
Malware's Abuse of Privacy Enhancing Technologies

August 2020 Presentation

This presentation discusses the prevalence of malware using recently approved standards and the visibility losses associated with these standards. It also describes how malware is using censorship circumvention programs.

Privacy enhancing technologies such as Tor play a critical role in enabling persecuted people to access the open Internet. These tools achieve their goals by obfuscating network-visible artifacts of flows. However, they can be abused by malicious actors to evade detection. We examine malware's abuse of privacy enhancing technologies specifically related to the Transport Layer Security (TLS) protocol. We first review longitudinal trends in malware's use of TLS, TLS 1.3, and DNS-over-HTTPS/TLS. We then review more advanced evasion strategies, such as the general strategy of randomizing TLS ClientHello parameters to evade TLS fingerprinting, and the use of three popular censorship circumvention tools: Tor, Psiphon, and UltraSurf. In many cases, these tools attempt to mimic popular TLS profiles, which has previously been shown to be difficult to achieve in practice. We quantify how well malware's use of these tools emulates common applications. Furthermore, we provide well-defined detection strategies implemented in our open-source network monitoring tool.