
SANS ISC: InfoSec Handlers Diary Blog


Botnet traffic using TOR

Published: 2006-07-12
Last Updated: 2006-07-13 04:51:39 UTC
by Jason Lam (Version: 2)
A reader (AnthraX101) recently wrote to us about seeing botnet traffic leaving the TOR network toward the Internet. We are not sure at this point whether the botnet itself uses TOR or whether a specific machine is simply configured to route everything through TOR. Either way, if malware starts using TOR to report back centrally, it might make detecting it more difficult. From an incident handler's perspective, it makes pinpointing the victims more difficult.

For the Enterprise security folks, it might be time for you to consider blocking the use of TOR.


After working with REN-ISAC on this, we have determined that this specific instance is not a TOR-enabled botnet; the traffic was likely configured to flow through TOR on the host.
