Demystifying TOR

11/03/2014 12:39 GMT | Updated 10/05/2014 10:59 BST

Tor (short for The Onion Router) is software designed to allow someone to remain anonymous when accessing the Internet. It has been around for some time, but for many years was used mainly by experts and enthusiasts. However, Edward Snowden's revelations have resulted in a surge of interest in Tor as more people seek online anonymity.

What is Tor?

Tor basically allows anonymous access to Internet services. Using Tor, 'normal' Internet activities such as web access, instant messages, forum posts and other online communications can't be traced back to the person in the way they can be when accessing the Internet by conventional means. It is impossible to identify someone's IP address in Tor, making it impossible to determine who they are in real life or to attribute information sent using Tor.

How does Tor provide anonymity?

Tor routes traffic through a distributed network of servers that form a series of 'onion rings' (hence the name, The Onion Router). All network traffic (i.e. all information) is encrypted in layers, one for each server it passes through on its way across the Tor network. In addition, none of the network nodes knows either the source of the traffic, its destination or the content. This ensures a high level of anonymity, making it impossible to determine who is generating the network activity.
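To make the layering concrete, here is an added toy model of a three-hop circuit (written for this page, not code from Tor or from Kaspersky Lab): the client wraps the payload once per relay, and each relay can strip only its own layer, so the guard sees the client but not the destination, the exit sees the destination but not the client, and the middle sees neither. The relay names, keys and destination are constructed, and the XOR keystream stands in for the per-hop AES-CTR that real Tor uses; note that in this model the exit relay does see the payload, which is why end-to-end encryption such as TLS still matters on top of Tor.

```python
import hashlib
import json

def keystream(key: bytes, n: int) -> bytes:
    """Derive n bytes of keystream from key (SHA-256 in counter mode)."""
    out = b""
    for i in range(n // 32 + 1):
        out += hashlib.sha256(key + i.to_bytes(4, "big")).digest()
    return out[:n]

def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Toy symmetric cipher standing in for the AES-CTR layer Tor applies per hop."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

# Constructed 3-hop circuit: (relay name, symmetric key the client shares with that relay).
CIRCUIT = [("guard", b"key-guard"), ("middle", b"key-middle"), ("exit", b"key-exit")]

def build_onion(circuit, destination: str, payload: str) -> bytes:
    """Client side: wrap the payload once per hop, innermost (exit) layer first."""
    layer = xor_cipher(json.dumps({"next": destination, "data": payload}).encode(), circuit[-1][1])
    for i in range(len(circuit) - 2, -1, -1):
        _, key = circuit[i]
        wrapped = json.dumps({"next": circuit[i + 1][0], "data": layer.hex()}).encode()
        layer = xor_cipher(wrapped, key)
    return layer

def relay_peel(key: bytes, onion: bytes):
    """A relay strips only its own layer: it learns the next hop and an opaque blob."""
    msg = json.loads(xor_cipher(onion, key).decode())
    return msg["next"], msg["data"]

def can_read(key: bytes, onion: bytes) -> bool:
    """True if key unwraps the outer layer; a relay holding another hop's key gets garbage."""
    try:
        relay_peel(key, onion)
        return True
    except (ValueError, KeyError, TypeError):
        return False

def traverse(circuit, onion: bytes, source: str = "client"):
    """Walk the circuit and record what each relay can observe about from/to/payload."""
    views, prev, blob = [], source, onion
    for i, (name, key) in enumerate(circuit):
        nxt, data = relay_peel(key, blob)
        last = i == len(circuit) - 1
        views.append({"relay": name, "from": prev, "to": nxt, "payload": data if last else None})
        prev, blob = name, (None if last else bytes.fromhex(data))
    return views

if __name__ == "__main__":
    for view in traverse(CIRCUIT, build_onion(CIRCUIT, "example.org:443", "GET / HTTP/1.1")):
        print(view)
```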

Who needs Tor?

Tor has become a helpful solution for those who, for any reason, fear the surveillance and the leakage of confidential information. But as well as legitimate users, this technology understandably attracts the attention of cybercriminals, who also value the anonymity it offers. The Tor network has long been known for hosting a large number of resources carrying out illegal activity.

Malware in Tor

In 2013 we started to see cybercriminals actively using Tor to host their malicious infrastructure, and Kaspersky Lab experts have found various malicious programs that specifically use Tor. Investigation of Tor network resources reveals lots of resources dedicated to malware, including Command-and-Control servers, administration panels and more. By hosting their servers in the Tor network, cybercriminals make them harder to identify, blacklist and eliminate.

Darknet Market Square

Cybercriminal forums and marketplaces have become familiar on the 'normal' Internet. Recently, Tor-based underground marketplaces have also emerged. It all started with the notorious Silk Road market and has evolved into dozens of specialist markets - for drugs, arms and, of course, malware.

Carding shops are firmly established in the Darknet, where stolen personal information is for sale, with a wide variety of search attributes like country, bank etc. The goods on offer are not limited to credit cards: dumps, skimmers and carding equipment are for sale too.

A simple registration procedure, trader ratings, guaranteed service and a user-friendly interface - these are standard features of a Tor underground marketplace. Some of the stores require sellers to deposit a pledge - a fixed sum of money - before starting to trade. This is to ensure that a trader is genuine and his services are not a scam or of poor quality.

Tor and Bitcoin

The development of Tor has coincided with the emergence of the anonymous crypto-currency, Bitcoin. Nearly everything on the Tor network is bought and sold using Bitcoins. It's almost impossible to link a Bitcoin wallet and a real person, so conducting transactions in the Darknet using Bitcoin means that cybercriminals can remain virtually untraceable.

The future of the Tor network

It's hardly surprising that the use of Tor has increased, given the growing concerns about the erosion of privacy on the Internet. It seems likely that Tor will become a mainstream feature of the Internet, as increasing numbers of ordinary people using the Internet seek a way to safeguard their personal information. But it's also an attractive mechanism for cybercriminals - a way for them to conceal the functions of the malware they create, to trade in cybercrime services and to launder their illegal profits. I'm sure that we've only seen the start of their use of Tor.