Spamhaus: Uptick in Tor-using botnets may force ISPs to block all Tor traffic

  • Liam Tung (CSO Online)
  • 24 January, 2017 07:20

2016 was the “year of extortion”, according to the non-profit spam-fighting project, Spamhaus, which saw unprecedented growth in servers dedicated to hosting ransomware.

The Locky, CryptoWall, TeslaCrypt and TorrentLocker variants of ransomware collectively had at least 1,162 command and control (C&C) servers used to communicate with networks of infected PCs, otherwise known as botnets, according to Spamhaus' figures for 2016.

These families’ infrastructure represented 16 percent of the 7,314 servers on the Spamhaus Block List (SBL) in 2016. The SBL contains internet protocol (IP) addresses from which Spamhaus recommends not accepting email. The list, made up of hacked and dedicated cybercrime servers, is shared with ISPs, hosting providers and other large network operators to protect email users from major sources of spam. According to Spamhaus, the SBL shrank 14 percent, from 8,480 IP addresses in 2015, back towards the list’s 2014 total of 7,182 IP addresses.

However, the group’s other database, the Botnet Controller List (BCL), which contains only servers known to exclusively support cybercriminal activity, grew 12 percent in 2016 to 4,481, from 4,009 in 2015. The BCL is used to block all incoming and outbound traffic to and from malicious servers.
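To make the SBL's role concrete, here is an added example (not Spamhaus's or CSO Online's code) of how a mail server would consult the list: it builds the reversed-address DNSBL query name, interprets the published Spamhaus return codes, and treats a 127.255.255.x answer as a query error rather than a listing. The resolver is injectable, and the answers for the 192.0.2.0/24 documentation range are constructed so the example runs offline.

```python
import ipaddress
import socket
from typing import Callable

# Zone and return codes for the Spamhaus SBL, taken from Spamhaus's public DNSBL
# documentation. 127.255.255.x answers signal a query error, not a listing.
SBL_ZONE = "sbl.spamhaus.org"
SBL_CODES = {
    "127.0.0.2": "SBL listing (spam source)",
    "127.0.0.3": "SBL CSS listing (snowshoe spam)",
    "127.0.0.9": "SBL DROP listing (hijacked or dedicated criminal netblock)",
}

def dnsbl_query_name(ip: str, zone: str = SBL_ZONE) -> str:
    """Build the DNSBL query name: reversed octets for IPv4, reversed nibbles for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def system_resolve(name: str) -> list:
    """Default resolver: A records for name, [] on NXDOMAIN (not used offline)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def check_sender(ip: str, resolve: Callable[[str], list] = system_resolve) -> dict:
    """Decide what an MTA should do with a connecting IP based on the SBL answer."""
    answers = resolve(dnsbl_query_name(ip))
    if any(a.startswith("127.255.255.") for a in answers):
        # Error code (e.g. query via public resolver or quota exceeded): fail open and log.
        return {"ip": ip, "action": "accept", "reason": "DNSBL error " + ",".join(answers), "error": True}
    hits = [SBL_CODES.get(a, "unknown code " + a) for a in answers if a.startswith("127.0.0.")]
    if hits:
        return {"ip": ip, "action": "reject", "reason": "; ".join(hits), "error": False}
    return {"ip": ip, "action": "accept", "reason": "not listed", "error": False}

# Constructed answers for TEST-NET-1 documentation addresses (192.0.2.0/24),
# standing in for real DNS so the example runs offline.
FAKE_ANSWERS = {
    dnsbl_query_name("192.0.2.10"): ["127.0.0.2"],
    dnsbl_query_name("192.0.2.2"): ["127.255.255.254"],
}

def fake_resolve(name: str) -> list:
    return FAKE_ANSWERS.get(name, [])
```

Querying the real zone requires your own resolver rather than a public one, which is why the error branch matters in production.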

Besides ransomware, banking trojans dominated last year's malware, including the Zeus, Gozi and Dridex families. Appearing for the first time were 393 servers dedicated to controlling compromised Internet of Things (IoT) devices, the kind of devices behind last year’s record-breaking distributed denial of service (DDoS) attacks attributed to the Mirai malware.

A smaller SBL might indicate a shrinking cybercrime footprint, but Spamhaus contends the decline was due to botnet operators moving C&C servers to the dark web or hidden services, which are protected primarily by The Onion Router (Tor) anonymization network.

Using Tor to hide a botnet isn’t new, but its rising popularity among cybercriminals may soon threaten Tor's viability as a legitimate privacy tool, warns Spamhaus. Tor can be used to dodge surveillance efforts to track the IP address a person uses when accessing websites.

The problem, argues Spamhaus, is that it’s impossible for network operators to filter benign from malicious Tor traffic, so there may come a time when operators are forced to block all Tor traffic. This could impact privacy-focussed email providers like ProtonMail.

“Due to the nature of such anonymization networks, it is impossible to easily block certain content hosted in the dark web (e.g. botnet controllers), nor to identify the final target of a C&C communication (e.g. where the malware is sending the stolen data, such as credentials or credit card details, to),” writes the Spamhaus project.

“From the perspective of a network operator, the only way to prevent abuse from anonymization networks is to block them entirely, which can be a difficult choice as there are also legitimate uses for them. We believe that ISPs and hosting providers will be confronted in the near future with the question of whether to allow the use of anonymization services such as Tor or to block them completely, unless operators of anonymization services step up to stop abusers in a more effective way.”

According to Spamhaus, cybercriminals build C&C infrastructure through two main channels: hacking web servers using flaws in web content management systems, such as WordPress and Joomla, and fraudulently signing up with ISPs or hosting providers in order to rent server capacity.

The provider hosting the most malicious servers in Spamhaus' database was French ISP OVH, with 395 C&C servers, followed by US hosting provider GoDaddy, with 257. OVH also hosted the most servers acquired through fraudulent sign-ups throughout 2016.