Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: Retrieving malware over Tor on Windows SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Retrieving malware over Tor on Windows

I found an easier way to retrieve malware over Tor on Windows, using free open-source software.

Tallow uses Tor and WinDivert to redirect network connections over the Tor network.

After starting Tallow, press the Tor button:

Then you can use wget on Windows:

DEBUG output created by Wget 1.11.4 on Windows-MSVC.

--2018-02-25 23:56:22--
Resolving seconds 0.00,
Caching =>
Connecting to||:80... seconds 0.00, connected.
Created socket 300.
Releasing 0x0142ea78 (new refcount 1).

---request begin---
GET / HTTP/1.0

User-Agent: Wget/1.11.4

Accept: */*


Connection: Keep-Alive


---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.0 200 OK

Cache-Control: max-age=604800

Content-Type: text/html

Date: Sun, 25 Feb 2018 22:56:24 GMT

Etag: "1541025663+gzip+ident"

Expires: Sun, 04 Mar 2018 22:56:24 GMT

Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT

Server: ECS (lga/1386)

Vary: Accept-Encoding

X-Cache: HIT

Content-Length: 1270

Connection: keep-alive


---response end---
200 OK
Registered socket 300 for persistent reuse.
Length: 1270 (1.2K) [text/html]
Saving to: `index.html'

     0K .                                                     100% 32.1M=0s

2018-02-25 23:56:23 (32.1 MB/s) - `index.html' saved [1270/1270]

Onion services can be accessed too:

By default, Tallow only allows TCP connections on port 80 and 443 (Force web-only). Disable this toggle if you need to access other ports.

Didier Stevens
Microsoft MVP Consumer Security


557 Posts
ISC Handler
Feb 25th 2018

Sign Up for Free or Log In to start participating in the conversation!