The Deep Web: Anonymizing Technology for the Good… and the Bad?


“Hi, I’m looking for someone who can hit this crook I know right where it hurts. Know anyone? ($100-$1000)”

This is an example of just one of the ads posted in a Deep Web marketplace. Within these hidden corners of the Web, one can find markets where hackers and assassins can be hired, and illegal goods such as drugs, paraphernalia, weapons, pornographic materials, and malware toolkits can be traded.

Just like an iceberg, a vast majority of the Internet is obscured from plain sight. For most users, the Surface, or Visible Web, is all that they'll ever need. It's that "tip of the iceberg" part of the Internet where anyone with a capable device and a connection can access or search for information, products, and services. But little is known about the Deep Web. What is it? How does it work? Is it legal? Is it real?

The Deep Web, which is the unindexed section of the Internet, is invisible to users because search engine spiders are not able to "crawl" them. To evade search engine crawlers, the most efficient method for malicious users is to use "darknets" or anonymizing networks that provide untraceable access to Web content and invisibility for a site. Such networks like TOR, Freenet, and i2P are essentially built to distribute files and set up sites.

Despite its reputation, these networks were primarily designed to provide a system for secure communications, where users can escape censorship and practice free speech. Unfortunately, these darknets are also widely popular among criminals who trade illegal products and services, mostly because of the anonymity that it provides. Additionally, the Deep Web is also filled with content and sites hosted on alternative top-level domains or “rogue TLDs” that aren't detectable to most of us. The infamous, and now shuttered Silk Road underground marketplace ran on TOR since its inception in 2011. However, it won’t be long before newer marketplaces emerge.

The Malware Connection

Recently, more malware incorporate the use of TOR and other darknets in their routines as a method of evasion. In the second half of 2013, cybercriminals used malware in TOR to hide their networking traffic. The Mevade malware and TorRAT malware used TOR for backup command and control (C&C) communication. TorRAT malware targeted bank accounts of Dutch users, while Mevade installed adware and hijacked search results. By the end of 2013, a ransomware variant called Cryptorbit would ask the victim to pay the ransom using a browser bundle pre-configured for TOR.  

As seen in the past, using TOR can be seen as a huge advantage for cybercriminals because of the anonymity it offers. Earlier this year, ransomware and targeted attacks were used by cybercriminals via the Deep Web. Of course, some things didn't change, particularly the need to hide C&C communications that allows attackers to conduct transactions without being seen or traced. Here are some notable cases where malware use TOR in one way or another:

Crypto-ransomware – in January of 2015, the Australia-New Zealand region was afflicted by variants of TorrentLocker, a ransomware variant that uses encryption to extort money from victims. The malware uses TOR for its payment page, so that transactions wouldn’t be hindered if authorities try to bring down their payment servers.

ZBOT – a well-known online banking malware that targeted 64-bit systems. The malware leverages TOR to evade C&C communications, including anti-malware solutions.

BIFROSE – known for its keylogging routines, BIFROSE is a variant of a backdoor malware that is capable of stealing far more information than just keystrokes. Known to be widely available in the cybercriminal underground, BIFROSE enables the attacker to log into internal systems and send messages to other users in the network.

Android ransomware – this malware shows a screen that notifies the user that their device has been locked down, and that they need to pay a ransom in order to recover their data. Failure to pay would result in the destruction of all data in the mobile device. Like the above-mentioned cases, it uses TOR to communicate with its C&C server.

The Deep Web: Good or Bad?

Technologies that offer anonymity were created for the genuine need to protect users against unwanted scrutiny. But over time, it has been abused by cybercriminals and other violators to perpetrate illegal activities and escape the law, muddling its original purpose. Consequently, the Deep Web has become the go-to place for users with nefarious motivations. While many privacy advocates deem the Deep Web as some sort of digital safe house or demilitarized zone, some security experts might have a different view, given its power to hold, and expedite criminal pursuits. As such, security researchers are encouraged to stay vigilant and to work on better ways to educate users about the Deep Web’s potential danger.  

Visit the Deep Web section of the Threat Intelligence Center for more on the Deep Web and the Cybercriminal Underground


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.