Tor Proxy for Malware Analysis

2012.10.16

I don’t know how You work, but I usually work thru Tor – and thx to our Friends from TorProject for their effort in anonymity.

But – if You research malware thru it – there are issues that I learned by myself, and now I am centralizing them for those who are also interested.

My tweet was, as it appears, not 100% clear and created more mess than it cleared up.

So – let’s structure it a bit 🙂

Major problems You may face when working with malware thru the Tor network:

1. Many malware products declare in various ways that they block access from the Tor network. It’s not important how this is done or how effective it is. If someone tries to filter You out – he will succeed sometimes, and this may interrupt Your results or cause You to miss something important.

2. The Tor network is not always 100% working, and there are errors like “TTL expired” or some timeouts that are fixed automatically after a refresh, but for some tools those responses are critical!

3. Well, it’s often that modern malware uses TDS and anti-forensics that will lead You to the weaponized page only once per IP. So – Tor exit points are limited (how many of them now – 700-800 or so) and You cannot know if some other researcher already poked this particular infector from this IP. As a result – You get a wrong response. Again )

4. Modern malware is also capable of using GeoLoc databases that detect from what country You originally visit this page. And if You are not on the target list – You will not get the infected page, but rather a clean response from the server. And even if You know that the MDS server is up, running and currently infecting systems, for a researcher thru the Tor network that came from a “BAD” country (see explanation here) – again You’ll get a clean page or a wrong redirect.

So – if You use Tor for Your research, have some other way to review the result, double recheck it, and always consider that Tor can add some random errors to Your research results :)
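As an added example (not from the original post), here is a small Python triage helper that applies the four caveats above to each fetch attempt made through Tor: transient circuit errors are marked for retry rather than recorded, an exit IP that was already used against the same target is flagged (the TDS may have served its one-shot payload to it already), Tor-block responses and exit countries outside the expected target list are flagged as untrustworthy. All sample values are constructed; the 403 status and the marker strings used to recognize a Tor-blocking page are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed marker strings; adjust to what the target actually returns.
TRANSIENT_ERRORS = ("TTL expired", "timeout")
TOR_BLOCK_MARKERS = ("tor", "access denied")


@dataclass
class Attempt:
    """One fetch of `target` through a Tor exit (status 0 = no HTTP response)."""
    target: str
    exit_ip: str
    exit_country: str
    status: int
    body: str


@dataclass
class Triage:
    # target URL -> exit IPs that already received a real server response
    seen_exits: dict[str, set[str]] = field(default_factory=dict)

    def classify(self, a: Attempt, target_countries: set[str]) -> str:
        prior = self.seen_exits.setdefault(a.target, set())
        # 2. Transient Tor failure: nothing learned, retry on a fresh circuit.
        if a.status == 0 and any(e in a.body for e in TRANSIENT_ERRORS):
            return "retry"
        # 3. Exit already used for this target: a once-per-IP TDS may have
        #    burned it, so a clean page here proves nothing.
        if a.exit_ip in prior:
            return "exit-reused"
        prior.add(a.exit_ip)
        # 1. Server explicitly filters Tor users.
        if a.status == 403 and any(m in a.body.lower() for m in TOR_BLOCK_MARKERS):
            return "tor-blocked"
        # 4. Exit country outside the campaign's target list: expect a decoy.
        if a.exit_country not in target_countries:
            return "geo-mismatch"
        return "usable"


if __name__ == "__main__":
    t = Triage()
    for att in (Attempt("http://example.invalid/x", "198.51.100.7", "US", 0, "TTL expired"),
                Attempt("http://example.invalid/x", "198.51.100.7", "US", 200, "<html>..."),
                Attempt("http://example.invalid/x", "198.51.100.7", "US", 200, "<html>..."),
                Attempt("http://example.invalid/x", "203.0.113.9", "DE", 200, "<html>...")):
        print(att.exit_ip, att.exit_country, "->", t.classify(att, {"US"}))
```

Only results labelled "usable" are worth recording; everything else should be re-fetched from a different exit or verified through a non-Tor path.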

Stay safe

D.L.
