Using Tor from a Program

While Tor does have some good applications, it can also be used by bad actors during cyberattacks. Learn how in order to defend against such attacks.

Using Tor from a program is more difficult than using it from the command line, and there's really no easy way to do this. There's no library you can link to that gives you easy Tor support, as far as I can tell. And this explains why you don't see it more in malware today. After all, malware authors are under the same schedule constraints the rest of us are.

So how would you approach this?

Well, first, Tor is really just the Tor router and any kind of browser or similar application that uses it. And this is the best place to start.

The easiest approach is to take Tor and distribute the router with your malware. Once you've compromised a system, you can run the router either in process with your malware (in whatever process you've injected the malware code into) or in another process. This takes a little effort, but is absolutely doable - the Tor router source code is open and available.

Then, you route your HTTP requests and responses through the Tor router you've installed.

Now, this approach has a larger, more detectable footprint, in that the Tor router has ports open on the attacking system for both control and data transfer. A better approach would be to run the router and your C&C code in process. This would minimize the footprint of your malware, but is more difficult to implement. This would involve downloading, altering, and testing your own Tor router, based on the publicly available Tor code.
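From the defender's side, that open-port footprint can be checked on a host. The following is an added example, not code from the original article: it parses Linux `/proc/net/tcp`-format text and flags listening sockets on Tor's default SOCKS and control ports. It assumes a little-endian host and an unmodified Tor port configuration, and the sample lines are constructed.

```python
import ipaddress
import struct

# Default local ports: 9050/9051 for the standalone Tor daemon,
# 9150/9151 for the daemon bundled with Tor Browser.
TOR_DEFAULT_PORTS = {
    9050: "SOCKS",
    9051: "control",
    9150: "SOCKS (Tor Browser)",
    9151: "control (Tor Browser)",
}
TCP_LISTEN = 0x0A  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:235A 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:235B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41235 1 0000000000000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20111 1 0000000000000000 100 0 0 10 0
   3: 0100007F:235A 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 41300 1 0000000000000000 20 4 30 10 -1
"""

def decode_endpoint(field):
    """Decode 'HEXADDR:HEXPORT' as written by a little-endian Linux kernel."""
    addr_hex, port_hex = field.split(":")
    addr = ipaddress.IPv4Address(struct.pack("<I", int(addr_hex, 16)))
    return str(addr), int(port_hex, 16)

def find_tor_listeners(proc_net_tcp_text):
    """Return LISTEN sockets bound to one of Tor's default local ports."""
    findings = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 10 or int(cols[3], 16) != TCP_LISTEN:
            continue  # established connections and short lines are ignored
        addr, port = decode_endpoint(cols[1])
        if port in TOR_DEFAULT_PORTS:
            findings.append({"addr": addr, "port": port,
                             "role": TOR_DEFAULT_PORTS[port],
                             "uid": int(cols[7]), "inode": int(cols[9])})
    return findings

if __name__ == "__main__":
    for hit in find_tor_listeners(SAMPLE_PROC_NET_TCP):
        print(hit)
```

The reported inode can be matched against the `socket:[inode]` links under `/proc/<pid>/fd` to identify the owning process. A listener on these ports is one signal only, since the ports are configurable.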

This isn't always the best solution though - Tor traffic is detectable. While it does provide anonymity, it does so at a price, and, in many cases, it may be better to blend in with typical HTTP and HTTPS traffic than to stand out via Tor. Which leads to another possible use of Tor in C&C systems, but implemented between proxies rather than between a client and a proxy or a client and a server.
