Researchers at Kaspersky Lab identified more malware utilizing Tor’s anonymity capabilities to shield their command and control infrastructure.
Known as ChewBacca – after the character in Star Wars and the name given to one of its functions – the malware drops the function ‘P$CHEWBACCA$_$TMYAPPLICATION_$__$$_INSTALL’ as ‘spoolsv.exe’ into the Startup folder and requests the public IP of the victim via a publicly accessible service.
Tor is dropped as ‘tor.exe’ to the user’s Temp folder and runs with a default listing on ‘localhost:9050.’
“Lately Tor has become more attractive as a service to ensure users’ anonymity,” blogged Kaspersky Lab researcher Marco Preuss. “Also criminals use it for their activities, but they are only slowly adopting this to host their malicious infrastructure.”
This was recently seen in a Zeus variant captured in the wild that also included functionality aimed at 64-bit systems. Other malware such as the CrimewareKit Atrax and the botnet built using the Mevade malware have been spotted using Tor as well.
Using Tor offers a level of protection that masks the location of a server. Still, there are drawbacks for attackers. For example, due to the overlay and structure, Tor is slower, Preuss explained. In addition, as seen with Mevade, a massive increase in botnet activity can affect the network and make such activity easy for researchers to spot.
“Tor is just one of many tricks in a good malware author’s – or gang’s – toolbox,” noted Richard Henderson, Security Strategist, FortiGuard Threat Research and Response Labs at Fortinet. “Tracking down command and control [C&C] can be difficult; other methods like…bouncing through C&C proxies, using [domain generation algorithms] and multiple C&C proxies, or using a P2P [peer-to-peer] C&C model…can make it difficult for researchers to track down the head of the beast in order to lop it off.”
Once running, ChewBacca logs all keystrokes to ‘system.log’, which is created by the malware in the local Temp folder. The Trojan also enumerates all running processes, reads their process memory and uses two different regular expression patterns to steal information.
Unlike Zeus, ChewBacca is currently not offered in public underground forums, according to Preuss.
