Malware is Using TOR to Bypass Your Domain Blacklists
Published 2013-03-20, https://www.webadminblog.com/index.php/2013/03/20/malware-is-using-tor-to-bypass-your-domain-blacklists/

About a week ago I turned on a new rule on our IPS system that is designed to detect (and block) users who are using TOR to make their activities on our network anonymous. You can say that TOR is about protecting a user's privacy all you want, but I'd argue that while using corporate assets you should have no expectation of privacy (at least in that sense), and that the use of anonymizers on a corporate network can typically be viewed as a sign that you are up to no good. Almost immediately after I turned on this new rule, I began seeing associated events in the IPS console. I decided that the best approach was to contact the user directly, as they may have been wondering why their Internet connection was no longer working. I reached out to this particular user and explained that if this was the case, then it was because of the new IPS rule. The solution was simple: just reconfigure his browser to no longer use TOR as the proxy. But as I began this process, things started getting weird.

I began by telling the user to look for names like "TOR", "The Onion Router", and "Privoxy" in his Add & Remove Programs. Strange... there was nothing there. Then I asked him to check his Task Manager to look for a running process called "tor.exe" or similar. Again, nothing. I was at a loss. I decided that this was something I needed to get my hands on to figure out, so I scheduled some time with the user.

This morning when I sat with the user, I noticed little wrong with his system. He had a few standard applications running, but nothing unusual. I checked his process listing and saw nothing out of the ordinary. I ran HijackThis and that, too, looked pretty normal. All this, yet in the meantime I continued to see alerts on the IPS system that his computer was using TOR, even when I was sitting at the console with NO browser activity. So, to make a long story short, here's how I finally figured out what was happening. I checked the IPS system and came up with the source ports for the requests that I was seeing alerts on. I then went on the system and ran a netstat -nao. This listed all network connections on the user's system along with the associated process ID. I checked the list and found the entry that matched the port number I was seeing the alerts on. I then ran the command tasklist /svc /FI "PID eq <process_num>". This provided me with the name of the process that was running with this process ID, which turned out to be "iexplore.exe". Wait. Internet Explorer isn't even running on this computer. Or is it? Since the default process viewer in the Task Manager is pretty lame, I downloaded the Microsoft Sysinternals Process Monitor (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx). It's a free tool available from Microsoft that provides a ton more information about running processes and allows you to see what they are doing in real time. I used the Process Monitor to view these processes and focused particularly on the flags that were used when they started. What I found was actually pretty startling.

Both of the Internet Explorer processes were started with a special flag that told them to start silently (i.e. without the UI) in the background. They also specified a flag similar to this:

    --HiddenServiceDir "C:\Documents and Settings\<User_Name>\Application Data\tor\hidden_service" --HiddenServicePort "55080 127.0.0.1:55080"

Aha! We found our culprit! TOR was running as a hidden service out of the Application Data directory. Once I found this, it was all over. Scanning through the Application Data directory, I also found a file under "Enemvy\ugbie.exe" that was extremely suspect. A later scan via Malwarebytes identified it as a variant of Trojan.ZbotR. I deleted these directories, and Malwarebytes found one registry key associated with the ugbie.exe file and deleted it. All is good now and the system is no longer alerting about use of TOR.

So, what's our lesson here? The malware writers are getting sneaky. They've realized that we've created blacklists of their servers and they need to be able to adapt around that. Now they are using anonymizers, like TOR, to get around these blacklists. Apparently this isn't the first use of TOR in malware either, as I read about something called SkyNet (https://www.mysonicwall.com/SonicAlert/index.asp?ev=article&id=507) that did something similar. In any case, they would have gotten away with it if it weren't for my IPS rule to detect TOR and a fair amount of persistence in finding the root cause. If you're not already detecting this on your network, I think it's about high time you did. You can thank me later.