Exploring Uncharted Waters: The Deep Web and Tor


New terminology floats around the ocean of the Internet in waves. Terms pop up on a near daily basis, and while some of them almost instantaneously disappear others enter popular usage even when most net citizens have no idea what they mean, let alone begin to grasp their technical inter-workings. This is a perennial problem in the world of information security.

As of late, you might have noticed that two of these terms are beginning to pop up in the news quite a bit. One is Deep Web, and the other is Tor. Both are terms that have actually been around for over a decade, but the general public’s increasing concern over digital security has recently placed them in the spotlight. With stories on the NSA making near daily headlines, and even ransomware Cryptolocker’s notable utilization of Tor, many are learning about these Internet undergrounds for the very first time. The terms Deep Web and Tor are finally starting to make a few ripples, and, for many, their territories represent completely uncharted waters.

What is the Deep Web?

The term “Deep Web” was first defined in 2001 by Bright Planet’s Michael K. Bergman but has origins as early as 1994, when Jill Ellsworth referred to an “invisible Web.” Today, the “Deep Web” refers to websites that are not indexed by major search engines such as Google, Bing, and Yahoo. Deep web websites exist beneath the surface of the known and indexed web, and in its entirety the Deep Web is actually orders of magnitude larger than the surface web. The Deep Web is massive, ever-growing, and not completely accessible. Not surprisingly,it is also a breeding ground for malware and criminal activity.

In all, the Deep Web is comprised of a number of subsections, one of which is the Tor Network. Tor is used by people who want to access the Internet anonymously, and the network has actually been around since 2002. Common knowledge of Tor has yet to be established, but usage of the term is no doubt growing,  and this is no doubt related to the media’s continual focus on Edward Snowden and the NSA. For this reason, the terms Tor and Deep Web often get confused and used interchangeably, but it is important to understand that this is not the case. The Tor Network is simply a piece of the Deep Web, and because it is freely accessible to anyone with a computer it is simply more well-known than other pieces.

Some Other Deep Web Territories

In addition to the Tor Network, The Deep Web is comprised of a number of known and unknown subsets. Listed below are just a few of the largest.

The Dynamic Web

The majority of the known, Deep Web is comprised of the dynamic content generated when users query databases and actually has nothing to do with underground criminal networks. Surface web webpages are surface level because they are static, relatively permanent, and therefore index-able. Dynamic webpages, on the other hand, only exist when they are generated by a specific user query, such as a search engine request or the submission of a form. This makes indexing dynamic webpages quite difficult from a technical standpoint, because dynamic webpages don’t always ‘exist’ and regularly change form.

The Private Web

The term Deep Web also applies to sites that exist only on a private Intranet (like you might have at work) and sites that exist on the regular Internet but are password protected. The privatized nature of both types of these websites prevents them from being accessed by web crawlers, the automated programs used by search engines to index the known and static web. Naturally, those who program and distribute malware create private Intranets and password protected websites on the regular Internet to collaborate covertly.

The Internet of Things

The Internet of Things (IoT) can also be considered a section of the Deep Web, although parts of it have been indexed by security firms like Shodan. The Internet of Things is essentially a subset of the Internet, by machines and for machines. It’s the Internet of smart refrigerators and automated thermostats, the Internet of motion sensitive street lights and industrial controls. Strictly speaking, the Internet of Things is an Internet of machine language data, and in addition to being un-indexed a good portion of it is also unsecured, which makes it a potential target for attackers.

Diving Deeper with Tor

One of the best ways to achieve a better understanding of any piece of technology is to play around with it. The same can be said for the Deep Web, and, more specifically, Tor. Tor is a web browser that allows its users to access the Internet anonymously; this includes the regular surface-level web of .COMs, .ORGs, .EDUs, and the like, but also .ONION websites that exist only on the Tor Network. That’s right: .ONION. T.o.r. is actually an acronym, and it stands for “The Onion Router” network. Tor is so named because of the way it enables online anonymity through a series of multilayered nodes that is structurally similar to an onion. Normally when you connect to a website, you’re going from point A to point B, and both points can be identified by their unique IP address. On Tor, visiting a website is more like a trip from point A to point Z, with stops at every point in between. This process is necessarily slower, but it does work to scramble the IP address of every point, or node, in the process – thereby ensuring the anonymity of every computer involved.

