Software Engineering Institute

Privacy enhancing technologies such as Tor play a critical role in enabling persecuted people to access the open Internet. These tools achieve their goals by obfuscating network-visible artifacts of flows. However, they can be abused by malicious actors to evade detection. We examine malware's abuse of privacy enhancing technologies specifically related to the Transport Security Layer protocol. We first review longitudinal trends in malware’s use of TLS, TLS 1.3, and DNS-over-HTTPS/TLS. We then review more advanced evasion strategies such as the general strategy of randomizing TLS ClientHello parameters to evade TLS fingerprinting and the use of three popular censorship circumvention tools: Tor, Psiphon, and UltraSurf. In many cases, these tools attempt to mimic popular TLS profiles, which has previously been shown to be difficult to achieve in practice. We quantify the ability of malware’s use of these tools to emulate common applications. Furthermore, we provide well-defined detection strategies implemented in our open-source network monitoring tool.