Retrieving malware over Tor - SANS Internet Storm Center

Retrieving malware over Tor
A couple of years ago, Lenny Zeltser wrote a diary entry on how to use curl to retrieve malware samples. If you don't want to disclose your public IP address when retrieving malware, you can use proxies. One way to do this, is to use the Tor anonimity network. On Linux and OSX, it's quite easy to do so. You install the tor and torsocks packages for your distro, start tor, and then launch your curl or wget command via torsocks. torsocks curl http://www.example.com/page -D headers.txt -o sample.vir Mind you, the Tor network can be slow or unstable sometimes, which may interfere with the sample download. And Tor nodes might also be blocked in countries where you want to download samples from. On Windows, you can use Tor but not torsocks. For curl, that's not a problem. You just instruct curl to use the Tor socks proxy with option --socks5-hostname: curl --socks5-hostname localhost:9050 http://www.example.com/page -D headers.txt -o sample.vir For wget, it's a bit more complex, because wget can't talk to Socks directly. wget can talk to a HTTP/HTTPS proxy, so you can setup such a proxy between Tor and wget. Didier Stevens Microsoft MVP Consumer Security blog.DidierStevens.com DidierStevensLabs.com	DidierStevens 650 Posts ISC Handler Jan 21st 2018
Thread locked Subscribe	Jan 21st 2018 4 years ago
torrc: VirtualAddrNetworkIPv4 10.192.0.0/10 AutoMapHostsOnResolve 1 SocksPort 127.0.0.1:9050 TransPort 127.0.0.1:9040 DNSPort 127.0.0.1:9053 ControlPort 9051 DisableDebuggerAttachment 0 ExitNodes {US} StrictNodes 1 set ExitNodes country codes for geolocked sites (http://www.b3rn3d.com/blog/2014/03/05/tor-country-codes/) all scripts use '$1" as site ie "wgettor www.google.com". I usually use a single quote like: wgettor 'https://badsite[.]com' wgettor (grab single file) torsocks wget --max-redirect 100 --no-check-certificate -S -U 'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko' "$1" wgettordir (grab entire directory) torsocks wget --recursive --no-parent --no-check-certificate -R index.html* -S -U 'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko' "$1" wgettornoua (useful for malware that detects UA or use a keep-alive only type of request) torsocks wget --max-redirect 100 --no-check-certificate -S -U "" "$1" wgettorref (useful for malware that looks for a referer, use as wgetttorref "referer" "site") torsocks wget -S --referer="$1" -U 'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko' --header="Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5" --header="Accept-Language: en-us,en;q=0.5" --header="Accept-Encoding: gzip,deflate" --header="Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7" --header="Keep-Alive: 300" "$2"	James 35 Posts
Quote	Jan 22nd 2018 4 years ago
Thanks!	DidierStevens 650 Posts ISC Handler
Quote	Jan 23rd 2018 4 years ago

A couple of years ago, Lenny Zeltser wrote a diary entry on how to use curl to retrieve malware samples.

If you don't want to disclose your public IP address when retrieving malware, you can use proxies. One way to do this, is to use the Tor anonimity network.

On Linux and OSX, it's quite easy to do so.

You install the tor and torsocks packages for your distro, start tor, and then launch your curl or wget command via torsocks.

torsocks curl http://www.example.com/page -D headers.txt -o sample.vir

Mind you, the Tor network can be slow or unstable sometimes, which may interfere with the sample download. And Tor nodes might also be blocked in countries where you want to download samples from.

On Windows, you can use Tor but not torsocks.

For curl, that's not a problem. You just instruct curl to use the Tor socks proxy with option --socks5-hostname:

curl --socks5-hostname localhost:9050 http://www.example.com/page -D headers.txt -o sample.vir

For wget, it's a bit more complex, because wget can't talk to Socks directly. wget can talk to a HTTP/HTTPS proxy, so you can setup such a proxy between Tor and wget.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

650 Posts
ISC Handler

Jan 21st 2018

torrc:
VirtualAddrNetworkIPv4 10.192.0.0/10
AutoMapHostsOnResolve 1
SocksPort 127.0.0.1:9050
TransPort 127.0.0.1:9040
DNSPort 127.0.0.1:9053
ControlPort 9051
DisableDebuggerAttachment 0
ExitNodes {US}
StrictNodes 1

set ExitNodes country codes for geolocked sites (http://www.b3rn3d.com/blog/2014/03/05/tor-country-codes/)

all scripts use '$1" as site ie "wgettor www.google.com". I usually use a single quote like: wgettor 'https://badsite[.]com'

wgettor (grab single file)
torsocks wget --max-redirect 100 --no-check-certificate -S -U 'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko' "$1"

wgettordir (grab entire directory)
torsocks wget --recursive --no-parent --no-check-certificate -R index.html* -S -U 'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko' "$1"

wgettornoua (useful for malware that detects UA or use a keep-alive only type of request)
torsocks wget --max-redirect 100 --no-check-certificate -S -U "" "$1"

wgettorref (useful for malware that looks for a referer, use as wgetttorref "referer" "site")
torsocks wget -S --referer="$1" -U 'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko' --header="Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" --header="Accept-Language: en-us,en;q=0.5" --header="Accept-Encoding: gzip,deflate" --header="Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7" --header="Keep-Alive: 300" "$2"

James

35 Posts

Thanks!

DidierStevens

650 Posts
ISC Handler