Tor is therefore an excellent tool for anyone who wants to protect their personal privacy, malicious computer programmers and other criminals included. For example, Tor can be used by political journalists or whistle-blowers to speak out against the injustices of an oppressive government, but it can also be used by terrorists to communicate anonymously. Even worse, Tor can be used to buy and sell weapons, drugs, or other illegal goods. At its darkest, Tor can even be used to distribute illegal pornography. With all of this in mind, you might be wondering why you’d ever want to explore Tor and why we’d even recommend doing so. No doubt it sounds like a dangerous place, populated by criminals and hackers, and it is certainly portrayed by the media as such. What complicates matters further is that Tor domains are essentially obfuscated to the human eye. In addition to ending in .ONION, most Tor domains are written as a random series of numbers and letters, producing web addresses that look like this:


That means that when users encounter a link to a new .ONION domain, they really have no way of knowing where it will lead, and clicking on it could very well take them somewhere they really don’t want to go. Nevertheless, exploring Tor can be an educational experience. At the very least, a trip through Tor can illustrate just how little of which the web the typical Internet user is aware and just how dangerous the Internet can actually be – much like a walk through a rougher part of town can be a real eye opener.

Fittingly enough, Tor exploration really only has one rule: download Tor from the official Tor website. And, if-and-when you start exploring, click at your own risk.

Deep Web Dangers and Deep Web Malware

Criminal Activity

It is true that criminals use Tor, but not everyone who uses Tor is a criminal. People who use the Tor browser simply want to protect their online identity. Remember, Tor is a browsing application and you can use it to surf the regular surface level web as well as the Deep Web Tor Network. You may encounter and/or witness criminal activity in either environment, but the truth is that most serious criminals take additional efforts to mask their activities from average citizens.

Deep Web Malware

Most people worry: Can my computer get infected just by going on the Tor Network?

The short and simple answer to this question is: Yes – but, not because of anything specific to Tor. Your computer can become infected with malware through the Tor Network for the exact same reason it can get infected with malware through Internet Explorer while browsing the surface web: Attackers host malware on domains. One would of course think that an attacker has more incentive to host malware on a .ONION domain because their identity is anonymized; however, you are actually more likely to encounter malware on the surface web, simply because more people use it and because the average malware author is a financially motivated being who wants to infect as many computers as possible.

The Deep Web and Tor are not malware insignificant, though. Much as they do for any other criminal, the Deep Web and Tor enable anonymity, which is highly attractive to malware authors and distributors who want to collaborate anonymously with their team.

Perhaps most interestingly, Tor can also allow attackers to connect infected users to an anonymous Command and Control server through the surface web! This third possibility is performed through a manipulation of the svchosts.exe file, which controls how your computer connects to the Internet. Essentially, this technique relies on a covert installation of the Tor web browser, and then a reconfiguration of the svchosts.exe file so that your computer covertly connects to a malicious server on the Tor Network. Such a connection can be used to command, control, and/or monitor your computer anonymously or connect it to a botnet.

Deep Web Scams

Lastly, anyone venturing into any region of the Deep Web needs to be wary of getting scammed. Whether you’re exploring Tor or simply interacting with someone on an un-indexed Intranet or password protected website, it is crucial to remember that that interaction is practically untraceable. That means if you decide to transfer funds or personal information, the other party can scam you and walk away scot-free.

Deep Web Protection: Emsisoft’s Shield and The Double Edged Sword

Despite the aura of dangerousness surrounding the Deep Web, it can be explored safely. Emsisoft Anti-Malware protects users from malware no matter where they encounter it. Deep Web malware uses the same signatures and displays the same behavioral patterns as surface web malware; it is simply located in a different environment. The true dangers of the Deep Web are those that exist beyond the realm malware. The Deep Web is deep and dark, and for every positive use it provides it also enables a criminal activity. Sadly, this is true of most technology throughout human history: it is a double-edged sword.

Perhaps the most important takeaway from this Deep Web primer is to remember that is exactly that – a primer. Tor is simply a subsection of a truly massive amount of information that exists and is growing beneath the surface level web as we know it. Exploring this subsection is completely optional, but recognizing its existence is mandatory for anyone who wants to maintain comprehensive digital security. Utilizing the benefits of Tor can also allow one to browse the surface web in anonymity and maintain their personal privacy; and, yet, it is really only one of many ways to do so.

As the ocean of our Internet continues to grow, so will opportunities to connect to new people, be they friendly, malicious, or neutral. Regardless, new territories call for new language, and we hope that at the very least you can now understand what people mean when they use the terms Deep Web and Tor. A connected world should be a Malware-Free World, and knowledge of that world is half the battle.

As for you brave explorers ready to dive deep into the heart of the onion…Bon voyage!