Android-targeting botnet creators jump on Tor source code

In order to avoid detection, botnet creators are exploiting surveillance-fighting tactics -- and now, this approach is being used in the mobile realm.
Written by Charlie Osborne, Contributing Writer

As technology evolves and network providers shore up their security, hackers -- as usual -- generally remain several steps ahead. Botnets, often used to force compromised slave computers to flood websites with traffic and bring them down in distributed-denial-of-service (DDoS) attacks or to send spam and phishing campaigns, are a common problem -- and may now be harder to track.

The creators of botnets use a number of different tactics to try and conceal the presence of their command and control (CnC) servers. As an example, Domain Generation Algorithms (DGA) dynamically create new CnC addresses that are pre-created by the botnet owners to alter the flow of traffic and avoid both detection and blocking, and the use of Tor is on the rise to further hide CnC centers.

Tor, an anonymity tool accused of being part of the hidden "dark web," relies on sets of relay points run by thousands of volunteers worldwide, making it difficult to identify a source of information or location of a user.

While many advances in botnets have been made based on desktop and Windows templates, a Trojan focused on the mobile Android operating system has been discovered. According to Roman Unuchek of Kaspersky, a Tor network client, Orbot, has been modified to act as a malicious bot -- using the Tor network's .onion proxy servers to disguise the origin and location of its command and control center.

The Android Trojan, Backdoor.AndroidOS.Torec., a.k.a Siempo -- according to Malwarebytes -- is able to receive a number of malicious commands, including:

  • Interception and concealment of incoming and outgoing messages;
  • The prevention and theft of outgoing messages;
  • Message sending from the device;
  • Sending the CnC telephone data including model, OS version, country, app installation list and IMEI;
  • Execution of codes remotely.

As noted by Malwarebytes, the current price for using the Slempo botnet is $1,000 up front and $500 for every month after. It is possible this Tor-based threat is an evolution of the "Stoned Cat" botnet.

While using Tor makes closing the CnC extremely difficult, if not impossible, these concealment methods require a lot more code, and so if an infected mobile device suddenly has an increase in data usage caused by the large and difficult to download bundle, a user is more likely to realize something is wrong.

Separately this week, cybersecurity firm Hold Security LLC said it has uncovered stolen credentials from some 360 million accounts that are available for sale on the black market, although it is unclear where they were stolen from and what they can be used to access.

Alex Holden, chief information security officer of the firm, said "the sheer volume" of stolen data for sale is "overwhelming." Such discovery of stolen login credentials could end up being more harmful to consumers as root access to corporate networks, health cords and online bank accounts may be far more damaging in the long run.

Editorial standards