this .onion domain here, and ultimately someone will say where to go. That's a really poor explanation, but hopefully that gives you an idea of how this all kind of works. Not really kind of.

Just to show you how simple this is to set up, I have a couple lines from the torrc sample they provide that show you all it takes to set up a hidden service. There are two parts. There's the hidden service directory, which is important because that's where it gives you the actual hostname for your new hidden service server and the private key, so people know to communicate with it, be able to trust it, and be able to use it ultimately. The other line is the hidden service port. This is very simple. It's just like creating a firewall rule for many different firewalls out there. You provide it the port you want to run on; in this case they're using 80, so I can pretty much assume it's a web server, and the web server itself on the system is running on localhost port 5222. Once you just put those in your torrc file, restart Tor, and then everything will work just fine. There's one paper I want to mention called Locating Hidden Services by, I'm going to butcher their names, Øverlier and Syverson. I'm sorry, I butchered them. I really recommend checking out this paper. It's a very good paper that they did a few years ago regarding introducing malicious Tor nodes into the network to try to actually expose the hidden services, or the servers running hidden services, directly.
It's a pretty long paper. I would actually encourage you to check it out if you plan on using hidden services, just to be aware of the risks that actually could come into play. It's a few years old now, so I'm not sure if it's all 100% accurate, but I think it's still worth a look, because it's probably not far from where we are today. If anyone knows anything further on that and wants to correct me, please do, because I haven't looked at that too much at all.

I'm going to change gears here for a little bit. So I love this image, because it pretty much sums up how I feel about when you combine Tor and Zeus. If you can't see it too well, that's a skyscraper-sized Chuck Norris fighting an equally huge Mr. T, with the caption "God never intended for these two to meet." So just to give you a little background, in case you're not familiar with Zeus, or Zbot, or Wsnpoem, or whatever your AV company decides to call it: it truly is the number one crimeware toolkit in use today. Actually, I'm going to go to my next slide early. Danchev made this great tweet the other day, or last month actually, saying that there's a monoculture in the cybercrime ecosystem thanks to Zeus, and he's very much right. Everything you see is Zeus, and if it's not Zeus it's probably just Koobface or one of the other big ones, and then a whole bunch of random stuff. If you look at the volume of Zeus out there, it's just absolutely ridiculous, and the important part about it is it isn't a single botnet in itself; it's a toolkit that's used by many people, whether they purchase it directly from the Zeus authors, or whether they've found a leaked or stolen version that they're using, which is very popular, with everybody setting up their own servers themselves, their own command and control servers, making their own bots on their own, and distributing them however they see fit. Oftentimes when I read about, oh, it's a new Zeus campaign, there's a whole new group doing it.
It's really hard to attribute who's doing what with the different Zeus campaigns going on out there, because there are so many of them. But I would say that outside of the few big ones we've heard of, like the Kneber botnet earlier this year, which is just one organization's Zeus campaign, and some of the other big ones whose names I don't really recall right now, there are probably a lot more people doing it than it sounds like. So I would really, really pay attention to that when you're reading the news, and be aware that there's more than just one net out there called Zeus. But what it is, is it's primarily focused on stealing banking info. It can steal anything you want; whenever I demo it I have it stealing a sock puppet Hotmail account, which works just fine. You can configure it to steal from any website, but pretty much everybody who uses it is trying to steal banking information. And it's really easy to configure. Anybody who is familiar with HTML can really customize it to do whatever they want. They have these things like a web inject. What it does is it intercepts the HTML being read, so you can say, oh, well, I see the Bank of America username and password, throw in a field for the debit card number and the CVV so I can get that too. So when they log in, it really just takes that data. It looks seamless on the page and reports back to the user. They do a lot of updates to make sure the stuff keeps working and works well, and it really does; a lot of data is stolen through Zeus every day.

So, to get back to more of how we're going to be using this, here's a sample configuration file from Zeus version 1.2.4.2. It's a little older now, but it's still pretty relevant. There are four lines here that are of interest to us. They're the URL lines: config, compip, loader, and server. This is how you normally set it up for a normal Zeus configuration with the default parameters. I'm using the domain badguywallmart.com, because that's where everybody goes to buy their malware and their toolkits, and then
we have a couple of things in there. The config.bin is the configuration file where the bot will go update itself and get more information for what it's supposed to do, and gate.php is the actual command and control page where bots will check in and let the command and control server know: I'm alive, here I am, here's my information, here's some data, stuff like that.

So, to get back to where we're supposed to be with this: Zeus on its own doesn't support proxies. We can't just say, oh, just go to the .onion domain in our hidden service. That doesn't work at all. Zeus only allows for regular URLs; pretty much anything you can hit normally with your web browser is what it's looking for. It doesn't have any kind of proxy support, not Windows proxy or anything. So we need a little intermediary solution here, and there is one that is free and works pretty well. It's called tor2web, at tor2web.com. What this is: it's not affiliated with the Tor Project at all; it's a third-party tool put up by some individuals whose names I've neglected to include on the slide. They're at the bottom of the web page if you want to check it out. And what it is, is a web page that will redirect requests made to tor2web.com with the right .onion hash, and they'll send it along through Tor themselves and return you the results, just like any other proxy. It also provides scripts so you can set one up on your own. So if you say, well, I like tor2web but I don't trust them, I'm going to stand up my own and do all this myself, it's pretty easy to do. It's just a couple of configuration options: Privoxy, Squid, Tor obviously, and one script they provide, and that's about it. So what we're going to be doing, using this, is we're going to be doing the command and control over tor2web. What we want to do, in the Zeus configuration we just saw a couple slides ago, is configure the bot to connect to that URL there. What you'll see is the first part of it is the hash from the .onion
domain, then tor2web.com. So, if that's the right hash, that would be your command and control server. What will happen is the bot will connect to tor2web, because it just sees it as a regular URL, and then be directed through them to the hidden service at the .onion domain, which is our command and control server. Very simple and very effective. So, as I mentioned, here's the main script they have, and all it really does is tell Squid, hey, where it says tor2web.com, make that .onion and go through Tor, and then when it gets the results it returns them right back to you. Really simple; the configuration for it is really hardly more than this script alone. So, very nice.

So I'm going to attempt a live demo of how this works. I've been fighting with this all day today, so I'm not too confident that it will actually work, so pretend it does if it fails. I just want to tell you about the setup I'll be using. I think that's the right version, which is from about mid-2009, give or take. It's an older version now, but it's one that's been leaked and it's easy to find on the internet, so you can just go and find a copy and make your own botnet. That's nice and convenient. For the command and control server I'm just using a regular Ubuntu server setup with the LAMP package installed. I'll be running a hidden service on port 80, nothing too special, just like any other web server. For the host I'll be building and executing on, I'll be using Windows XP SP2. I'll just go through the configuration files on there, and if this all happens we'll log into the control panel and see a bot that has gone through Tor, through tor2web, to get there. So I expect this to fail, but we'll see. So here's that; I have to get on the network first. This is where I've been having problems all day, as I've been disconnected from the network. I've been having big problems getting everything to work right, so bear with me for a moment here. This is really exciting. If I don't connect in a fairly short
time, we'll just pretend it all worked, and in the meantime I'll show you the configuration file. So this is the configuration file we'll hopefully be using. Is that okay? That's probably a bit big. All right, so here we have the same thing we saw before, with the config and server, but what we have here is simply just putting in the tor2web URL. Nothing too fancy, nothing that exciting, but it's effective. And am I connecting at all? So what I've done earlier is I've actually built the right version. This is the Zeus builder for version 1.2.4.2; it was off by one. The current versions look very similar to this, if you hadn't seen it before. This is what they're paying for, brand-wise; this is in the web control panel. It's a nice thing, too, where if you actually have Zeus installed on the system, which they consider spyware, you can click a button and remove it right from the system. But I'm clean, fortunately. And this is the builder. Very easy: you just click Build Config, and that builds the config file, which we saw in the configuration file. Just load that up onto the Zeus command and control server. I've done that ahead of time, but it needs that to know where to go download. It doesn't even have to be on the same site that you're actually hosting the control panel on; it just has to be available somewhere for it to download, on another box somewhere. Put your config file there, and as long as you have the right URLs, it will know where to go to pick it up. And then when you build the loader, this actually builds the bot executable itself. Oh, I'm on the network. Let's see if we can do this. So, as you see here, it's probably really hard to read, but we have the URL config and the URL compip, where we have the tor2web URLs we saw before, so it knows where it's going to work. So I'm going to execute the bot now. You can confirm where the builder says, oh, we have version 1.2.4.2 installed. Fancy that. We'll go into Firefox and see if we can get to the control panel. If we do, then there's probably a good
chance this worked; if we don't, then it didn't. So we'll give this a moment. It is ultimately going through Tor, so it isn't the fastest in the world. Tor has gotten a lot better recently, if you haven't used it much, but you're still getting a performance overhead. Really, the way I look at it is there's a price to pay for actual anonymity, and it's definitely worthwhile. This will probably work best if you're using a smaller botnet, maybe a couple hundred hosts, but if you have a much larger one, then this probably won't work out for you, where you have a single host hosting all your bots. So we'll give that a moment and see if that works. Probably not, actually. We'll just come back to that later; we'll move on. I'm sure that will fail when we go back to it, but let's assume it did work for now.

So there are strengths and weaknesses to this approach. The strengths are, like I said, how hidden is the command and control server? The only way you're going to find that out is if you can actually use some sort of attack, like the one presented in that paper I referenced earlier, or have some way to get into the server itself and make it expose its IP, which is going to be pretty hard to do. I think it'll be really hard to track down as a result; you won't know where you're looking for it. So, with this being the case, hopefully the command and control server is virtually immune to being taken down. I'm sure you've all thought about this ahead of time: it's really easy to filter this traffic. If you have any kind of HTTP filter, or even just block the IPs that are hosting it, you're not going to be able to use this method. This is going to be really easy to take out. And also trust: like I mentioned, you don't know what they're logging, if they're logging anything. I would hope they're not, by the way they're presenting their service, but you don't know that. You probably don't want someone knowing where all of the bots in your botnet are coming from really easily. And running your own tor2web proxy is definitely a better
option. It's not really hard to do, but you need to have some place to run it. If I had some bulletproof hosting somewhere and I wanted to do this, that's probably where I'd consider running it, and probably not anywhere else, because I'd still have to give it a domain, or at least have an IP to point at, and that's still a single point of failure. It could be taken down, and then you're back to square one. But you would have seen, if this worked, the Zeus control panel saying we have one bot. Just pretend that's the case. I apologize for that; it works much better when I'm on a more stable network. But with this technique, I want to rate this as: I'm happy with it. I think it's a good solution, especially if you're using a toolkit where you can't really control what's going on. But I'm not going to let you know I'm happy; it's okay, it's not a great solution. You can do much better than that if you try something else.

Playing around with this, the next thing that popped into my head was, well, what if I use the Windows proxy settings? That'll be pretty easy. I can just load Tor onto the system, and Polipo or whatever you want to use, Privoxy, and pretty much drop it on like you would any other piece of malware, along with my fake antivirus. I'll just drop Tor on there and run it however I need it to be run, and then just set the Windows configuration to use a proxy. We have the registry keys right there, and then we have the port, and there you go. The problem with this is that it's going to be very obvious to the user. The first time they go to Google, they're probably going to end up at the Czech Google or the German Google, and they're going to be like, I don't understand this language. That's not good. They call up their ISP, something's wrong, that would be terrible; you'll be found in no time. So this idea I just tabled really quick. Do not want at all. So what's the best solution here? The best solution is to actually do some work. I don't know any bots today, or any malware in general, that actually supports using
proxies if you know of any I'd love to know at any toolkits especially because it'd be great to use an example for this but we need to have some way to resolve the .onion domains so they can connect directly to the hidden service so a few ways you can resolve the .onion domains actually we would have to load Tor like we saw in the previous example and yeah you could load per voxy or pull it if you wanted to there's a functionality called map address which is a I don't know if it's still a considerable experimental option in Tor but it wasn't all the documentation I saw where you can put into your the option map address give it a local IP like 10.0.0.10 and the onion URL you want it to go to and then you can just reference that local IP and go to it directly so you don't need to have any kind of middleman to actually resolve the .onion domains for you so you'll probably want to be accessing a limited amount of .onion domains as it is anyways so what we'll have to do in order to make our bots do this is add in at least Sox 5 support or I guess you could use Sox 4a if you really wanted to and that'll be a bit of work it's not trivial but it's not too hard to add in so the bot authors will have to step up their game a bit and actually provide this kind of support into their bots and that's what I like about this the traffic is going directly from the host to the destination and tour there's no middleman like we saw with Torta Web there's nothing you have to worry about there it's going to go straight from your browser to the tour proxy to the rendezvous point to the hidden service and right to the web server itself you're not using exit nodes you're not involving anything else where your data could be sniffed so it's going to be very hard for IDS to pick this up and this works for more than just HTTP where Torta Web was really just for this will work for IRC, this will work for pretty much any protocol you can think of if you want to roll your own custom command 
control protocol this will work just fine and I think this would be very hard to stop I was trying to cope with what the options for this would be and I really only came up with two won't it be just to block tour traffic like we see some countries trying to do and I don't think that will actually work too well with this I just don't see there'll be a lot of rules being in place a lot of people trying to block tour I just don't see people wanting to do that this would be considering tour to be a virus I actually ran the tour binary through a virus tour we'll see if anybody was doing this about a month ago and no one was so that's good because it isn't a virus but I wouldn't be shocked if a result of that if some people aren't now I haven't checked since then but I just want to see either one of those happening on a large scale to have any kind of impacts where a bot that would still be reachable or possibly able to check in with their command and control server now I do see some weaknesses with this too it's going to require code to be added to bots so say take Zeus for example they're not just going to be able to plug it in right away they're going to have to probably build in as a new feature request for a new version and do it that way so and this isn't really accessible to people who are buying it today either if you're just buying the kit you have no idea how to code most likely or if you do it's not in C or whatever language Zeus has actually coded in and like I said earlier we're going to have to load tour on the system and run it where that's not hard to do it's still another step that will have to be taken in order for it to actually work so it's another thing to have to worry about if you're not loading the malware on yourself if you're paying someone to do it well you're going to have to bundle things up nicely and see if they will do it for you properly and then probably the biggest weakness with this would be if you're looking for any kind of anomalies 
in your network or looking for traffic changes because while you won't be able to see the actual command and control traffic itself you're probably going to notice some bandwidth utilization increases on servers that are actually doing it and whatnot so that's probably a that would probably be the best way to pick it up I don't know how many people are actually doing this today I know a lot of large corporations are and a lot of them are so it's probably a hit or miss way to check it out and some of the changes if you're doing let's just say using a hidden service for a spearfishing campaign and you're using a service and size of network that you don't actually have access to it might be such a little volume you would never really get picked up so that could be a problem so for this solution I give this my favorite image where it's just complete overjoyed Pokemon hugging crying they're so happy so I would say if you try to take this approach you'll have a very low risk of being taken down probably close to none unless people are just extremely attentive to their own networks so that's how much I love it that's us hugging in happiness so one thing I didn't want to get into too much here but it still is worth mentioning our private tour networks setting up a private tour network is pretty neat it's a bit of an involved process right now you have your own directory authority and a whole lot of other stuff but it's great if you're really paranoid and want to stay off the public tour network if you're afraid someone somewhere might figure out what you're doing the nice thing about this too is it can actually be significantly faster than the public tour network as well you can track the hosts you're infecting looking for how their bandwidth is you can just do simple checks maybe some of those speed tests you can find out how good a connection is that can be one of my relays and keep your network nice and performing really well as a result of that and also blocking a 
private network will be significantly harder there's no list of exit nodes that will be polished there's nothing that people will know unless they actually go and investigate the network themselves so it'll be significantly harder to take down I don't see how a smaller network like this unless somebody went after it directly and really paid a lot of attention to what you're doing to actually be able to take it down and talk about some other features that hidden services give us that actually makes this a really nice way to manage your command and control server so as we mentioned much earlier tour uses public keys to communicate so let it know where to let the tour network know how to get to the server when it does that it creates a private key on the server as well as the hostname for the .onion domain and puts that on the system that the hidden service is running on so what's nice about this is these are just files on the system you can copy these and move these wherever you want and make it so if the server actually goes down for some reason you can re-attribute it to another and another nice thing too is you can generate a lot of these keys up front if you're on a script and just say hey, keep clearing out that directory and keep restarting tour it'll just keep creating new keys for you until you have as many as you like so would this be the case so like we saw earlier in the tour to web example that should have worked we had the one hash that was the hidden service .onion domain itself so what we could do with this is easily move this from one server to another we could just copy the files, move it from the hidden service directory on one server to another restart tour and now we have the bots don't know any difference but they're still communicating with a new server so that's pretty nice this allows us to keep our bot up and running much, much longer than we would otherwise and while there's a chance that if we move it and if we move it frequently we might 
lose some data that was captured that we never actually recovered from one host that we moved from and that's a really small price to pay in order to keep the bots phoning home and actually communicating with you and another nice thing too would be to issue multiple onion domains for your command and control or presumably set up multiple command and control servers in order for tour to connect back to it and not have to worry if one gets taken down and isn't able to reach that day but this also could be a nice misdirection technique where you could give the appearance that the botnet is significantly larger than it is especially if you swap domains in and out we saw something like this with the ASprox botnet like I mentioned earlier where every few days or so they would swap in a new domain for their command and control and age older ones out because the older ones if they weren't taken down by the registrar themselves sometimes they were taken over sometimes they just didn't work functional anymore I don't know if the people running the botnet actually took them down themselves or not really quickly and the older ones were pretty worthless after a couple weeks so we could do a similar thing here where we can leave people long saying here's our command and control and then every few days put in a new den on your domain and inform the bots here's where you're connecting now and since we can generate as many as we want we don't have any limitations like doing with registrars or anything, we can just generate tons and tons of these, roll them all out maybe only use a couple but then people have to watch them all and be aware of what's going on similar to how we saw our configure work and only a couple of them will be registered maybe not even every day and be used to communicate so we can do it in a nice similar scenario like that with this here pretty much for free so we talked about having your bots running toward themselves in the best case scenario so if we have 
to our on there we could do a lot more interesting stuff like running hidden services locally if you were familiar with Zeus's back connect model this allows people to connect back to an effective Zeus host over IP, remote desktop, VNC you can even run a web server if you wanted to and have it behind a hidden service on the infected box what's nice with this is you can have it do a whole lot of things with the Zeus back connect model they use that to connect to a host that's been infected in order to make use of certificates in the browser for online banking so what they do is they'll have people log into a remote desktop on a host and say okay well I know I can log into your bank account if I have you using my password then it really doesn't matter your bank is going to accept me as it is so and also another nice thing you can do is actually use this to distribute updates for your botnet if every host you have infected is a web server and hidden behind a hidden service you can just say okay well here's the news of the hidden services to have the updates we're going to have you connect out to these guys get your update and with that update we'll have more hosts that are doing it providing updates for tomorrow or the next update whenever that may be so it's a nice way you could actually model your botnet around Tor itself and use the hidden services to your advantage and ultimately like I mentioned earlier NAT is of no concern here if you have a host infected behind a browser or a firewall or whatever if it's talking on Tor it doesn't matter it can do this so a few other thoughts since we're all running Tor how would it be to turn them all into relays? 
this is just something to pose out there to see what people think there's an increased bandwidth in Tor overall especially if you have a pretty sizable botnet I don't know if it'd be worth it or not but it could be pretty interesting to see and this could have really positive effects for your botnet if you can actually increase the speed of Tor in any significant way that'd be an awfully large botnet but that could be a neat project to do if you actually have that kind of resource available and on the other side how about turning them all into exit nodes I thought about this for quite a while to say okay this actually makes sense it could be cool if you have a majority of Tor exit nodes and actually be able to control traffic or sniff the traffic going through so a few years ago with the people finding embassy emails and other documents by sniffing Tor exit nodes which is of course a bad thing to do I wouldn't encourage it but it's probably not a good idea as in tasting as that may be for what you may learn you'll be exposing the identities of your bots so I would really recommend against that you don't want them popping up on the Tor exit node list and having a lot of attention being drawn to you as a result especially if they all start to go up with a pan that really takes off one day your botnet increases by a couple thousand hosts and this happens to be a couple thousand exit nodes that stand up that day it'd be pretty obvious I don't think that's a very good idea so get to the conclusion here as we almost saw with the live demo it's pretty trivial to get existing HTTP bots working with Tor there's a risk to it but if you're really desperate and you really want to keep the host of command and control server hidden it's a pretty easy one to set up too if you're able to get Tor up and running on your server and it's possible to get a lot more protection easily if you actually have the source to the bots by adding in sock support so it's just really a nice 
alternative to have this of course isn't really something everybody's going to do but if you can do it it would be really nice to have so you can protect yourselves keeping a command and control server up is easier if you do this hopefully having it anonymous would mean you're less of a target or if you are a target you're less of a chance of finding and taking you down and actually controlling bots with a hidden service like we talked about with the back connect stuff would be pretty beneficial this would be something that I think a lot of bot authors out there would be interested in providing for really no additional cost so and on the other side defense is this I hope that you can see that they do exist it might involve looking at your network and looking at your data more than before or a little differently than before and it's probably not going to be easy to find this stuff finding the Tor to Web stuff will be easy but finding you probably won't be so I would actually advise you to check things out keep your eye open for this stuff and if you actually find anything let's talk about it let's see what happens and try to find out how people are actually doing this stuff so that's all I have here I'll be happy Q&A I don't have much time left here I'll be in the room across the hall definitely and if you want to contact me otherwise there's my contact info and that's all I've got
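The talk's defensive takeaway is that hidden-service C2 traffic is opaque but shows up as a bandwidth change on the hosts running it, and that low-volume cases may never cross a threshold. The following is an added example, not code from the talk or from any tool it mentions: a per-host baseline check over daily outbound byte totals using a robust median/MAD threshold plus an absolute minimum delta, so a proportionally large jump on a tiny-volume host is visibly left unflagged. Host names and byte counts are constructed.

```python
"""Flag hosts whose daily outbound bytes jump relative to their own history."""
from statistics import median

# Constructed sample: host -> daily outbound byte totals, oldest first.
# srv-web-01 roughly doubles on the last two days (the kind of change the
# talk says you would notice); wks-045 jumps ~50% but from a tiny base.
SAMPLE_EGRESS = {
    "srv-web-01": [4_100_000_000, 3_900_000_000, 4_300_000_000, 4_000_000_000,
                   4_200_000_000, 4_100_000_000, 4_000_000_000,
                   9_800_000_000, 10_200_000_000],
    "srv-db-02":  [1_200_000_000, 1_100_000_000, 1_300_000_000, 1_200_000_000,
                   1_200_000_000, 1_100_000_000, 1_300_000_000,
                   1_200_000_000, 1_200_000_000],
    "wks-045":    [200_000_000, 220_000_000, 190_000_000, 210_000_000,
                   200_000_000, 210_000_000, 200_000_000,
                   300_000_000, 320_000_000],
}


def baseline(history, window):
    """Median and MAD of everything before the last `window` days."""
    base = history[:-window]
    med = median(base)
    mad = median(abs(x - med) for x in base)
    # A perfectly flat history has MAD 0; fall back to 5% of the median.
    return med, (mad or 0.05 * med)


def flag_hosts(egress, window=2, k=5.0, min_abs_delta=500_000_000):
    """Return {host: ratio_of_recent_to_baseline} for hosts whose last
    `window` days each exceed baseline by more than k MADs AND by more than
    min_abs_delta bytes. The absolute floor is what keeps wks-045 quiet:
    a 50% jump on 200 MB/day is still only 100 MB, below the floor."""
    flagged = {}
    for host, history in egress.items():
        if len(history) <= window + 2:
            continue  # not enough history to form a baseline
        med, mad = baseline(history, window)
        if med == 0:
            continue
        recent = history[-window:]
        if all(d - med > k * mad and d - med > min_abs_delta for d in recent):
            flagged[host] = round(median(recent) / med, 2)
    return flagged


if __name__ == "__main__":
    for host, ratio in flag_hosts(SAMPLE_EGRESS).items():
        print(f"{host}: outbound volume {ratio}x its baseline")
```

Lowering `min_abs_delta` to 0 makes wks-045 appear as well, which is the trade-off the talk points at: the floor suppresses noise on small hosts at the cost of missing low-volume activity.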