arXiv:1612.05806v1 [cs.CR] 17 Dec 2016 euetedtcincpblt fteCCsres h latt The t servers. C&C techniques the of improved capability using detection the has or reduce that failure. architecture, network P2P distributed of unstructured a point resilient problem complete more this single the a to resorted a adopting compromised, have are Attackers as defeated. servers is act overlay C&C botnet servers the the architectur if C&C of this Hence, the aware botmaster in is that a disadvantage and is Bots and Major bots control. reachable structure. the be network for manages to responsible that servers exists entity these single to (C&C) connect a Command-and-Control are which servers in spam, centraliz theft, are networks Botnets data overlay cyber-espionage. personal and DDoS, mining as bitcoin such activities licious by activities illegal . b and perform sophisticated through to infrastructures these subverting attackers furth infrastructures 2014)(Bing- the (Chakravarty of servers, encouraged success used. proxy The actively 2013). VPN, Li are dong them, flowing from Among and traffic as the network. eavesdrop well the to as of through intend identities peers, who the adversaries their the hiding from for parties examples. responsible communicating VPN, other are system. few a systems are such I2P These JAP, of example Remailers, an servers, is Proxy a Onion acronym as the Tor, user for 2016) emerged GOLDBERG of and infrastructures (ALSABAH privacy solution. privacy the Hence, compromising information. thereby gover agencies by information ment informati exploiting selling companies, information, advertising personal to users on activitie prying illegitimate as open encouraged also the technologies, of flexibili nature communication the With of surveillance. advancement widespread and of particu individuals, case for in concern larly major a become has privacy eerht iiaeterssdet uhthreats. further and such for to discussed due scope is risks the the threats recommending mitigate these by to research of concludes severity paper a the the Additionally, presented. of promine most is assessment the Tor a subverting infrastructure, deve of with threats privacy were occur rising begins that that of infrastructures overview It threats privacy An infrastructures. critical the privacy of assess outline subverting and be to analyze activitie to due to illegitimate them perform consider proposes However, who to paper privacy. attackers resource users by exploitable infrastructur guarantee misused an privacy being to of are is development they purpose the main to whose led This widespread during lance. especially privacy, their protecting is uvyPpro iigTraso uvrigPiayInfras Privacy Subverting of Threats Rising on Paper Survey ont r eeal sdb takr opromma- perform to attackers by used generally are Botnets Internet, of development and usage rapid the to Due Abstract n ftemi hlegsfcdb srtoday user a by faced challenges main the of One — .INTRODUCTION I. ehaBalasubramanian Nethra surveil- .This s. such s otnets loped. brief by on ed n- nt er ty er es o n e - h rtclt fsc het ae niscpblte an capabilities its on based threats ass attacks. such and previous of infrastructures criticality these infrastructure subverting the we privacy of of paper, threats overview hidden this rising an as 2014).In describe servers briefly Miraglia C&C will and the (Casenove configure service services. the can of does location botmasters or address the and actual the which know in More to need services analysis. not traffic hidden through provides the Tor detection access over, avoid system to routing can encrypted created botmaster an is a and anonymously Tor, servers Through features C&C network. the Tor of advantage of taking by achieved was iaint h etnto yecytn h rfcbetwee traffic the encrypting by destination the to nication (VPN) Network Private Virtual 2013) the Li C. in (Bingdong Autonomous 2012) Attacks (Erdin an Correlation 2016) (Towards Network Mitigating Tor algorithm. for routing Monitor System free secur to most is which due resistant (MixMinion) III more Type (Mixmaster) is analysis, traffic and II to pools Type message keys, padding, includes lay public which multiple I PGP provides and Type through destination be- the types, to servers three it several sending to e- of fore messages in are forwards anonymity