Cyber Crime and Cyber Terrorism

254
CHAPTER 17
Responding to cyber crime and cyber terrorism
In addition to the widespread use of encryption of communication channels, 
recently we have seen the spread of using social networks as part of a botnet. One 
of the primary intents of botmasters is to reach a wide audience of users, so it is 
natural that they are exploring the possibility to exploit social media platforms, 
for recruiting new zombies and controlling infected machines (typically creating 
fake accounts that send encrypted messages to malware on victims), since social 
networks have monopolized the majority of user’s internet experience. Botmasters 
have begun to exploit social network websites (e.g., 
Twitter.com
) as C&C head-
quarters, which turns out to be quite stealthy because it is hard to distinguish 
the C&C activities from the normal social networking traffic (
Kartaltepe et al., 
2010
). “UPD4T3” is an example of a fake Twitter account owned, of course, by a 
botmaster.
Moreover, we know that TOR is an anonymity network operated by volunteers 
which provides encryption and identity protection capabilities. Tor is a great tool that 
helps people all over the world to protect themselves from Internet censorship. It is 
widely used by anyone concerned about the privacy and safety of their communica-
tions. At the same time though, it does get abused a lot, as in the case we are going 
to describe.
The potential use of TOR in botnet infrastructure has been discussed several 
times in the past (e.g., at “Defcon 18 Conference” by Dennis Brown). In September 
2012 the German Antivirus vendor G-Data briefly described a similar case.
As we already know, hosting C&C infrastructure on “Internet servers” could ex-
pose the botnet. A much stronger infrastructure can be built just by utilizing Tor as the 
internal communication protocol and by using the Tor Hidden Services functionality.
Hidden services, introduced in 2004, permit the creation of completely anony-
mous and concealed services accessible through Tor only. An “onion” pseudo- domain 
is generated, which will then be used to resolve and contact the hidden server. It is 
very difficult to identify the origin of the hidden service and to revoke or take over 
the associated onion domain (
Figure 17.14
).

Download 5,67 Mb.

Do'stlaringiz bilan baham: