Research seeks to beat the botnets
It’s become regular news: Cyber criminals are taking down company networks, stealing personal data, and holding hard drives hostage to extract ransoms from computer users. They’re activating stealthy botnets and hiding their identities by taking advantage of privacy infrastructures such as Tor. But what if the problem becomes even worse?
According to College of Computer and Information Science (CCIS) Professor Guevara Noubir and PhD student Amirali Sanatinia, this is likely to happen. They believe cyber criminals will develop more sophisticated botnets that are better able to evade detection. Meanwhile, the rise of cryptocurrencies such as Bitcoin makes it easier to hide financial transactions.
“Tor gives the privacy to browse the Internet or place a server somewhere without anyone knowing your location, but cyber criminals can also do this. With Bitcoin, criminals can shuffle money between each other and make it difficult to identify where it happened. Both botnets and Bitcoin can be used by malicious entities to get away with crime,” explains Noubir.
He and Sanatinia are seeking to preempt the potential impact of the next wave of botnets through research. They’re exploring what Noubir describes as a fundamental question: Is it possible to provide privacy for legitimate users without becoming subject to the abuses of cyber criminals? “We want to know the tradeoffs and find the sweet spot,” says Sanatinia, whose doctoral dissertation will focus on this topic.
To address the problem, the researchers needed to think like the cyber criminals. They set out to design a “super bot” that could hide in Tor and be resilient to current protection capabilities.
Noubir and Sanatinia gave their super botnet a name: the OnionBot, which reflects its ability to exploit a technique called onion routing. They determined that this type of botnet could communicate through Tor's onion-like layers of encrypted messages without being detected, thanks to the anonymity Tor provides.
Though OnionBots are not yet in use, their primitive counterparts are already hiding behind Tor. And the researchers are confident they’re coming, believing the degree of anonymity and potential gains OnionBots offer are too tempting for cyber criminals to resist.
“These OnionBots can be quite powerful because it’s virtually impossible to track them to an IP [Internet protocol] address without breaking Tor,” Noubir says. “We created a very sophisticated design for the bots, but there is also a way to mitigate them.”
The technique they developed to protect against the botnet also has a name: SOAP, for Sybil Onion Attack Protocol. It “cleanses” a network of OnionBots by using their own methods against them. Instead of inserting malicious bots, a soaping attack introduces benign ones that clone themselves and then surround, isolate, and neutralize the OnionBots. Noubir summarizes, “We used privacy capabilities to combat OnionBots.”
Sanatinia describes the next steps in the research: Consider even more sophisticated Super OnionBots and their likely behavior. Provide more advanced mitigation methods. Analyze or even redesign Tor to mitigate future abuses by cyber criminals.
Their efforts to date are already attracting worldwide notice, including coverage in the MIT Technology Review. Most recently, the paper Noubir and Sanatinia wrote about their research was accepted for publication in the proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), a prestigious forum highlighting the best research, insights, and solutions related to challenging problems in dependable computing and security.
This is exactly the kind of attention they want to attract, hoping to ignite other ideas to address the dangers of next-generation botnets. Noubir says, “We encourage the research community to start thinking about the problem and solve it before it’s too late. Our goal is to be a step ahead of the attackers, to make sure that whatever they might think of, there’s a cure.”
– As seen in the February 2015 E-Newsletter –