The dark web is well known as a space where anything can be bought or sold: guns, drugs, stolen data, and extreme pornography are all relatively easy to get hold of with a few clicks of a mouse. But anonymity networks such as Tor, as well as the hidden sites they facilitate, can also act as the infrastructure for malware. Used as such, they add another layer of protection to cybercriminals’ money-making schemes.
In November, Marco Balduzzi and Vincenzo Ciancaglini, researchers at cybersecurity company Trend Micro, will present a dark web analysis tool at the Black Hat Europehacking conference. As part of their presentation, they will detail an assortment of malware that takes advantage of the dark web in order to hide its tracks.
One of those is called SkyNet, a piece of malware that can be used for DDoS attacks and to mine bitcoins from a victim’s computer. The malware’s command and control (C&C) servers—the main hubs of the malware infrastructure—are based on Tor hidden services, also known as dark web sites.
Malware servers are given the same sort of protections as other dark web sites
This means the malware servers are given the same sort of protections as other dark web sites: the physical location of the servers is hidden, making it much more difficult for authorities to track them and their owners down. According to the researchers’ slides, the number of Tor-based SkyNet C&C servers shot up dramatically during September of this year.
“Malware today is network dependent,” Balduzzi told Motherboard in a phone interview. By that, he means that malware—software that targets a computer with malicious intent—relies on vast networks of computers in order to steal and spread data, as opposed to being stored on, say, a CD. So in order to keep this infrastructure up and running, some malware authors are pulling in Tor.
According to an earlier analysis of SkyNet, the creator said, “Everything operating tru [sic] TOR hidden service so no feds will take my servers down.”
Some other Tor-based malware is much more sophisticated. Balduzzi explained that the “Vawtrack” banking trojan, designed to gain access to victims’ financial accounts, relies on multiple layers of obfuscation to remain undetected: An innocent looking image is hosted on a dark web site, but hidden inside that file is the necessary information for the malware to connect to the control servers.
Malware that uses Tor could also target people who have never used the network themselves
Another example might even be powerful enough for espionage campaigns, Balduzzi said. NionSpy, which routes its traffic through the Tor network, can capture keystrokes, steal documents, and record video from a victim’s webcam and audio from their microphone.
It’s worth noting that this malware doesn’t specifically target users of the dark web, nor does it affect the anonymity protections awarded to Tor users. Malware that uses Tor could also target people who have never used the network themselves.
But malware isn’t just using Tor; at least one type also takes advantage of lesser-known anonymity network I2P. The “Dyre” banking trojan, Balduzzi explained, uses I2P sites—or ‘eepSites’, as they are called—as a sort of plan B, in case other approaches fall through.
“This type of malware is actually using I2P as a backup option for running the infrastructure, in case some of it is taken down by law enforcement,” he said.
This migration of some malware from the surface web to its dark counterpart might be the next step of malware evolution. In a similar way to how malware peddlers started using domain generation algorithms (DGA) a few years ago—where new domains are automatically generated by the malware, making it difficult to trace—the dark web offers an added layer of protection. Balduzzi says that more malware will likely make use of the dark web, and perhaps it will even become “one of the main techniques to run infrastructures.”