An Average of 900 Online Resources Are Active on TOR Daily

Mar 7, 2014 (Fri): In recent months Kaspersky Lab experts have been closely monitoring so-called Darknet resources, mostly the Tor network. And one thing that is immediately obvious is that the cybercriminal element is growing. Although the Tor infrastructure and cybercriminal resources are not on the same scale as the conventional Internet, the experts managed to find approximately 900 hidden services online at the current time.

TOR is primarily unrestricted, free software operating via the Internet. It has users who enter sites, exchange messages on forums, communicate via IM, etc. – just like the “ordinary” Internet. But there’s one crucial difference. TOR is unique in that it allows its users to remain anonymous during their activity on the Net. Network traffic is completely anonymous: it is impossible to identify the user’s IP in TOR, making it impossible to determine who the user is in real life. Moreover, this Darknet resource utilizes so-called pseudo domains which frustrate any efforts to pick up the resource owner’s personal information.

Recently cybercriminals have started actively using Tor to host malicious infrastructure. Kaspersky Lab experts found Zeus with Tor capabilities, then they detected ChewBacca and finally analyzed the first Tor Trojan for Android. A quick look at Tor network resources reveals lots of resources dedicated to malware – C&C servers, admin panels, etc.

“Hosting C&C servers in Tor makes them harder to identify, blacklist or eliminate. Although creating a Tor communication module within a malware sample means extra work from the malware developers, we expect there will be a rise in new Tor-based malware, as well as Tor support for existing malware”, said Sergey Lozhkin, Senior Security Researcher, Global Research and Analysis Team at Kaspersky Lab.

The Onion Router

Tor, one of the resources on the Darknet, has been known for a long time. At first it was only known to experts and enthusiasts interested in the technical details of practical anonymity in the network, or fans of cryptography. However, after Edward Snowden’s revelations many Internet users started searching for this kind of online anonymity, resulting in a surge of interest in Tor.

What is TOR?

Tor is primarily unrestricted, free software operating via the Internet. It has users who enter sites, exchange messages on forums, communicate via IM, etc. – just like the “ordinary” Internet. But there’s one crucial difference. Tor is unique in that it allows its users to remain anonymous while they are active on the Internet. Network traffic is completely anonymous: it is impossible to identify the user’s IP in Tor, making it impossible to determine who the user is in real life. Therefore, no action, for example, publication of posts in Tor, can be linked to a particular individual.

Just like the “ordinary” Internet, Tor also enables its users to create almost any resources (in February Kaspersky Lab experts managed to find approximately 900 currently operative hidden services online). However, contrary to the traditional Internet where the domain name of each site makes it possible to determine the owner of the site and its location, Tor utilizes so-called pseudo domains which frustrate any efforts to uncover the resource owner’s personal information.

How does Tor provide anonymity?

Creating anonymous resources is possible due to the distributed network of servers called “nodes” or routers that operate on the principle of onion rings (hence the name, The Onion Router). All network traffic (i.e. any information) is encrypted repeatedly as it passes through several network nodes on its way to Tor. In addition, no network node knows the source of the traffic, its destination or its content. This ensures a high level of anonymity, making it impossible to determine who is behind the network activity, i.e. a real person.
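
The layering described above, as an added example that is not Kaspersky Lab's or the Tor Project's code: a client wraps a message once per relay, and each relay removes only its own layer and learns just the next hop. The relay names, keys and payload are constructed, and a SHA-256 keystream stands in for the per-hop ciphers and key negotiation a real Tor circuit uses.

```python
import hashlib
import json

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (stand-in, not Tor's): XOR with SHA-256(key || offset)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(path, payload: bytes) -> bytes:
    """Client side: add one layer per relay, innermost layer for the last relay."""
    onion, next_hop = payload, "destination"
    for name, key in reversed(path):
        layer = json.dumps({"next": next_hop, "data": onion.hex()}).encode()
        onion = keystream_xor(key, layer)   # only this relay's key opens it
        next_hop = name
    return onion

def peel(key: bytes, onion: bytes):
    """Relay side: remove one layer, learn the next hop and an opaque blob."""
    layer = json.loads(keystream_xor(key, onion))
    return layer["next"], bytes.fromhex(layer["data"])

def route(path, onion: bytes):
    """Pass the onion along the path, recording what each relay can see."""
    seen = []
    for name, key in path:
        next_hop, onion = peel(key, onion)
        seen.append((name, next_hop, onion))
    return seen

# Constructed sample circuit: names and keys are illustrative only.
SAMPLE_PATH = [(n, hashlib.sha256(n.encode()).digest())
               for n in ("entry", "middle", "exit")]
SAMPLE_PAYLOAD = b"GET /index.html"

if __name__ == "__main__":
    for name, next_hop, blob in route(SAMPLE_PATH, wrap(SAMPLE_PATH, SAMPLE_PAYLOAD)):
        visible = blob if blob == SAMPLE_PAYLOAD else b"<%d opaque bytes>" % len(blob)
        print(f"{name:6} forwards to {next_hop:11} and sees {visible!r}")
```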

Who needs Tor?

Tor has become a helpful solution for those who, for some reason, fear surveillance and the leakage of confidential information. But as well as legitimate users, this technology also attracts the attention of cybercriminals. The Tor network has long been known for hosting a large number of resources carrying out illegal activity.

Darknet Market Square

Cybercriminal forums and marketplaces are familiar on the Internet. Recently, Tor emerged as an underground marketplace. It all started from the notorious Silk Road market and evolved into dozens of specialist markets: drugs, arms and, of course, malware.

Carding shops are firmly established in the Darknet. Stolen personal info is for sale with a wide variety of search attributes like country, bank etc. Offers for customers of this kind are not limited to credit cards. Dumps, skimmers and carding equipment are for sale too.

A simple registration procedure, trader ratings, guaranteed service and a user-friendly interface – these are standard features of a Tor underground marketplace. Some of the stores require sellers to deposit a pledge – a fixed sum of money – before starting to trade. This is to ensure that a trader is genuine and his services are not a scam or of poor quality.

Tor and Bitcoin

The development of Tor has coincided with the emergence of the anonymous cryptocurrency Bitcoin. A combination of anonymous money in an anonymous environment means cybercriminals can remain virtually untraceable.

Malware in Tor

Cybercriminals have started actively using Tor to host malicious infrastructure. Kaspersky Lab experts found Zeus with Tor capabilities and then detected ChewBacca and finally analyzed the first Tor Trojan for Android. A quick look at Tor network resources reveals lots of resources dedicated to malware – C&C servers, admin panels, etc.

Author: VSDaily Editor
