Defending Against Tor-Using Malware, Part 2
Last week, we talked about what Tor is, how it works, and why system administrators need to be aware of it. Now the question is: should I block Tor, and if I do decide to do that, what can be done to block Tor?
Tor, by itself, is not inherently malicious. If a user wants to prevent any third party from finding out what sites they are visiting, Tor is an incredibly useful tool. For example, security researchers use Tor routinely to help investigate various online threats. Many dissidents use Tor to hide their traffic from repressive governments.
However, the same traits that make it useful for legitimate parties also make it attractive for cybercriminals. Particularly in an enterprise context, the idea of having completely anonymous traffic going to somewhere on the Internet is not only terrifying, it may even be an unacceptable risk. Blocking Tor is something that a network administrator must consider, but it is not malicious in and of itself.
If one does decide to block Tor traffic, how does one do this?
To block Tor, one has to try and block the connection from the client to Tor servers. These servers frequently listen on several specific ports: ports 80, 443, 9001 and 9030. Clients would try one port or another until it is able to connect to the Tor node(s).
Figure 1. Internet connection to a Tor node by malware
So Tor has a recognizable pattern that can be blocked on the network level. Broadly speaking, there are two possible ways to do this. One can attempt to control the traffic outbound to the Internet by the ports being used. For example, one can block outbound traffic to specific ports, or limit the allowed outbound traffic to certain ports.
Alternately, one can try to use application-level filters or other network inspection techniques to try and determine which is legitimate traffic and which is malicious traffic. For example, application-level filtering, an extension of stateful packet inspection (SPI), would be able to tell the difference between HTTP traffic (port 80) used for web browsing and traffic used for peer-to-peer networking.
For smaller networks – such as those in homes or small businesses – the best solution is to try and block Tor at the endpoint by detecting any malware that uses it. The inexpensive routers used in these situations are not set up by default to block outgoing traffic, nor do they have sophisticated network inspection tools. In addition, blocking some commonly used ports like port 80 (HTTP) or port 443 (HTTPS) would severely affect the user experience, so it’s not really an option either. That leaves endpoint protection as the best option.
For medium to large businesses, it would be a different story. These have the resources and the personnel to implement Tor detection at the network level. Ideally, rules regulating network traffic should already be in place – which may already cover both HTTP and HTTPS traffic.
So what specific steps should be done to guard against Tor-related network traffic?
A web application proxy with application control may be useful. Companies often need to control or scan Internet applications. A good way to do this would be to implement application control, which is more powerful than a simple allow-or-block option, although a combination can be applied:
- Step 1: implement a web proxy that can perform application control. This is usually implemented in a machine in a DMZ.
- Step 2: restrict all direct Internet access to just that web proxy.
Here’s an illustration of what such a setup would look like:
Figure 2. Network segmentation for larger networks
Aside from this, one should monitor firewall hits for outgoing traffic to ports 9001 and 9003. This kind of traffic is characteristic of endpoints trying to access the Tor network. Going through voluminous firewall logs may be daunting, but some firewalls allow logs to be forwarded to security information and event management (SIEM) software, where rules can trigger an automatic notification.
These recommendations allow a network administrator to tell what goes through port 80 and 443. This not only helps mitigate the effects of have a Tor-related malware, but also improves the overall security posture of the network. For one, this may allow a more proactive position in terms of network defense and countermeasures. This in better than just waiting for the offending piece of malware to reach the desktop and deal with the effects of infection (i.e., cleanup.)
Trend Micro offers InterScan Web Security that allows both application control and visibility that is essential to understanding ongoing network risks. Being able to sift through normal web traffic and identify Tor traffic through is as easy as allowing or denying it, as seen below:
Figure 3. Application Control Screen for Policy Creation
In addition, the Deep Discovery Inspector that allows network-wide visibility for Tor-related traffic:
Figure 4. Detection logs for Tor-related applications
Both of these products can be integrated with security information and event management (SIEM) software. The combination of these two security software (InterScan Web Security and Deep Discovery Inspector) as well as other firewall/unified threat management solutions working within a network, all tied to a SIEM product, is an important tool for a network administrator.
This allows him to visualize the events within a network, allowing him to defend the network against newer threats (such as Tor-related malware) and possibly making it easier to pinpoint devices that may be the cause of security alerts.