Malware's Abuse of Privacy Enhancing Technologies
• Presentation
Publisher
Cisco Systems, Inc.
Abstract
Privacy-enhancing technologies such as Tor play a critical role in enabling persecuted people to access the open Internet. These tools achieve their goals by obfuscating the network-visible artifacts of flows. However, they can also be abused by malicious actors to evade detection. We examine malware's abuse of privacy-enhancing technologies, specifically those related to the Transport Layer Security (TLS) protocol. We first review longitudinal trends in malware's use of TLS, TLS 1.3, and DNS-over-HTTPS/TLS. We then review more advanced evasion strategies: the general strategy of randomizing TLS ClientHello parameters to evade TLS fingerprinting, and the use of three popular censorship-circumvention tools, Tor, Psiphon, and UltraSurf. In many cases these tools attempt to mimic popular TLS profiles, which has previously been shown to be difficult to achieve in practice. We quantify how well malware's use of these tools emulates common applications. Furthermore, we provide well-defined detection strategies implemented in our open-source network monitoring tool.
Part of a Collection
FloCon 2020 Presentations
This content was created for a conference series or symposium and does not necessarily reflect the positions and views of the Software Engineering Institute.