Tor botnets are not a new concept; they have been discussed publicly since DEF CON 18. Over the last year, however, we have been able to confirm that these ideas are being used in real botnets. Tor's hidden service protocol lets an operator run a service, typically a web server, that is reachable only from inside the Tor network, under a hostname that looks random (it is derived from the service's public key) and ends in the .onion pseudo-TLD, which does not exist in the public DNS. Neither the clients nor an outside observer learn the server's real IP address.
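As an added example (not code from the article or from ESET), the following Python script shows what a .onion name actually is and how a defender can pick such names out of DNS or proxy logs. It goes beyond the 2013-era 16-character (v2) names the botnets above used: it also validates the current 56-character v3 format, whose last bytes carry a version byte and a SHA3-256 checksum over the embedded ed25519 public key, so a malformed or tampered v3 name can be rejected. The log lines are constructed for the example, and the helper names are the author's own.

```python
import base64
import hashlib
import re

ONION_SUFFIX = '.onion'


def classify_onion(hostname: str):
    """Return 'v2' (16 base32 chars, no checksum), 'v3' (56 base32 chars,
    checksum verified) or None if the name is not a well-formed onion address."""
    label = hostname.lower()
    if label.endswith(ONION_SUFFIX):
        label = label[:-len(ONION_SUFFIX)]
    if re.fullmatch(r'[a-z2-7]{16}', label):
        return 'v2'                       # v2: truncated SHA-1 of the RSA key, unverifiable offline
    if not re.fullmatch(r'[a-z2-7]{56}', label):
        return None
    raw = base64.b32decode(label.upper())  # 56 base32 chars -> exactly 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != b'\x03':
        return None
    # v3 checksum per Tor's rend-spec-v3: first 2 bytes of SHA3-256(".onion checksum" || pubkey || version)
    expected = hashlib.sha3_256(b'.onion checksum' + pubkey + version).digest()[:2]
    return 'v3' if expected == checksum else None


def make_v3_onion(pubkey: bytes) -> str:
    """Build the v3 address for a 32-byte ed25519 public key (the real encoding,
    used here to construct test data rather than to contact anything)."""
    assert len(pubkey) == 32
    version = b'\x03'
    checksum = hashlib.sha3_256(b'.onion checksum' + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode('ascii').lower() + ONION_SUFFIX


def v3_with_bad_checksum(pubkey: bytes) -> str:
    """Same encoding, but with every checksum bit flipped: guaranteed to fail validation."""
    version = b'\x03'
    good = hashlib.sha3_256(b'.onion checksum' + pubkey + version).digest()[:2]
    bad = bytes(b ^ 0xFF for b in good)
    return base64.b32encode(pubkey + bad + version).decode('ascii').lower() + ONION_SUFFIX


# Constructed sample log (hypothetical hosts and times). A .onion name showing up
# in a plain DNS or proxy log means some process tried to resolve it outside Tor.
SAMPLE_LOG = f"""\
2013-11-12T10:14:02Z dns query A www.example.com from 10.0.0.7
2013-11-12T10:14:05Z dns query A abcdefghijklmnop.onion from 10.0.0.7
2013-11-12T10:14:09Z proxy CONNECT {make_v3_onion(bytes(range(32)))}:443 from 10.0.0.9
2013-11-12T10:14:10Z proxy CONNECT {v3_with_bad_checksum(bytes(range(32)))}:443 from 10.0.0.9
2013-11-12T10:14:12Z dns query A tooshort.onion from 10.0.0.12
"""


def find_onion_lookups(log_text: str):
    """Return (line_no, hostname, kind) for every .onion name in the log,
    where kind is 'v2', 'v3' or 'malformed'."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        for match in re.finditer(r'\b[a-z0-9-]+\.onion\b', line, re.IGNORECASE):
            host = match.group(0)
            hits.append((line_no, host, classify_onion(host) or 'malformed'))
    return hits


if __name__ == '__main__':
    for line_no, host, kind in find_onion_lookups(SAMPLE_LOG):
        print(f'line {line_no}: {host} [{kind}]')
```

A v2 name carries no checksum, so the most a scanner can say about it is that it is well-formed; a v3 name that fails its checksum was either mistyped or corrupted and is worth a second look before it is added to a blocklist.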

Two such botnets have appeared, known as Atrax and Agent.PTA; both use web servers hidden in the Tor network, rather than IRC, for command and control.

Tor Botnets Atrax and Agent.PTA

Atrax can download and run files and inject malicious code into browser processes. Its functionality can be extended with plug-ins, which are stored locally encrypted with an AES key derived from hardware parameters of the infected computer, so a plug-in copied off one machine cannot be decrypted elsewhere without those parameters. Atrax also ships a Tor client component that injects itself into the local browser and routes the malware's command-and-control traffic over the Tor network.

ESET researchers were able to trick the Atrax command-and-control server into sending two additional plug-ins to an infected test system: one a form grabber that steals data entered into web forms, the other a password stealer.

Agent.PTA belongs to a malware family known since 2012, according to ESET researchers; the Tor functionality is a newly added capability. The Trojan itself is simple: it intercepts data entered into web forms and can download additional functionality. On receiving a special command from the C&C it can also turn the infected host into a SOCKS5 proxy.

Botnets of this kind have grown over time mostly because a hidden service makes it very difficult to investigate and track down the location of the C&C: the bots only ever connect to a .onion name, and the server's real IP address is never exposed. The design is not invisible, though. The bot still has to bootstrap a Tor client, and Tor connections from hosts or processes that have no business running Tor remain a detection opportunity on the network.
