SANS ISC: Internet Storm Center

Retrieving malware over Tor

Published: 2018-01-21
Last Updated: 2018-01-21 23:09:35 UTC
by Didier Stevens (Version: 1)
1 comment(s)

A couple of years ago, Lenny Zeltser wrote a diary entry on how to use curl to retrieve malware samples.

If you don't want to disclose your public IP address when retrieving malware, you can use proxies. One way to do this is to use the Tor anonymity network.

On Linux and OSX, it's quite easy to do so.

You install the tor and torsocks packages for your distro, start tor, and then launch your curl or wget command via torsocks.

torsocks curl http://www.example.com/page -D headers.txt -o sample.vir

Mind you, the Tor network can be slow or unstable sometimes, which may interfere with the sample download. And Tor nodes might also be blocked in countries where you want to download samples from.

On Windows, you can use Tor but not torsocks.

For curl, that's not a problem: you just instruct curl to use the Tor SOCKS proxy with the option --socks5-hostname (the hostname variant, so that DNS resolution also goes through Tor instead of your local resolver):

curl --socks5-hostname localhost:9050 http://www.example.com/page -D headers.txt -o sample.vir

For wget, it's a bit more complex, because wget can't talk to SOCKS directly. wget can talk to an HTTP/HTTPS proxy, so you can set up such a proxy between Tor and wget.
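The curl and wget paths above, as an added example (not code from the diary): it checks that tor is actually listening before downloading, verifies the egress is a Tor exit, fetches with curl via --socks5-hostname, and for wget chains through a privoxy listener forwarding to Tor's SOCKS port. It assumes tor on 127.0.0.1:9050 and privoxy on its default 127.0.0.1:8118; TOR_SOCKS and HTTP_PROXY_ADDR are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the diary. Assumes tor listens on 127.0.0.1:9050
# and, for the wget path, that privoxy is installed (default listener 8118).
set -eu

TOR_SOCKS="${TOR_SOCKS:-127.0.0.1:9050}"
HTTP_PROXY_ADDR="${HTTP_PROXY_ADDR:-127.0.0.1:8118}"

# privoxy configuration that forwards every request to Tor's SOCKS port.
# forward-socks5t (trailing 't') hands the hostname to Tor, so DNS lookups
# are resolved inside Tor instead of by the local resolver.
privoxy_tor_config() {
    printf 'listen-address %s\n' "$HTTP_PROXY_ADDR"
    printf 'forward-socks5t / %s .\n' "$TOR_SOCKS"
}

# Succeed only if something accepts TCP connections on the SOCKS address, so a
# stopped tor does not silently turn into a direct download from our own IP.
tor_socks_ready() {
    host="${1%:*}"; port="${1##*:}"
    if command -v timeout >/dev/null 2>&1; then
        timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    else
        bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    fi
}

# Confirm the egress really is a Tor exit before touching the sample URL.
exit_is_tor() {
    curl -s --socks5-hostname "$TOR_SOCKS" https://check.torproject.org/api/ip \
        | grep -q '"IsTor":true'
}

# curl path (works on Windows too): --socks5-hostname also resolves DNS via Tor.
fetch_with_curl() {   # usage: fetch_with_curl URL OUTFILE
    curl -sS --socks5-hostname "$TOR_SOCKS" -D "$2.headers" -o "$2" "$1"
}

# wget path: wget speaks HTTP proxy only, so go through the privoxy listener
# (privoxy must be running with the configuration printed above).
fetch_with_wget() {   # usage: fetch_with_wget URL OUTFILE
    http_proxy="http://$HTTP_PROXY_ADDR" https_proxy="http://$HTTP_PROXY_ADDR" \
        wget -O "$2" "$1"
}

# Typical run: tor_socks_ready "$TOR_SOCKS" && exit_is_tor \
#   && fetch_with_curl http://www.example.com/page sample.vir
```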


Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