that Remailers (Cypherpunk) Hence achieved. trans- addresses. are the fake of mails with headers remaile e-mail node the particular, mitting in In without addresses the information. instructions, manipulate senders embedded the with revealing receives it messages Remailers 2013) B. Li (Bingdong 2012) To (Erdin the 2016) in Attacks Network Autonomous Correlation Mitigating an for (Towards Monitor proxy System information. and sensitive user at- network, obtain between An traffic and physical the attacks. the ISPs to monitor man-in-the-middle can the sent to tacker through is susceptible travel traffic it to making the has Before it traced. very be proxy, or not can IP is it attacked real because It easily the communication user. log anonymous of identity. not for information users prominent does device the server other hiding destination and thereby address the user this, real to rat and the Due identity server, servers of proxy and that the client than with the sent are between requests intermediary client an as acts Servers Proxy A. niepoysre,VNsre rvdsscrdcommu- secured provides server VPN server, proxy Unlike the destination to forwards which servers are Remailers it wherein web, the surfing for used is server proxy A I O II. EVE OF VERVIEW P RIVACY I NFRASTRUCTURES tructure her ess er rs s, d n e r - , the user and server. The traffic is encrypted irrespective of followed for messages sent to the client. The clients privacy the type of application being used, thus mitigating the risks is maintained,since without the ability to analyze traffic, of attacks such as man-in-the-middle. Even though it offers none of the relays can detect the corresponding message’s secured communication when compared to , sender and destination. Through the hidden services feature, users privacy is not guaranteed. There are many cases where services are accessible to anyone with a Tor client without VPN providers share users information for business profits. revealing any knowledge about the IP address or location (Erdin 2012) of the server.For additional security, the Tor client does not select same router or relays in the same /16 subnet to D. be in the same circuit. Tors telescopic approach to circuit It is the most prevalent design for low latency communi- establishment has two major benefits, one of which is that cations. The protocol consists of a structure similar to that perfect forward secrecy is achieved due to discarding the of an onion, where message is encapsulated with layer by session keys when circuit is closed. The other benefit is that, layer encryption. In this mechanism, there is a set of servers routers need not store the hashes of previously processed called onion routers that is responsible to relay traffic to onions to prevent replay attacks since replaying one side of the clients. Every node has a public and private key. The a Diffie- Hellman handshake results in a different key which public key is known to the client in order to set the path of is not of any use to the attacker. (Bingdong Li 2013) communication. Initially, the client constructs an encrypted tunnel called circuit using public-key cryptography. Once it E. Java (JAP) is set, symmetric key cryptography is used to transfer the JAP is a low latency mix cascades that uses the server data. This protocol has different variations such as Onion provided by volunteers to access the Internet. Several mixes Router(TOR) and Invisible Internet Project(I2P) (Erdin 2012) are used to encrypt the packet and maintain the rate of traffic 1) Invisible Internet Project (I2P): It is an alternative constant in order to avoid rate-based traffic analysis. The to TOR that supports all regular internet activities such as program can display all the active mixes from which user e-mail, web browsing. Unlike TOR, I2P is more focused can choose the JAP cascades. (Erdin 2012) JAP software is on accessing closed rather than the regular Internet available from many years and is second in popularity after websites. I2P offers anonymity services to identity-sensitive Tor. Commercially, it is called JonDonym. applications by building an overlay network of volunteer systems. It is strictly based on UDP, but security can be III. RISING THREATS OF SUBVERTING PRIVACY achieved by including the libraries that allow reliable stream INFRASTRUCTURE communication