The worlds first Tor domain blacklist

We are publishing the worlds first Tor (.onion) blacklist: http://dev.virustracker.info/lists/tor blacklist.txt

You can use the blacklist just like normal domain blacklists to

  1. Detect infected machines on proxy level
  2. Prevent the malware from communicating to the C&C, sending stolen data and receiving commands

As Tor is usually running locally (not on a company wide proxy, which would decrease the security and the purpose of using Tor) this Tor domain list is rather useless other than for research purposes.

You can use this blacklist for free in your solutions (including commercial/proprietary ones). It mostly contains C&C domains (one is for an Android based botnet!) and also ransomware related domains where further action is required when a hit is detected. The format is CSV with the header ‘Domain, Trojan’.

.onion domains are not real domains which are present in the public DNS, rather they are actually public keys that are used in the Tor network. Therefore blocking or taking down Tor hidden services is a totally different topic than with normal domains and servers.

Tor functionality in Virus Tracker

One of the cool things of running your own company and being a programmer yourself is that you can develop your own tools – you do not have to rely on crappy Java based tools. We have developed our own directory buster tool that brute forces directories on web servers, which helps for example in determining what panel software a web server runs (if there’s a ZeuS panel, or a Blackhole panel etc).

Using Tor in your own program is easy, all you need to do is proxying the traffic through a Tor proxy. In our instance we have one Tor.exe process running and Privoxy which opens a HTTP proxy and tunnels it via Tor’s socket proxy to the Tor network. In theory you could instruct Windows to directly use the Tor socket proxy, which failed however in our tests.

Whether or not our program uses Tor for the connection it is easily determined by the URL (if has a .onion domain):

    if (strstr(Url, ".onion/"))
        Internet = InternetOpen(NULL, INTERNET_OPEN_TYPE_PROXY, L"http=http://127.0.0.1:8118", NULL, 0);
    else
        Internet = InternetOpen(NULL, INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);

In our tests we have encountered that massive parallel directory busting is very slow on the Tor network and returns very fast timeouts and thus incomplete results. This is because of certain Tor circuit limitations. Bypassing such limits could be done by opening multiple Tor processes and thus using multiple separate connections into the Tor network. A good idea would be also to use multiple IP addresses for those Tor connections.

Ddos attacks in Tor?

Tor hidden services have one big issue: Protecting against ddos attacks that come from the Tor network. Protecting against ddos attacks means you know what and how to block, i.e. specific IPs, protocols or on a higher level specific requests or request types etc. (besides doing load balancing as a ddos prevention which won’t work at all in Tor). In the Tor case, however, the attacker remains completely anonymous on the network level, thanks to Tor (therefore no network level filtering/blocking/logging). The only IPs you will see are those of Tor nodes.