Subscribe to our newsletters
Sign Up

The Hacker News — Cyber Security, Hacking, Technology News

Friday, March 07, 2014 Swati Khandelwal

Tor Network used to Host 900 Botnets and hidden Darknet Markets
Tor network offers users browse the Internet anonymously and is mostly used by activists, journalists to conceal their online activities from prying eyes. But it also has the Dark side, as Tor is also a Deep Web friendly tool that allows hackers and cyber criminals to carry out illicit activities by making themselves anonymous.

Kaspersky security researcher reported that Tor network is currently being used to hide 900 botnet and other illegal hidden services, through its 5,500 plus nodes i.e. Server relays and 1,000 exit nodes i.e. Servers from which traffic emerges.

These days, Cyber criminals are hosting malware’s Command-and-control server on an anonymous Tor network to evade detection i.e., difficult to identify or eliminate. Illegal use of the Tor network boosted up after the launch of the most popular underground Drug Market - Silk road that also offered arms and malware to their users against Bitcoin,one of the popular crypto currency.

ChewBacca, a point-of-sale keylogger was found to be used by them and the new Zeus banking malware variant with Tor capabilities, also the researcher has found the first Tor Trojan for Android as well.

With the use of ‘Darknet resources’, such as Tor network, cybercriminals are offered various advantages and the possibility of creating an abuse-free underground forum, market and malware C&C server is attracting more and more cyber criminals, who are increasingly moving towards the technology, according to Kaspersky Lab.
Tor Network used to Host 900 Botnets and hidden Darknet Markets
Hosting C&C servers in Tor makes them harder to identify, blacklist or eliminate," explained Sergey Lozhkin, a senior security researcher at Kaspersky Lab, “Although, creating a Tor communication module within a malware sample means extra work for the malware developers. We expect there will be a rise in new Tor-based malware, as well as Tor support for existing malware,” he added.

Tor network resources, including command-and-control servers, admin panels and other malware-related resources, ‘Carding’ shops are also waving on the Darknet. “Offers are not limited to credit cards – dumps, skimmers and carding equipment are for sale too,” said the researcher.

As you know, by browsing the web using Tor hides the users’ IP address, allows journalist, Internet activist to cyber criminals to maintain anonymity. In addition, this Darknet resource is resulting in financial fraud and money laundering.

Thursday, January 30, 2014 Swati Khandelwal

Tor-enabled Point of Sale (POS) malware stole credit card data from 11 Countries
After the massive data breaches at U.S retailers Target and Neiman Marcus in which financial credentials of more than 110 million and 1.1 million customers were compromised respectively, shows that the Point of Sale (POS) system has become a new target for the cyber criminals.

Despite the BlackPOS malware of Point of Sale (POS) system that comes out as the major cause of these data breaches, malware writers are upgrading and developing more Trojans to target POS system.

In December, the security researchers at anti-virus firm Kaspersky Lab discovered a Tor-based banking trojan, dubbed "ChewBacca", that was initially categorized as a Financial trojan, but recently security researchers at RSA have uncovered that 'ChewBacca' is also capable of stealing credit card details from point of sale systems.

ChewBacca’, a relatively new and private Trojan, used in the 11 countries as a POS malware is behind the electronic theft. ChewBacca communicates with its C&C (Command and Control) server over the Tor network obscuring the IP addresses of parties.

ChewBacca steals data from the POS system in two ways:
  • Generic keylogger that captures all the keystrokes.
  • Memory scanner that reads process memory and dumps the credit card details.
The botnet has been collecting track 1 and track 2 data of payment card since October 25, according to RSA.
During installation, ChewBacca creates a copy of itself as a file named “spoolsv.exe“and place it in the windows Start > Startup folder, so that it can automatically start-up at the login time. 

After installation, the keylogger program creates a log file called “system.log” inside the system %temp% folder that contains the keystroke events along with the window focus changes.
The ChewBacca Trojan appears to be a simple piece of malware that, despite its lack of sophistication and defense mechanisms, succeeded in stealing payment card information from several dozen retailers around the world in a little more than two months.”
Neither the RSA nor the Kaspersky descriptions explain how the ChewBacca bot is propagated, but the RSA investigation has observed it mostly in the US and also detected in 10 other countries, including Russia, Canada and Australia.
Tor-enabled Point of Sale (POS) malware stole credit card data from 11 Countries
The RSA has provided the data to the FBI on the ChewBacca operation, including the location of a command-and-control server used by the hackers.

They advised retailers to increase staffing levels and develop leading-edge capabilities to detect and stop attackers (comprehensive monitoring and incident response), encrypt or tokenize data at the point of capture and ensure that it is not in plain text view on their networks, thereby shifting the risk and burden of protection to the card issuers and their payment processors.

Wednesday, December 18, 2013 Mohit Kumar

Researchers spotted 'Chewbacca', a new Tor-based Banking Trojan
Cyber Criminal activity associated with the financial Trojan programs has increased rapidly during the past few months. However, the Tor-based architecture is the favorite one with online criminals, to hide their bots and the botnet's Command-and-Control real location from the security researchers.
Security Researchers at anti-virus firm Kaspersky Lab have discovered a new Tor-based banking trojan, dubbed "ChewBacca" ("Trojan.Win32.Fsysna.fej") ,that steal banking credentials and hosted on a Tor .onion domain.
This protects the location of a server as well as the identity of the owner in most cases. Still there are drawbacks preventing many criminals from hosting their servers within Tor. Due to the overlay and structure, Tor is slower and timeouts are possible. Massive botnet activity may influence the whole network, as seen with Mevade, and therefore let researchers spot them more easily.
ChewBacca malware is not first that adopt Tor for anonymity, recently a new Zeus Trojan variant was captured in the wild that also based on Tor network and aimed at 64-bit systems.

Researchers did not mention that how they discovered Chewbacca, or the extent to which it has spread, but they note that the Malware is compiled with Free Pascal 2.7.1.
After execution of malware on the victim's windows system, it drops as spoolsv.exe in the startup folder and also drops a copy of Tor 0.2.3.25, which runs with a default listing on "localhost:9050". The Trojan then logs all keystrokes and sends the data back to the botnet controllers via Tor anonymity network.

The Malware also enumerates all running processes and reads their process memory. According to the researchers, The Command-and-Control server is developed using LAMP, that is based on Linux, Apache, MySQL and PHP.
Chewbacca is currently not offered in public (underground) forums, like other toolkits such as Zeus. Maybe this is in development or the malware is just privately used or shared.
The botnet's Command-and-Control server login page have an image of a character (ChewBacca) from the film series Star Wars.

We are expecting more complex and TOR-based botnets in the future. Stay tuned to +The Hacker News - Stay Safe.

Newsletter Subscription

Subscribe to our newsletter and get all latest hacking news, free eBooks delivered to your inbox.

Join Over 450,000 Subscribers!