Researchers from Damballa analyze the MEvade botnet

Sep 13, 2013 12:51 GMT

Recently, some cybercriminals have moved the command and control (C&C) infrastructure of their botnet to Tor in an effort to make it more difficult to track. However, experts say this has been a bad decision.

According to researchers from Damballa, the cybercriminals behind the MEvade botnet, whom they have dubbed LazyAlienBikers, did a good job of keeping their operations under the radar. That lasted until they decided to move their infrastructure to the Tor anonymity network.

The existence of the MEvade malware family became known in late June when Microsoft distinguished it from other families. However, not many samples were known, so most security solutions didn’t identify the threat.

When they decided to move their infrastructure to Tor, the cybercriminals made the existence of the threat more obvious on endpoints.

“As the bot-herder, you can hide your control infrastructure at the expense of making your presence on an endpoint more obvious, and go with Tor (or freenet/i2p), which shifts attention from destination to source and may not work out in your favor,” Mark Gilbert, security researcher at Damballa, noted in a blog post.

In this particular case, when the number of Tor nodes suddenly increased by two million, experts immediately realized that something malicious was involved.

“The massive influx of Tor users drew tons of presumably unwanted attention, compared to when it was just SSH traffic exfiltrating data out over port 443,” Gilbert said.

“The SSH traffic over 443, through its very obscurity drew more attention than regular http(s) traffic would have from customers who, even when we detected the threat, might otherwise have written it off as ‘just another virus’.”
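Gilbert's two observations above amount to two network-side tells a defender can look for: an application protocol that does not belong on the port it is using (SSH on 443), and a sudden jump in the number of endpoints speaking Tor. The script below is an added example written for this article, not Damballa's code or anything from the original post. It runs over a constructed flow log (day, source, destination, port, detected protocol, bytes out), whose format, hosts and thresholds are assumptions chosen for illustration.

```python
"""Detection logic for the two tells described in the article: SSH carried on
port 443 (protocol/port mismatch) and a sudden jump in the number of endpoints
speaking Tor. Added example; the flow format is constructed, not Damballa's."""
from collections import defaultdict

# Application protocol we expect to see on each well-known port (assumption:
# the flow source already classifies the application protocol, as many
# protocol-aware sensors do). Port 9001, Tor's default ORPort, has no entry,
# so Tor on 9001 is left to the surge rule below.
EXPECTED_PROTO = {22: "ssh", 80: "http", 443: "tls"}

# Constructed flow records: "<day> <src> <dst> <dport> <proto> <bytes_out>".
# Day 1 is the quiet baseline; on day 2 three more hosts start speaking Tor.
SAMPLE_FLOWS = """\
2013-09-11 10.0.0.5 203.0.113.7 443 ssh 5120000
2013-09-11 10.0.0.8 198.51.100.2 443 tls 20480
2013-09-11 10.0.0.9 198.51.100.2 80 http 4096
2013-09-11 10.0.0.12 192.0.2.30 9001 tor 81920
2013-09-12 10.0.0.5 203.0.113.7 443 ssh 4800000
2013-09-12 10.0.0.12 192.0.2.30 9001 tor 77824
2013-09-12 10.0.0.21 192.0.2.31 9001 tor 65536
2013-09-12 10.0.0.22 192.0.2.32 9001 tor 65536
2013-09-12 10.0.0.23 192.0.2.33 9001 tor 65536
""".splitlines()


def parse_flow(line):
    """Split one constructed flow record into a dict."""
    day, src, dst, dport, proto, nbytes = line.split()
    return {"day": day, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def port_protocol_mismatches(flows):
    """Flows whose detected application protocol does not match the protocol
    expected on that port (e.g. SSH on 443). Returns (day, src, port, proto)."""
    findings = []
    for f in flows:
        expected = EXPECTED_PROTO.get(f["dport"])
        if expected and f["proto"] != expected:
            findings.append((f["day"], f["src"], f["dport"], f["proto"]))
    return findings


def tor_client_surge(flows, min_ratio=3.0, min_new=2):
    """Days on which the number of distinct internal hosts speaking Tor is at
    least min_ratio times the previous day's count and grew by at least
    min_new hosts. A baseline of zero still triggers when enough hosts appear
    at once. Returns [(day, previous_count, current_count)]."""
    per_day = defaultdict(set)
    for f in flows:
        if f["proto"] == "tor":
            per_day[f["day"]].add(f["src"])
    days = sorted(per_day)
    surges = []
    for prev, cur in zip(days, days[1:]):
        before, now = len(per_day[prev]), len(per_day[cur])
        if now >= min_ratio * before and now - before >= min_new:
            surges.append((cur, before, now))
    return surges


def analyze(lines):
    """Run both rules over raw flow lines and return the findings."""
    flows = [parse_flow(ln) for ln in lines if ln.strip()]
    return {"mismatches": port_protocol_mismatches(flows),
            "tor_surges": tor_client_surge(flows)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_FLOWS).items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

On the sample data the mismatch rule flags host 10.0.0.5 on both days for SSH on 443, and the surge rule flags 2013-09-12, when the Tor-speaking population goes from one host to four. The thresholds are deliberately crude; in practice the baseline would be a rolling window and the Tor classification would come from a protocol-aware sensor or a list of known relays rather than a label already present in the log.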

The expert believes that the unwanted attention will probably force the botnet operators to take more steps to hide their presence.

“In the security arms race, sometimes the bad guys screw up too,” Gilbert noted.

Damballa estimates that the botnet comprises as many as 5 million nodes.