A lot of people associate online anonymity with Tor; however, it is a much deeper issue than that and does not relate only to privacy while browsing. In this post, we will look at some of the key concepts to keep in mind when analyzing malware, because when we talk about anonymity, we need to understand the role played by proxy servers and by the protocols used for communication in such cases.
It’s important to be aware of these concepts, because when someone is trying to establish an anonymous connection these are the fundamental tools employed.
A proxy is nothing more than a system placed in the path of a communication to act as an intermediary. Depending on the type of proxy used, the information sent by the user may still be identifiable, and it may be recorded on some piece of equipment along the way.
They can be used for a variety of purposes: managing bandwidth, applying restrictions on a network (for example on downloading applications or from websites), or blocking access to certain sites, just to name a few.
Basically, a proxy is situated between the client equipment and the destination equipment. The types seen frequently are:
Now that we are clear about the differences between these types of proxies, we need to look at what type of activity is going to be carried out, in order to know which proxy type is best suited to the needs of the investigation.
Protocols are sets of rules that enable communication between entities (client – service) in order to send information. The most frequently seen are HTTP, SOCKS4, and SOCKS5.
These are described in turn below:
It’s important to know what type of information you are sending when you are connecting and interacting with a piece of equipment directly.
Let’s suppose you are carrying out a security audit with the relevant authorities in order to dismantle a network of cybercriminals: you will need to run a lot of processes that interact with the equipment they use to carry out their attacks. With anonymity, the investigator can keep disguising their identity (i.e. their IP address) throughout, without ever exposing their real one.
If your actions were discovered by the cybercriminals, they might find out that you were trying to make connections from a network belonging to a branch of the authorities, due to the availability of records and public information, including that held by registration organizations.
Anonymity is also useful when the investigator has set up a tool to automatically download samples of malicious code from websites. If you do not want to leave any kind of record anywhere (whether for reasons of confidentiality, for personal reasons, or because the situation requires it), tools with this ability will be of great use to you as an investigator.
Let’s consider the example of investigating a botnet: after identifying the address where the botmaster’s control panel is located, if you try to access it to check whether it is active, there are two potential outcomes:
The main thing is to keep in mind the differences between HTTP, SOCKS4, and SOCKS5. In many investigations, including security audits and malware analyses, it’s best to leave nothing to chance. Therefore, it’s necessary to consider what type of activity you are going to carry out, what level of anonymity you will need, and what type of connection you are going to use (for better security, SOCKS5 is recommended).
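As an added example (not code from the original post), the following Python builds the SOCKS4 and SOCKS5 CONNECT requests and decodes a SOCKS5 reply, making concrete one reason SOCKS5 is preferred for keeping an investigation quiet: plain SOCKS4 only carries an IPv4 address, so the analyst's own machine has to resolve the destination name, whereas SOCKS5 can hand the proxy the domain name unresolved. The sample host name and the proxy reply bytes are constructed for illustration; a real client would send these bytes over a TCP socket to the proxy.

```python
import ipaddress
import struct

def socks4_connect(ipv4, port, user_id=b""):
    """SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL. Only an IPv4 address fits,
    so the client must resolve the hostname itself and that DNS query bypasses the proxy."""
    return struct.pack("!BBH", 0x04, 0x01, port) + ipaddress.IPv4Address(ipv4).packed + user_id + b"\x00"

def socks5_greeting(methods=(0x00,)):
    """SOCKS5 method negotiation: VER=5, NMETHODS, METHODS (0x00 = none, 0x02 = user/pass)."""
    return bytes([0x05, len(methods), *methods])

def socks5_connect(host, port):
    """SOCKS5 CONNECT (RFC 1928): VER, CMD=1, RSV, ATYP, DST.ADDR, DST.PORT. A domain name
    goes out verbatim as ATYP 0x03, so the proxy does the DNS lookup; literal IPs use 0x01/0x04."""
    try:
        addr = ipaddress.ip_address(host)
        atyp, dst = (0x01 if addr.version == 4 else 0x04), addr.packed
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("domain name too long for SOCKS5")
        atyp, dst = 0x03, bytes([len(name)]) + name
    return bytes([0x05, 0x01, 0x00, atyp]) + dst + struct.pack("!H", port)

REPLY_CODES = {0x00: "succeeded", 0x01: "general failure", 0x02: "not allowed by ruleset",
               0x03: "network unreachable", 0x04: "host unreachable", 0x05: "connection refused",
               0x06: "TTL expired", 0x07: "command not supported", 0x08: "address type not supported"}

def parse_socks5_reply(data):
    """Decode the proxy's CONNECT reply (IPv4 or domain bind address) into (status, addr, port)."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == 0x01:
        addr, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == 0x03:
        addr, rest = data[5:5 + data[4]].decode("idna"), data[5 + data[4]:]
    else:
        raise ValueError("unsupported address type in reply")
    if len(rest) < 2:
        raise ValueError("truncated reply")
    return REPLY_CODES.get(rep, "unknown"), addr, struct.unpack("!H", rest[:2])[0]

# Constructed exchange: CONNECT to a sample host by name, then a proxy reply meaning
# "succeeded, bound to 192.0.2.1:1234" (documentation-range address, not a real host).
REQUEST = socks5_connect("sample-host.example", 443)
REPLY = parse_socks5_reply(b"\x05\x00\x00\x01\xc0\x00\x02\x01\x04\xd2")
```

Inspecting REQUEST shows the host name travelling to the proxy as bytes, which is exactly what the SOCKS4 request cannot do.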
Beyond the concept of anonymity, there are various other issues to keep in mind depending on the requirements of the situation. While Tor is a free network for privacy-oriented browsing, there are other tools, such as Privoxy and ProxyChains to name just two, that also help maintain privacy while you run your other tools.
In the day-to-day running of an investigation, you have to constantly evaluate what type of activity you need to carry out, and whether or not it requires anonymity. If it does require anonymity, you need to analyze what level, and, of course, the higher the security of the connection, the better the conditions will be.
As an investigator, it’s essential to understand how things work and not to limit yourself to one particular tool. This enables you to develop your own customized tools, and it will help you in analyzing malware.
Image credits: ©Grant Hutchinson/Flickr
Author Ignacio Pérez, ESET