Android-targeting botnet creators jump on Tor source code

Summary: In order to avoid detection, botnet creators are borrowing the anonymity tools built to defeat surveillance -- and the approach has now reached the mobile realm.


As technology evolves and network providers shore up their security, attackers generally remain several steps ahead. Botnets, networks of compromised computers commonly used to flood websites with traffic in distributed-denial-of-service (DDoS) attacks or to send spam and phishing campaigns, are a persistent problem -- and may now be harder to track.

The creators of botnets use a number of tactics to conceal their command and control (CnC) servers. Domain generation algorithms (DGAs), for example, let every bot compute a fresh list of candidate CnC domain names on a schedule; the botnet owner, who knows the algorithm in advance, registers only the few domains actually needed, so traffic keeps flowing even when individual domains are blocked and static blocklists are of little use. The use of Tor to hide the CnC server itself is also on the rise.
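To make the DGA tactic and its mirror image on the defender's side concrete, here is an added example that is not part of the original article and does not reproduce any real malware family's algorithm. It assumes a hypothetical date-seeded DGA (`generate_domains`, a SHA-256 of a shared secret plus the date) that both bot and operator can run; a defender who has recovered the seed pre-computes the next day's domains as a blocklist, and falls back on a label-entropy heuristic for queries that are not on it. The DNS log lines are constructed sample input.

```python
import datetime
import hashlib
import math
from collections import Counter

TLDS = ("com", "net", "org", "info")  # TLD pool is an assumption of this example


def generate_domains(seed, day, count=10):
    """Hypothetical date-seeded DGA (illustration only, not a real family's algorithm).

    Bot and operator both derive the same candidate list from a shared secret seed
    and the current date; the operator registers one of them shortly beforehand.
    """
    domains = []
    for i in range(count):
        material = f"{seed}|{day.isoformat()}|{i}".encode()
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])  # 12 lowercase letters
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def shannon_entropy(text):
    """Bits of entropy per character; random-looking DGA labels score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_query(fqdn, blocklist, min_len=10, entropy_threshold=3.2):
    """Exact match against the pre-computed DGA set first, then a heuristic."""
    label = fqdn.split(".")[0]
    if fqdn in blocklist:
        return "dga-known"
    if len(label) >= min_len and shannon_entropy(label) > entropy_threshold:
        return "suspicious"
    return "benign"


def triage(dns_log, blocklist):
    """Map each queried name in a constructed '<time> <client> <query>' log to a verdict."""
    return {line.split()[-1]: classify_query(line.split()[-1], blocklist) for line in dns_log}


# Defender side: with the seed recovered from a sample, pre-compute today's and
# tomorrow's domains so they can be sinkholed before the operator registers them.
SAMPLE_DAY = datetime.date(2014, 2, 26)
SAMPLE_BLOCKLIST = set(
    generate_domains("demo-seed", SAMPLE_DAY)
    + generate_domains("demo-seed", SAMPLE_DAY + datetime.timedelta(days=1))
)

# Constructed DNS log: two ordinary queries, one DGA hit, one random-looking label.
SAMPLE_LOG = [
    "2014-02-26T09:00:01 10.0.0.5 www.google.com",
    "2014-02-26T09:00:02 10.0.0.5 mail.example.org",
    "2014-02-26T09:00:03 10.0.0.9 " + generate_domains("demo-seed", SAMPLE_DAY)[0],
    "2014-02-26T09:00:04 10.0.0.9 qzxvkjwmplrt.net",
]

if __name__ == "__main__":
    for fqdn, verdict in triage(SAMPLE_LOG, SAMPLE_BLOCKLIST).items():
        print(f"{verdict:10s} {fqdn}")
```

The exact-match path is what a sinkhole operator relies on once the algorithm is known; the entropy heuristic catches unknown seeds but will also flag CDN hostnames, so in practice it is a triage signal rather than a block decision.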

Tor, an anonymity tool often blamed for hosting the hidden "dark web," routes traffic through sets of relays run by thousands of volunteers worldwide, making it difficult to identify the source of information or the location of a user.

While most botnet advances have been built on desktop and Windows templates, a Trojan targeting the mobile Android operating system has now been discovered. According to Roman Unuchek of Kaspersky, the Tor client Orbot has been repurposed as a malicious bot, with the command and control server hosted as a Tor .onion hidden service so that its origin and location stay hidden.


The Android Trojan, Backdoor.AndroidOS.Torec, a.k.a. Slempo according to Malwarebytes, is able to receive a number of malicious commands, including:

  • Intercepting and hiding incoming and outgoing messages;
  • Blocking and stealing outgoing messages;
  • Sending messages from the device;
  • Sending the CnC details about the phone, including model, OS version, country, installed app list and IMEI;
  • Remote execution of code.

As noted by Malwarebytes, the current price for using the Slempo botnet is $1,000 up front and $500 for every month after. It is possible this Tor-based threat is an evolution of the "Stoned Cat" botnet.

While using Tor makes taking down the CnC server extremely difficult, if not impossible, the concealment has a cost: bundling a Tor client adds a great deal of code, so the infected device has to fetch a large package and then push its traffic through the Tor network. A user who notices a sudden jump in data usage is therefore more likely to realize something is wrong.
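Because the bot ships its own Tor client and talks to a .onion address, both leave static traces that an analyst can look for. The following is an added example, not code from the article or from Kaspersky or Malwarebytes, showing a small indicator scan over strings dumped from an APK (the sample strings are constructed, as is the .onion host they contain). It assumes a few indicators commonly left behind by a bundled Orbot (its package name `org.torproject.android`, a `torrc` file, the default local SOCKS port 9050) and checks them alongside the standard .onion host syntax (16 base32 characters for the older v2 form, 56 for v3).

```python
import re

# .onion host syntax: 56 base32 chars (v3) or 16 base32 chars (older v2 form).
ONION_RE = re.compile(r"\b([a-z2-7]{56}|[a-z2-7]{16})\.onion\b")

# Strings a bundled Orbot/Tor client commonly leaves behind. This indicator set is
# an assumption of the example; org.torproject.android is Orbot's package name.
TOR_INDICATORS = (
    "org.torproject.android",
    "info.guardianproject",
    "torrc",
    "127.0.0.1:9050",
)

# Constructed sample, standing in for strings extracted from an APK's DEX and assets.
FAKE_V3 = ("abcdefghijklmnopqrstuvwxyz234567" * 2)[:56] + ".onion"
SAMPLE_STRINGS = [
    "Lcom/example/sms/SmsReceiver;",
    "http://abcdefghijklmnop.onion/gate.php",   # constructed v2-style CnC host
    FAKE_V3,                                    # constructed v3-style CnC host
    "org.torproject.android.service.TorService",
    "Socks5 proxy 127.0.0.1:9050",
    "not.an.onion",                             # too short to be a real address
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
]


def scan_strings(strings):
    """Collect .onion hosts, Tor indicators and SMS permissions from string dumps."""
    onions, found, perms = set(), set(), set()
    for s in strings:
        for m in ONION_RE.finditer(s):
            onions.add(m.group(0))
        for ind in TOR_INDICATORS:
            if ind in s:
                found.add(ind)
        if s.startswith("android.permission.") and "SMS" in s:
            perms.add(s)
    return {
        "onion_hosts": sorted(onions),
        "tor_indicators": sorted(found),
        "sms_permissions": sorted(perms),
    }


def verdict(report):
    """A hidden-service address plus a bundled Tor client is the Torec pattern."""
    if report["onion_hosts"] and report["tor_indicators"]:
        return "likely-tor-c2"
    if report["onion_hosts"] or report["tor_indicators"]:
        return "tor-indicator"
    return "no-tor-indicators"


if __name__ == "__main__":
    report = scan_strings(SAMPLE_STRINGS)
    print(verdict(report))
    for key, values in report.items():
        print(f"{key}: {values}")
```

Ordinary apps almost never embed a .onion host, so that hit alone deserves a look; paired with Orbot's package name and SMS permissions it is a strong sign of the behaviour described above, and the extracted .onion address is what a responder would then watch for in Tor SOCKS traffic from other devices.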

Separately this week, cybersecurity firm Hold Security LLC said it has uncovered stolen credentials for some 360 million accounts being offered for sale on the black market, although it is unclear where they were stolen from and what they can be used to access.

Alex Holden, chief information security officer of the firm, said "the sheer volume" of stolen data for sale is "overwhelming." Stolen login credentials could prove more harmful to consumers than other stolen data, as access to corporate networks, health records and online bank accounts may be far more damaging in the long run.


About

Charlie Osborne, a medical anthropologist who studied at the University of Kent, UK, is a journalist, freelance photographer and former teacher. She has spent years travelling and working across Europe and the Middle East as a teacher, and has been involved in the running of businesses ranging from media and events to B2B sales.
