• United States



Open-source tool to ease security researchers’ quest for secrecy

Jul 16, 20132 mins
Application SecurityCybercrimePrivacy

To be presented and released at Black Hat, CrowdStrike's Tortilla delivers to researchers much-needed anonymity on Windows machines

Security startup CrowdStrike plans to release this month an open-source tool that makes it easier for researchers to secretly monitor malware communications with a command-and-control server.

Called Tortilla, the tool will be available for free on CrowdStrike’s Website July 31, the day it is presented by developer Jason Geffner at the Black Hat USA conference in Las Vegas, Nev. The release will include the source code and an executable.

Tortilla corrects the unique hurdles in using Windows workstations for clandestine malware research. The problem stems from Windows’ limitations in supporting Tor, an online anonymity network.

Researchers use Tor to hide their computers’ IP addresses while monitoring communications between malware and a C&C server and observing the malicious payloads uploaded by the latter.

Anonymity is important because researchers do not want to tip off criminals or hackers working for nation states that they are being watched. Doing so could lead to the subjects denying access to the server, feeding false information to the researcher or taking down the server completely.

“They can do anything they want to misdirect us or mislead us,” Geffner said.

The malware creators, who are often tied to organized crime groups, could also trace the IP address directly to the researcher, if he’s using a home computer, or the company he works for.  

[Also see (premium): Black Hat targets the C-level]

“The more that we keep secret, the better,” Geffner said.

The problem researchers face on Windows stems from the operating system’s lack of native support for Socket Secure (SOCKS), which is the Internet protocol Tor uses to route network packets through proxies in order to hide the originating computer. 

To get around the problem researchers will use other hardware or run the malware on a different operating system running on a virtual machine. VMs are often used to run malware in order to seal it off from the rest of the computer and its software.

Tortilla enables the researcher to use Tor on any Windows computer running XP or later without jumping through hoops. In addition, researchers can use any browser or plugin and any networking software. Tor normally supports only a special version of Firefox.

CloudStrike plans to provide Tortilla with no strings attached, Geffner said. “[Researchers] are free to use it as they like.”