About a week ago I turned on a new rule on our IPS system that is designed to detect (and block) users who are using TOR to make their activities on our network anonymous.  You can say that TOR is about protecting a user’s privacy all you want, but I’d argue that while using corporate assets you should have no expectation of privacy (at least in that sense) and that the use of anonymizers on a corporate network can typically be viewed as a sign that you are up to no good.  Almost immediately when I turned on this new rule, I began seeing associated events in the IPS console.  I decided that the best approach was to contact the user directly as they may be wondering why their Internet connection was no longer working.  I reached out to this particular user and explained that if this was the case, then it was because of the new IPS rule.  The solution was simple; just reconfigure his browser to no longer use TOR as the proxy.  But as I began this process, things started getting weird.

I began by telling the user to look for names like “TOR”, “The Onion Router”, and “Privoxy” in his Add & Remove Programs.  Strange... there was nothing there.  Then I asked him to check his Task Manager to look for a running process called “tor.exe” or similar.  Again, nothing.  I was at a loss.  I decided that this was something I needed to get my hands on to figure out, so I scheduled some time with the user.

This morning when I sat with the user, I noticed little wrong with his system.  He had a few standard applications running, but nothing unusual.  I checked his process listing and saw nothing out of the ordinary.  I ran HijackThis and that, too, looked pretty normal.  All this, yet in the meantime I continued to see alerts on the IPS system that his computer was using TOR.  Even when I was sitting at the console with NO browser activity.

So, to make a long story short, here’s how I finally figured out what was happening.  I checked the IPS system and came up with the source ports for the requests that I was seeing alerts on.  I then went on the system and ran netstat -nao.  This listed all network connections on the user’s system along with the associated process ID.  I checked the list and found the entry that matched the port number I was seeing the alerts on.  I then ran the command tasklist /svc /FI "PID eq <process_num>".  This provided me with the name of the process that was running with this process ID, which it turns out was “iexplore.exe”.  Wait.  Internet Explorer isn’t even running on this computer.  Or is it?  Since the default process viewer in the Task Manager is pretty lame, I downloaded the Microsoft Sysinternals Process Monitor.  It’s a free tool available from Microsoft that provides a ton more information about running processes and allows you to see what they are doing in real time.  I used the Process Monitor to view these processes and focused particularly on the flags that were used when they started.  What I found was actually pretty startling.

Both of the Internet Explorer processes were started with a special flag that told them to start silently (i.e. without the UI) in the background.  They also specified flags similar to this:

--HiddenServiceDir "C:\Documents and Settings\<User_Name>\Application Data\tor\hidden_service" --HiddenServicePort "55080 127.0.0.1:55080"

Aha!  We found our culprit!  TOR was running as a hidden service out of the Application Data directory.  Once I found this, it was all over.  Scanning through the Application Data directory, I also found a file under “Enemvy\ugbie.exe” that was extremely suspect.  A later scan via Malwarebytes identified it as a variant of Trojan.ZbotR.  I deleted these directories and Malwarebytes found one registry key associated with the ugbie.exe file and deleted it.  All is good now and the system is no longer alerting about use of TOR.
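To make the port-to-PID-to-command-line correlation above repeatable, here is an added PowerShell helper (my own, not something from the original post or from the Sysinternals tools).  It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection, an elevated prompt so every process's command line is readable, and the list of Tor option names in the regex is my assumption about what to look for; the ports in the usage line are constructed sample values.

```powershell
# Added triage helper (not from the original post): map IPS-alerted source ports
# to the owning process and its command line, then flag Tor hidden-service options.
# Assumes Windows 8 / Server 2012+ (Get-NetTCPConnection) and an elevated shell.

# Tor options seen in the post plus a few common ones (assumption); Tor accepts
# both single-dash and double-dash spellings, so the regex allows either.
$TorOptionPattern = '(?i)--?(HiddenServiceDir|HiddenServicePort|SocksPort|ControlPort|DataDirectory)\b'

function Get-ProcessForLocalPort {
    param([Parameter(Mandatory)][int[]]$LocalPort)

    foreach ($port in $LocalPort) {
        # Equivalent of "netstat -nao" filtered on the local (source) port.
        $conns = Get-NetTCPConnection -LocalPort $port -ErrorAction SilentlyContinue
        if (-not $conns) {
            [pscustomobject]@{ LocalPort = $port; ProcessId = $null; Name = '<no connection>';
                               ParentPid = $null; CommandLine = $null; TorOptions = $false }
            continue
        }
        foreach ($owner in ($conns.OwningProcess | Sort-Object -Unique)) {
            # Equivalent of 'tasklist /svc /FI "PID eq <pid>"', plus the full command line
            # and parent PID; the name alone (iexplore.exe) was misleading in the post.
            $proc = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $owner"
            [pscustomobject]@{
                LocalPort   = $port
                ProcessId   = $owner
                Name        = $proc.Name
                ParentPid   = $proc.ParentProcessId
                CommandLine = $proc.CommandLine
                TorOptions  = [bool]($proc.CommandLine -match $TorOptionPattern)
            }
        }
    }
}

# Usage: paste the source ports from the IPS alerts (constructed sample values).
Get-ProcessForLocalPort -LocalPort 55080, 49211 |
    Where-Object { $_.TorOptions } |
    Format-List LocalPort, ProcessId, Name, ParentPid, CommandLine
```

Drop the Where-Object filter to see every process the ports map to, including ones whose command line is empty because the shell was not elevated.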

So, what’s our lesson here?  The malware writers are getting sneaky.  They’ve realized that we’ve created blacklists of their servers and they need to be able to adapt around that.  Now, they are using anonymizers, like TOR, to get around these blacklists.  Apparently this isn’t the first use of TOR in malware either, as I read about something called SkyNet that did something similar.  In any case, they would have gotten away with it if it weren’t for my IPS rule to detect TOR and a fair amount of persistence in finding the root cause.  If you’re not already detecting this on your network, I think it’s high time you did.  You can thank me later.