When we talk about malware and its related command-and-control systems (the services/websites that deliver the components of the malware), we often state that they are hosted on the dark web. It occurred to me that a lot of people don’t really know about the different layers of the Internet, so part of the message is getting lost. This blog post will hopefully explain in simple terms what the dark web is all about.
What are the Surface, Dark and Deep Web?
The Internet is basically split into three logical parts:
- The Surface Web
- The Dark Web
- The Deep Web.
This is typically illustrated with an iceberg: 90% of the iceberg is below the water, with only 10% above it.
The Surface Web
The Surface Web is that part of the internet that is publicly indexed by search engines like Google. This is where you get to see your regular websites (shopping sites, blogs, etc.). This website exists on the surface web since it is publicly accessible via your regular search engines and it isn’t encrypted.
The surface web is what we are all used to, so I am not going to spend much time describing it. If you are accessing this website then you are on the surface web.
The Dark Web
You have probably used the Dark Web without knowing it if you have accessed your employer’s network, and very likely if you have accessed it remotely via a VPN from home or a hotel while travelling. There is nothing suspicious about these networks; they are simply kept private from the general public and are, literally, a set of websites and networks that have chosen not to be indexed, for example:
- Company intranets and extranets
- Private networks
- Private company VPNs
- Utilities (energy, water)
- Military networks.
The Dark Web is so named because of the lack of indexing of its content; it is therefore dark to anyone who does not have the specific address and access requirements. These networks/websites are typically encrypted and require special software to access them (e.g. a VPN), or a special login. We have probably all seen a company website with a ‘Login’ button somewhere on the site. Pages accessible via this login will not be indexed by search engines and will be served by internal services behind strict authentication.
The Deep Web
The Deep Web is where you need to be the most cautious. The Deep Web is typically accessed via the TOR Network, and has given the TOR Network some bad press because of its takeover by the criminal element. It is a sub-region of the Dark Web.
As the Deep Web is typically accessed exclusively via the TOR Network, websites on this part of the web require a ‘.onion’ website address, and you will need to know this address in order to access the website. There are some indexes on the Deep Web that provide these addresses, but you have to know where these indexes are and they are often not maintained. There isn’t a ‘Google’ for the Deep Web.
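The ‘.onion’ addresses mentioned above have a checkable structure, which is useful on the defensive side: a .onion name should never show up in an ordinary corporate proxy or DNS log. The following Python is an added example, not code from the original post: it builds a v3 onion name from a constructed stand-in key per Tor’s rendezvous spec, verifies a name’s embedded checksum, and flags .onion hosts in constructed proxy log lines (the log format is an assumption).

```python
import base64
import hashlib
import re

ONION_V3_RE = re.compile(r"^[a-z2-7]{56}\.onion$")  # 56 base32 chars + ".onion"
VERSION = b"\x03"  # version byte carried by v3 onion services

def v3_onion_from_pubkey(pubkey: bytes) -> str:
    """Build a v3 .onion name from a 32-byte ed25519 public key (Tor rend-spec-v3):
    base32(PUBKEY || SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] || VERSION)."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + VERSION).decode().lower() + ".onion"

def is_valid_v3_onion(host: str) -> bool:
    """True if host is a well-formed v3 onion address whose checksum matches."""
    host = host.lower().rstrip(".")
    if not ONION_V3_RE.match(host):
        return False  # wrong length or alphabet (also rejects old 16-char v2 names)
    raw = base64.b32decode(host[:-6].upper())  # 35 bytes: key(32) + checksum(2) + version(1)
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        return False
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return checksum == expected

def flag_onion_requests(log_lines):
    """Return (host, verdict) for each .onion host in proxy log lines of the constructed
    format '<timestamp> <client_ip> <method> <host> <status>'. A .onion name should never
    appear in an ordinary corporate proxy/DNS log, so every hit merits a look."""
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        host = parts[3].lower()
        if host.endswith(".onion"):
            verdict = "valid-v3" if is_valid_v3_onion(host) else "malformed"
            findings.append((host, verdict))
    return findings

# Constructed sample data: a stand-in key (not any real service) and four log lines.
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_LOG = [
    f"2024-01-01T10:00:00Z 10.0.0.5 CONNECT {v3_onion_from_pubkey(SAMPLE_PUBKEY)} 200",
    "2024-01-01T10:00:01Z 10.0.0.5 GET www.example.com 200",
    "2024-01-01T10:00:02Z 10.0.0.9 CONNECT abcdefghijklmnop.onion 502",
    "2024-01-01T10:00:03Z 10.0.0.9 CONNECT " + "a" * 56 + ".onion 502",
]
```

A ‘malformed’ verdict (wrong length, or a checksum or version byte that does not match) usually points at a misconfigured or fake client rather than a real onion service.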
However, not all Deep Websites are criminal. For example:
- Facebook has a website on the Deep Web
- The BBC News Service is on the Deep Web
- Illinois Institute of Technology Tunnels
- American Journal of Freestanding Research Psychology
- WikiLeaks Upload.
To access any of these websites you will need the TOR Browser, and preferably a TOR-friendly VPN (e.g. NordVPN) in front of it. The BBC News service put its website on the Deep Web (it looks just like the regular BBC News website) so that people in restrictive/oppressive countries could get legitimate world news (whether you consider the BBC impartial is up to you).
There are also a lot of private/anonymous messaging services that people can use to communicate privately, Protonmail being one of them.
However, as I indicated above, not all of it is good. A lot of criminal websites exist on the Deep Web, and these provide:
- Markets for the full range of illegal goods
- Criminal services (not going to explain here – you get the idea)
- Malware on Demand websites
- Cryptocurrency wallets that are used for paying ransoms for Ransomware attacks
- Command and Control (C2) services for malware
- Destinations for records resulting from data breaches, which are typically sold as an on-demand service
- Hacking discussion boards/forums discussing zero-days and other hacking techniques.
These Dark Web markets are repeatedly shut down by law enforcement. However, due to the nature of the Web, they just set up shop elsewhere. I have heard of a number of law enforcement initiatives to track down the owners of these deep web markets and prosecute them.
The deep web is not a place I would recommend you go. Law enforcement agencies are also very active in tracking down these services and have set up a lot of honeypots to track people trying to access these nefarious sites. You may well get caught up in them.
If you stick to the Surface Web, you cannot go far wrong, although it is not a safe place to drop your guard, as the various blog posts on this site testify.
You typically have no business going anywhere on the Dark Web unless you require specific access to do something, e.g. accessing your employer’s internal network remotely via a VPN.
Some Deep Websites are OK to visit, but the fact that you are going to a ‘.onion’ web address is going to raise alarm bells even in enlightened countries and cultures. Just using the TOR Browser may also raise alarm bells unless you are hidden behind a VPN.
Unless you have a real need to access deep websites to facilitate private communications, or you are in an oppressed country, then best not to venture into this area of the Web.
I’M SERIOUS – DON’T GO THERE!!!