on top of the I2P network. It is a closed Among the privacy infrastructures mentioned, Tor pro- system in which traffic is routed through other peers and vides highest anonymity. The stealthiness and untraceability by announcing its peers, it enables new users to join the features of Tor motivated the attackers to take advantage of network. Many applications such as email, peer-to-peer, IRC this capability and develop Tor-based botnets. By placing interact with I2P but it is usually not preferred for low latency the botnet infrastructure in Tor, the Tor hidden services applications due to the lack of focus in end-to-end delay. provides anonymous C&C servers which is difficult to detect (Bingdong Li 2013) ( 2016) or destroy. Furthermore, attacking the server with DDoS 2) Onion Router (TOR) : Tor is a low latency anonymity seems unfeasible as it would result in the attack of complete overlay network that is known to be the most robust privacy Tor network. tool. It is helpful in preventing user discovery to any entities that are monitoring the network. When packets are trans- A. Tor-based Botnets [Past Work] mitted between the user and a destination host, a random The idea of hiding botnets in Tor was discussed in 2010, path with three nodes are used so that no single node is in particular at the DefCon18 (D.Brown 2010) where a C&C aware of the complete transmission process thereby provid- server anonymity implementation using Tor was shown by ing anonymity. Furthermore, TOR connections are encrypted DannisBrown. Later in 2012, Guarnieri in (Guarnieri 2012) using TLS protocol. However, connection between exit node detected and analyzed the first Tor-based botnet. The botnet and destination is not encrypted and hence exit nodes can was a modified version of Zeus consisting of DDoS, bitcoin observe the content of messages. (Bingdong Li 2013) mining and credential theft capabilities. The com- Functioning of TOR: The directory authorities in TOR prised of Zeus bot, Tor client, GMinerbitcoin mining tool, are centralized, trusted servers that track the complete TOR and few libraries for GPU hash cracking. The bots ran inside network. Nodes or routers are voluntary computers that are hidden services and all C&C communication was within the distributed and categorized based on their respective func- Tor network. The botmaster tried to reduce the traceability tionality and positions. Before transmitting the data packets by avoiding the use of exit nodes, and used IRC protocol to to the destination node, it is encrypted several times using communicate and issue commands to the bots. The botmaster public key cryptography. At every relay, one encryption layer also made the bots act as relays thereby exploiting and is decrypted, which reveals the IP address of the next relay enhancing the Tor network simultaneously. In 2013, due to that the packet needs to be forwarded to. This is done until a post on the Tor mailing list, Tor’s network usage and the the packet reaches the destination and the reverse process is number of users accessing grew rapidly. Researchers couldnt explain the reason at first but on analysis came to conclusion interaction for payment process.Cryptolocker and Cryptowall that it was due to a large botnet that suddenly switched to Tor. are two of the ransomwares mentioned in (Cygnus Business The botnet used centralized structure with HTTP protocol Media Inc. 2015).Furthermore, the report also states that and a preconfigured earlier version of Tor to connect to malware economy is ever growing and ransomware and the network. The significant increase in the amount of Tor cryptocurrency such as bitcoins are helping attacker monetize communication that was being established through relays their actions. resulted in the reduction of Tor systems responsiveness. (Casenove and Miraglia 2014) IV. THREAT ASSESSMENT Similarly,in the last few years, various types of botnets According to the survey of anonymity technologies in were found in (Constantin 2012) (Dunn 2013) (Gottesman (Bingdong Li 2013), newer systems such as Tor, I2P are 2014)that made use of Tor infrastructure. It provided a gaining popularity. Among the current anonymity systems, hideout for malware by deploying the command and control Tor networks have more number of volunteers than I2P. server as a hidden service with