Silk Road forums

Discussion => Security => Topic started by: Bazille on September 05, 2013, 01:00 pm

Title: Malware botnet confirmed: Why Silk Road is down
Post by: Bazille on September 05, 2013, 01:00 pm
Quote
In recent days, we have indeed found evidence which suggests that a specific and rather unknown botnet is responsible for the majority of the sudden uptick in Tor users.
Quote
It does however originate from a Russian-speaking region, and is likely motivated by direct or indirect financially related crime.

http://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-overload/

Recently, Roger Dingledine described a sudden increase in Tor users on the Tor Talk mailing list. To date there has been a large amount of speculation as to why this may have happened. A large number of articles seem to suggest this to be the result of the recent global espionage events, the evasion of the Pirate Bay blockades using the PirateBrowser or the Syrian civil war.

At the time of writing, the number of Tor clients actually appears to have more than quintupled already. The graph shows no signs of a decline in growth, as seen below:

An alternative recurring explanation is the increased usage of botnets using Tor, based on the assertion that the increase appears to consist of mostly new users to Tor that apparently are not doing much given the limited impact on Tor exit performance. In recent days, we have indeed found evidence which suggests that a specific and rather unknown botnet is responsible for the majority of the sudden uptick in Tor users. A recent detection name that has been used in relation to this botnet is “Mevade.A”, but older references suggest the name “Sefnit”, which dates back to at least 2009 and also included Tor connectivity. We have found various references that the malware is internally known as SBC to its operators.

Previously, the botnet communicated mainly using HTTP as well as alternative communication methods. More recently, and coinciding with the uptick in Tor users, the botnet switched to Tor as its method of communication for its command and control channel. The botnet appears to be massive in size as well as very widespread. Even prior to the switch to Tor, it consisted of tens of thousands of confirmed infections within a limited number of networks. When these numbers are extrapolated on a per-country and global scale, they are definitely in the same ballpark as the Tor user increase.

Thus one important thing to note is that this was an already existing botnet of massive scale, even prior to the conversion to using Tor and .onion as command and control channel.

As pointed out in the Tor weekly news, the version of Tor that is used by the new Tor clients must be 0.2.3.x, due to the fact that they do not use the new Tor handshake method. Based on the code we can confirm that the version of Tor that is used is 0.2.3.25.

The malware uses command and control connectivity via Tor .onion links using HTTP. While some bots continue to operate using the standard HTTP connectivity, some versions of the malware use a peer-to-peer network to communicate (KAD based).

Typically, it is fairly clear what the purpose of malware is, such as banking, clickfraud, ransomware or fake anti-virus malware. In this case however it is a bit more difficult. It is possible that the purpose of this malware network is to load additional malware onto the system and that the infected systems are for sale. We have, however, no compelling evidence that this is true, so this assumption is merely based on a combination of small hints. It does however originate from a Russian-speaking region, and is likely motivated by direct or indirect financially related crime.

This specific version of the malware, which includes the Tor functionality, will install itself in:

%SYSTEM%\config\systemprofile\Local Settings\Application Data\Windows Internet Name System\wins.exe

Additionally, it will install a Tor component in:

%PROGRAMFILES%\Tor\Tor.exe

A live copy for researchers of the malware can be found at:

hxxp://olivasonny .no-ip .biz /attachments/tc.c1

This location is regularly updated with new versions.

Related md5 hashes:

2eee286587f76a09f34f345fd4e00113 (August 2013)
c11c83a7d9e7fa0efaf90cebd49fbd0b (September 2013)

Related md5 hashes from non-Tor version:

4841b5508e43d1797f31b6cdb83956a3 (December 2012)
4773a00879134a9365e127e2989f4844 (January 2013)
9fcddc45ae35d5cdc06e8666d249d250 (February 2013)
b939f6ef3bd292996f97aa5786757870 (March 2013)
47c8b85a4c82ed71487deab68de196ba (March 2013)
3e6eb9f8d81161db44b4c4b17763c46a (April 2013)
a0343241bf53576d18e9c1329e6a5e7e (April 2013)

Thank you to our partners for the help in investigating this threat.

ProtACT Team & InTELL Team
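The post above gives two install paths and nine MD5s, which is enough for a host-side check. The script below is an added example (not Fox-IT's tooling and not code from this thread): it expands the two %VAR% paths, hashes whatever is found there and classifies each location. Only the paths and hashes quoted above are taken from the post; the meaning of %SYSTEM% (the Windows system directory, e.g. C:\Windows\System32) and the Windows defaults are assumptions.

```python
"""Host-side IOC check for the Tor-enabled Mevade/Sefnit build described in the Fox-IT post.

Added example; not Fox-IT's tooling and not code from the forum. It uses only the
two install paths and the nine MD5s quoted above. The meaning of %SYSTEM% (the
Windows system directory, e.g. C:\\Windows\\System32) is an assumption.
"""
import hashlib
import os
import re

# MD5s quoted in the Fox-IT post, keyed by hash for direct lookup.
KNOWN_MD5 = {
    "2eee286587f76a09f34f345fd4e00113": "Tor-enabled build, August 2013",
    "c11c83a7d9e7fa0efaf90cebd49fbd0b": "Tor-enabled build, September 2013",
    "4841b5508e43d1797f31b6cdb83956a3": "non-Tor build, December 2012",
    "4773a00879134a9365e127e2989f4844": "non-Tor build, January 2013",
    "9fcddc45ae35d5cdc06e8666d249d250": "non-Tor build, February 2013",
    "b939f6ef3bd292996f97aa5786757870": "non-Tor build, March 2013",
    "47c8b85a4c82ed71487deab68de196ba": "non-Tor build, March 2013",
    "3e6eb9f8d81161db44b4c4b17763c46a": "non-Tor build, April 2013",
    "a0343241bf53576d18e9c1329e6a5e7e": "non-Tor build, April 2013",
}

# Install locations from the post, written with the same %VAR% tokens.
INSTALL_PATHS = [
    r"%SYSTEM%\config\systemprofile\Local Settings\Application Data"
    r"\Windows Internet Name System\wins.exe",
    r"%PROGRAMFILES%\Tor\Tor.exe",
]


def expand_windows_path(template, env):
    """Expand %VAR% tokens using `env` (case-insensitive names); unknown tokens are left intact."""
    upper = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: upper.get(m.group(1).upper(), m.group(0)), template)


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file through MD5 so large binaries do not need to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan(paths, known_md5=KNOWN_MD5):
    """Classify each path as absent, known_bad (hash in the IOC list) or present_unknown.

    Returns (path, status, detail) tuples in input order. For known_bad the detail is
    the IOC label; for present_unknown it is the file's MD5, so the sample can still be
    submitted for analysis: the post says the drop location is regularly updated with
    new versions, so hash misses on a live infection are expected.
    """
    results = []
    for path in paths:
        if not os.path.isfile(path):
            results.append((path, "absent", ""))
            continue
        digest = md5_of_file(path)
        if digest in known_md5:
            results.append((path, "known_bad", known_md5[digest]))
        else:
            results.append((path, "present_unknown", digest))
    return results


def default_env():
    """Resolve the two tokens the post uses from the live environment, with Windows defaults."""
    system_root = os.environ.get("SYSTEMROOT", r"C:\Windows")
    return {
        "SYSTEM": system_root + r"\System32",  # assumption: %SYSTEM% is the system directory
        "PROGRAMFILES": os.environ.get("PROGRAMFILES", r"C:\Program Files"),
    }


if __name__ == "__main__":
    targets = [expand_windows_path(t, default_env()) for t in INSTALL_PATHS]
    for path, status, detail in scan(targets):
        print(f"{status:16} {path}  {detail}")
```

Read the two locations differently: a tor.exe under %PROGRAMFILES%\Tor with an unknown hash may be a Tor the user installed on purpose, whereas nothing legitimate lives under "Windows Internet Name System" in the system profile, so a present_unknown wins.exe there is worth treating as an infection even though no hash matched.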
Title: Re: Malware botnet confirmed: Why Silk Road is down
Post by: eddiethegun on September 05, 2013, 04:24 pm
Those sneaky fucking Russians...
Title: Re: Malware botnet confirmed: Why Silk Road is down
Post by: Bazille on September 05, 2013, 04:40 pm
Btw, when using Tor version 0.2.4, your connection will get a higher priority than the botnet connections (v0.2.3), if the relay uses the latest version of Tor.

https://blog.torproject.org/blog/how-to-handle-millions-new-tor-clients
Title: Re: Malware botnet confirmed: Why Silk Road is down
Post by: farmer1 on September 05, 2013, 06:27 pm
Too bad the bots aren't running as relays.
Title: Re: Malware botnet confirmed: Why Silk Road is down
Post by: Shaggy Shaman on September 06, 2013, 02:08 pm
Too bad the bots aren't running as relays.

I know, right!?!

SS
Title: Re: Malware botnet confirmed: Why Silk Road is down
Post by: SpaceAce on September 06, 2013, 04:56 pm
I guess the only time we can login is when they aren't attacking with the bots lol
Title: Re: Malware botnet confirmed: Why Silk Road is down
Post by: Bazille on September 06, 2013, 07:06 pm
Would be nice if the bots were running as relays, but then everyone would get ultra-paranoid. Because that would enable the owner of the botnet to do deanonymization attacks on Tor users.
Title: Re: Malware botnet confirmed: Why Silk Road is down
Post by: ~o~WaterWalker~o~ on September 06, 2013, 10:27 pm
Besides anti-virus software, what is a way of noticing if a computer is part of a botnet? Would digging with Wireshark while no browser was open be a simple way?

Do bots only operate once you start a browser?

Just wondering how out-to-lunch you have to be to not notice your computer is acting as a bot.. or if it is really tough to detect.

Title: Re: Malware botnet confirmed: Why Silk Road is down
Post by: Mitch Kumstien on September 06, 2013, 11:26 pm
Thanks for the info Bazille I reposted it in a thread I had going.
Title: Re: Malware botnet confirmed: Why Silk Road is down
Post by: Bazille on September 07, 2013, 11:09 am
@WaterWalker
In the case of this specific botnet yes, you could use Wireshark and look for connections to the Tor network while you are not running Tor. The Tor circuits of the botnet are kept alive, even while it's not doing anything, so you should find it within 10-60 mins. Though to find out if your computer is infected by this botnet you could also simply look at the location where it stores its .exe file.
Title: Re: Malware botnet confirmed: Why Silk Road is down
Post by: ~o~WaterWalker~o~ on September 08, 2013, 01:11 am
@WaterWalker
In the case of this specific botnet yes, you could use Wireshark and look for connections to the Tor network while you are not running Tor. The Tor circuits of the botnet are kept alive, even while it's not doing anything, so you should find it within 10-60 mins. Though to find out if your computer is infected by this botnet you could also simply look at the location where it stores its .exe file.

thanks - I have a PC rig that I do most of my clearnet stuff on, and I swear that just about any site these days has some kind of malware shit on it.  I even saw my computer get a 'remote assistance' virus called backdoor or something (I forget the name).. it actually turns on remote assistance.. wtf, stay safe people

Title: Re: Malware botnet confirmed: Why Silk Road is down
Post by: dotgoat on September 08, 2013, 01:37 am
Besides anti-virus software, what is a way of noticing if a computer is part of a botnet? Would digging with Wireshark while no browser was open be a simple way?

Do bots only operate once you start a browser?

Just wondering how out-to-lunch you have to be to not notice your computer is acting as a bot.. or if it is really tough to detect.

It depends on the purpose but usually you'll suddenly notice something messed up.  Like browsing around the internet is slow and you keep losing connections to things (means the bot is sending a lot of network traffic), everything loads slowly (it's using up a lot of CPU, like that botnet that is/was doing bitcoin mining).  But it could also be dormant most of the time and just connecting to its C&C server through Tor every so often.

I have noticed with the new version of tor that building the initial circuit to a site is really slow, times out, etc.  But once it does finally connect it's actually quite responsive.
Title: Re: Malware botnet confirmed: Why Silk Road is down
Post by: holamigo on September 08, 2013, 02:35 am
I was told that last week some secretary in an office was complaining that her computer was slow and stuff. Tech guy found tor.exe as a running process. It was installed and running as a Windows service. He did something like sc delete "tor" or "tor service", whatever the service was called, and did a general malware cleanup of course.
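The cleanup holamigo describes starts from `sc`: find the service whose binary is tor.exe, then `sc stop` and `sc delete` it. The script below is an added example for that triage, not the forum's code and not a claim about how this particular botnet registered itself: it parses the text `sc query type= service state= all` and `sc qc <name>` print, flags services whose executable is tor.exe or wins.exe or sits under the "Windows Internet Name System" directory from the Fox-IT post, and emits the `sc` commands an admin would run. The two service blocks are constructed sample output.

```python
"""Find a tor.exe (or the post's wins.exe) registered as a Windows service from `sc` output.

Added example for the cleanup described in the thread; not the forum's code and not a
claim about how this botnet registered itself. It parses the text that
`sc query type= service state= all` and `sc qc <name>` print, flags services whose
binary is tor.exe/wins.exe or lives under the Fox-IT drop directory, and emits the
`sc stop` / `sc delete` lines. The service blocks below are constructed sample output.
"""
import re
from pathlib import PureWindowsPath

SC_FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")
SUSPECT_BASENAMES = {"tor.exe", "wins.exe"}          # from the Fox-IT post
SUSPECT_DIRNAME = "windows internet name system"     # wins.exe drop directory, lower-cased


def service_names(sc_query_text):
    """Service names from `sc query` output (every SERVICE_NAME: line)."""
    return re.findall(r"^\s*SERVICE_NAME:\s*(\S.*?)\s*$", sc_query_text, re.M)


def parse_sc_qc(text):
    """Field -> value dict from `sc qc <name>` output; the [SC] status line is ignored."""
    cfg = {}
    for line in text.splitlines():
        m = SC_FIELD.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def executable_from_binary_path(binary_path_name):
    """Strip quoting and arguments from BINARY_PATH_NAME to get the executable path.

    Quoted:   "C:\\Program Files\\Tor\\Tor.exe" --nt-service  ->  C:\\Program Files\\Tor\\Tor.exe
    Unquoted paths with spaces are ambiguous (Windows tries each prefix), so we take
    everything up to the first token ending in .exe, which is what normally gets run.
    """
    s = binary_path_name.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", s, re.I)
    return m.group(1) if m else s.split(" ", 1)[0]


def assess(cfg):
    """Explain why a service config looks like the Tor component, or return no reasons."""
    exe = executable_from_binary_path(cfg.get("BINARY_PATH_NAME", ""))
    parts = [p.lower() for p in PureWindowsPath(exe).parts]
    reasons = []
    if parts and parts[-1] in SUSPECT_BASENAMES:
        reasons.append(f"binary named {parts[-1]}")
    if SUSPECT_DIRNAME in parts:
        reasons.append("lives under the wins.exe drop directory from the Fox-IT post")
    if reasons and "AUTO_START" in cfg.get("START_TYPE", ""):
        reasons.append("auto-start: survives reboot")
    return {"service": cfg.get("SERVICE_NAME", "?"), "exe": exe, "reasons": reasons}


def cleanup_commands(service_name):
    """The two `sc` lines to stop and unregister the service (printed, not executed)."""
    return [f'sc stop "{service_name}"', f'sc delete "{service_name}"']


def triage(sc_query_text, sc_qc_outputs):
    """For every service named in `sc query`, assess its `sc qc` config; return the flagged ones."""
    flagged = []
    for name in service_names(sc_query_text):
        if name not in sc_qc_outputs:
            continue
        result = assess(parse_sc_qc(sc_qc_outputs[name]))
        if result["reasons"]:
            result["cleanup"] = cleanup_commands(name)
            flagged.append(result)
    return flagged


# Constructed sample output, in the layout `sc` uses.
SAMPLE_SC_QUERY = """
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING

SERVICE_NAME: Tor
DISPLAY_NAME: Tor Win32 Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
"""
SAMPLE_SC_QC = {
    "Spooler": """[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\Windows\\System32\\spoolsv.exe
        DISPLAY_NAME       : Print Spooler
""",
    "Tor": """[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Tor
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\\Program Files\\Tor\\Tor.exe" --nt-service
        DISPLAY_NAME       : Tor Win32 Service
""",
}

if __name__ == "__main__":
    for hit in triage(SAMPLE_SC_QUERY, SAMPLE_SC_QC):
        print(hit["service"], hit["exe"], "; ".join(hit["reasons"]))
        print("  " + "\n  ".join(hit["cleanup"]))
```

Deleting the service only removes the persistence; as dotgoat says a few posts down, the binary and whatever dropped it are still on disk, and the service name and path are the same data an incident responder would want to record before the box is wiped.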

But yes, tor is getting installed on the computers of people who don't have any idea what tor is, and would never understand what it is.
Title: Re: Malware botnet confirmed: Why Silk Road is down
Post by: dotgoat on September 08, 2013, 08:10 am
I was told that last week some secretary in an office was complaining that her computer was slow and stuff. Tech guy found tor.exe as a running process. It was installed and running as a Windows service. He did something like sc delete "tor" or "tor service", whatever the service was called, and did a general malware cleanup of course.

For me "general malware cleanup" is reinstall the OS... Can never be 100% sure everything is off as most of those bots usually make some attempt to hide themselves. Especially if it was just a secretary I imagine you could wipe the computer and probably get email, calendar, and Office installed in like an hour.  But I also know how "only takes an hour" can become an all day thing.
Title: Re: Malware botnet confirmed: Why Silk Road is down
Post by: Isobetadine on September 11, 2013, 12:32 am

For me "general malware cleanup" is reinstall the OS... Can never be 100% sure everything is off as most of those bots usually make some attempt to hide themselves.

THIS!
If you were infected with a virus, even when it is one your antivirus actually noticed and deleted, you should never again trust it for important things like bank transfers or whatever..
You'll never get a guaranteed 100% secure after an infection unless you reinstall the whole thing.

***tails-tails-tails-tails    tails-tails-tails-tails tudu-tuduuuuuu tuduuuuuuuuuuuu : TAILS***
Title: Re: Malware botnet confirmed: Why Silk Road is down
Post by: HeatFireFlame on September 13, 2013, 08:55 pm
Would be nice if the bots were running as relays, but then everyone would get ultra-paranoid. Because that would enable the owner of the botnet to do deanonymization attacks on Tor users.
This is true. Why does the government not just decide to create a botnet such as this one, then, in order to deanonymize some main targets? I'm sure they could shout national security and get away with it no problem.
Title: Re: Malware botnet confirmed: Why Silk Road is down
Post by: chevelle on September 14, 2013, 02:16 am
It has now been confirmed that the FBI is behind these attacks. Check out hacker news to get caught up.
Title: Re: Malware botnet confirmed: Why Silk Road is down
Post by: Railgun on September 14, 2013, 02:37 am
I'm so glad I don't deal with .exe files directly. I don't miss it at all.
Title: Re: Malware botnet confirmed: Why Silk Road is down
Post by: P2P on September 14, 2013, 03:03 am
So how does this connect with SR being down?
Title: Re: Malware botnet confirmed: Why Silk Road is down
Post by: eddiethegun on September 14, 2013, 03:17 am
It has now been confirmed that the FBI is behind these attacks. Check out hacker news to get caught up.

Negative. The recent article is about the FBI conceding to being behind the Freedom Hosting exploit, NOT the Tor botnet.
Title: Re: Malware botnet confirmed: Why Silk Road is down
Post by: kybzmsrf on September 14, 2013, 07:46 pm
Quote from: http://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-overload/
Previously, the botnet communicated mainly using HTTP as well as alternative communication methods. More recently and coinciding with the uptick in Tor users, the botnet switched to Tor as its method of communication

Stopped reading. Don't get why people write about stuff when they actually have no clue.
The above is like saying "I used to ride a bike. Now I use the street." -_-