specific onion address that the From previous attacks it is evident that, Botnet over Tor is other bots are configured with. Such botnets and referencing growing and among all the privacy infrastructures threats due the ones mentioned earlier as well, result in significant to subverting Tor will be highest. According to (Casenove degradation in the performance of Tor. One other example is and Miraglia 2014), even though botnets over Tor is good the spike caused by Mevade/Sefnit botnet in 2013. The spike solution it is still not perfect. They do not provide ultimate was close to 600% increase in the number of clients, causing resilience and even with Tor, a centralized botnet can have a network overload through C&C descriptors and creating vulnerability such as single point of failure. When a botnet circuit requests. (ALSABAH and GOLDBERG 2016) is integrated with the Tor infrastructure, a lot of attention is raised as it creates instability in a stable network such as Tor. B. OnionBots [Future Threat] Hence when a botnet comprising of millions of nodes joins According to (Sanatinia and Noubir 2015), onion bots are the Tor network in a short span, it can be easily detected. believed to be the next generation of resilient and stealthy Even from a client point of view, a botnet using Tor can botnets. It uses privacy infrastructures such as Tor to stay leave traces. A malware runs Tor client as external process undetected and decouple itself from the infected hosts. Since and if the client was not installed previously, exposure of onion bots are different from the peer-to-peer botnets, the malware activity would be trivial. By cross verifying the existing solutions that are used for the peer-to-peer bot are running processes, malware can be detected by identifying not applicable to onion bots. The design is also resilient the Tor client process. By using such detection techniques, to the current mitigation and analysis techniques such as the estimated threat due to the tor-based-botnets can be botnet mapping, hijacking and assessing the botnet size. greatly reduced. In case of OnionBot, the estimated level of Moreover, it is also proven to achieve low diameter, degree threat is very high due to its robust nature and anonymity. By and high resiliency and repair if any event of a take-down using the suggested mitigation technique Sybil Onion Attack of a fraction of botnet node occurs. Anonymity is achieved Protocol (SOAP), the botnets can be neutralized. This might through the periodically changing address of the bot during reduce the risk due to such bots but due to the continuous waiting stage. Unlike current botnets, secure communications development of various variants of such botnets, threats due is achieved by encryption in OnionBot through Tor and to these corresponding models also increases. Successful SSL. The threat environment will continue to grow due to removal of such threats may not be guaranteed but measures its capability to offer new services such as botnet-for-rent to reduce the threats effectiveness and mitigation of risks due and distribution computation platform for rent. By taking to such threats need to be addressed. advantage of payment through Bitcoins, Silk Road 2.0 in Tor business operations can be carried out and botnets can V. CONCLUSION be instructed to perform CPU intensive operations such In this paper, various kinds of privacy infrastructures are as bitcoin mining or password cracking. Furthermore, the discussed and the rising threats of subverting the privacy estimated threats due to OnionBots could be higher since infrastructure are analyzed.Since Tor is the most prominent they are robust to partitioning even when large fraction of privacy infrastructure, it is attracting more threats.Major these bots are taken down simultaneously. (Sanatinia and threat is due to botnet over Tor infrastructure which has been Noubir 2015) (Chaabane, Manils and Kaafar 2010) the basis for prominent botnet attacks since 2010.Severity of threats with respect to new variations of botnets such as C. Threats due to ransomware OnionBots are high due to its robustness and resiliency.Since According to (Cygnus Business Media Inc. 2015) ,threats research with respect to Onionbots propose effective mitiga- due to ransomware are one of the biggest threats. In ran- tion techniques such as SOAP,risk due to the exploitation of somware, the user machine is infected and files and ap- these threats can be reduced but not completely avoided. plications are held hostage until a fee is paid. The threat Moreover, the severity of threats is still high. With the is very high because ransomware is an automatic customer rapid development of various robust botnet variants, design service-type model where the malware will install and then mitigation strategies need to be implemented rapidly and victim can pay through bitcoins. It doesnt involve any human effectively. Further research is recommended to achieve effectiveness in detection and mitigation of threats due to these infrastructures.

REFERENCES [1] ALSABAH, MASHAEL, and IAN GOLDBERG. ”Performance and Security Improvements for Tor: A Survey.” ACM, November 2016. [2] Bingdong Li, Esra Erdin,Mehmet Hadi Gunes,George Bebis,Todd Shipley. ”An overview of anonymity technology usage.” ScienceDi- rect, 2013. [3] Casenove, Matteo, and Armando Miraglia. ”Botnet over Tor: The Illusion of Hiding.” IEEE, 2014. [4] Chaabane, Abdelberi, Pere Manils, and Mohamed Ali Kaafar. ”Dig- ging into Anonymous Traffic: a deep analysis of the Tor anonymizing network.” IEEE, 2010. [5] Chakravarty, Sambuddho. ”Traffic Analysis Attacks and Defenses in Low Latency Anonymous Communication.” PhD Thesis, Graduate School of Arts and Sciences, COLUMBIA UNIVERSITY, 2014. [6] Constantin, Lucian. ”Tor network used to command Skynet bot- net.” December 2012. http://www.techworld.com/ news/security/tor- network-used-command-skynet-botnet-3415592/. (accessed December 2016). [7] Cygnus Business Media Inc. ”Hacker tactics becoming much more sophisticated, report finds.” ProQuest, 2015. [8] D.Brown. ”Resilient Botnet Command and Control with Tor.” Defcon 18. 2010. http://www.defcon.org/images/defcon-18/dc- 18- presentations/D.Brown/DEFCON-18-Brown-TorCnC.pdf. [9] Diaz, Jesus, David Arroyo, and Francisco B. Rodriguez. ”Fair anonymity for the Tor network.” arXiv, Dec 2014. [10] Dunn, John. ”Mevade botnet miscalculated effect on Tor network, says Damballa.” September 2013. http://www.techworld. com/news/security/mevade-botnet-miscalculated-effect-on-tor- network-says-damballa-3468988/ (accessed December 2016). [11] EDMAN, MATTHEW, and BU LENT YENER. ”On Anonymity in an Electronic Society: A Survey of Anonymous Communication Systems.” ResearchGate, 2009. [12] Erdin, Esra. ”Anonymous Communication Systems: Usage Analysis and Attack Mechanisms.” Thesis, Department of Computer Science, University of Nevada, Reno, 2012. [13] Gottesman, Yotam. ”RSA Uncovers New POS Malware Oper- ation Stealing Payment Card & Personal Information.” January 2014. ://blogs.rsa.com/rsa-uncovers-new-pos-malware-operation- stealing-payment-card- personal-information/. (accessed December 2016). [14] Gro, Stjepan, Marko Salkic , and Ivan ipka. ”Protecting TOR exit nodes from abuse.” IEEE, May 2010. [15] He, Gaofeng, Ming Yang, Junzhou Luo, and Xiaodan Gu. ”A novel application classification attack against Tor .” IEEE, July 2015. [16] Johnson, Beverly. ”THE ADVANTAGES AND DISADVANTAGES OF THE DEEP WEB, TOR NETWORK, VIRTUAL CURRENCIES AND THE REGULATORY CHALLENGES THEREOF.” Capstone Project, Master of Science in Economic Crime Management, Utica College, 2014. [17] KATE, ANIKET, GREG M. ZAVERUCHA, and IAN GOLDBERG. ”Pairing-Based Onion Routing with Improved Forward Secrecy.” ACM, 2010. [18] Khandhar, Pallav. ”Banking Botnets Persist De- spite Takedowns.” SecureWorks,Inc. April 22, 2015. https://www.secureworks.com/research/banking-botnets-persist- despite-takedowns (accessed December 17, 2016). [19] Sanatinia, Amirali, and Guevara Noubir. ”OnionBots: Subverting Pri- vacy Infrastructure for Cyber Attacks.” IEEE, June 2015. [20] ServiceObjects. ”Tor: The good. The bad. The anonymous.” ServiceObjects. December 2013.https://www.serviceobjects.com/resources/articles- whitepapers/tor-network-whitepaper (accessed December 2016). [21] Syverson, Paul, and Griffin Boyce. ”Genuine onion: Simple, Fast, Flexible, and Cheap Website .” (ResearchGate) Junw 2015. [22] Tails. Tails. 2016. https://tails.boum.org/doc/anonymous internet/i2p/index.en.html. [23] Towards an Autonomous System Monitor for Mitigating Correlation Attacks in the Tor Network. PhD Thesis, Department of Social Informatics, Kyoto University, arXiV, 2016.