02:26 PM
Connect Directly

Botnet Behind Mysterious Spike In Tor Traffic

Turns out the massive jump in millions of new Tor clients during the past month wasn't about the NSA, Syria, or Tor-based Pirate Bay bundles -- it was pure cybercrime

A massive spike of millions of new Tor clients during the past few weeks appears to be the handiwork of a botnet, not a post-Edward Snowden anonymity bump or the Syrian civil war fallout that some had suspected.

Researchers from Dutch security firm Fox-IT today said they have traced the Tor traffic to a botnet that dates back as far as 2009, known as SBC, using the "Mevade.A" or "Sefnit" malware families. SBC traditionally has used mainly HTTP for its command-and-control communications (C&C), but began using Tor for C&C around the time of the Tor spike.

"The botnet appears to be massive in size as well as very widespread. Even prior to the switch to Tor, it consisted of tens of thousands of confirmed infections within a limited amount of networks," blogged Fox-IT's Yonathan Klijnsma.

[Gen. Keith Alexander aims to set the record straight on controversial NSA spying programs, calling out how leaked surveillance programs helped derail specific terror plots. See NSA Director Faces Cybersecurity Community At Black Hat.]

Fox-IT says the botnet's mission is unclear, but it comes from a Russian-speaking region and is likely involved in financial cybercrime operations.

The Tor Project today also confirmed a botnet is likely behind the millions of new Tor clients -- and the numbers keep rising. "Where do these new users come from? My current best answer is a botnet," Roger Dingledine, project leader, director, and researcher for The Tor Project, said in a blog post today.

That shoots down theories that the growth came from activists in Syria, Russia, or the U.S., or more journalists using the anonymous browsing service in the wake of NSA domestic spying programs leaked to the press by Snowden. Dingledine also dismissed the theory that the jump was due to large-scale adoption of the so-called Pirate Browser, a Tor-based bundled anti-censorship browser from Pirate Bay: "... we've talked to the Pirate Browser people and the downloads they've seen can't account for this growth," he says.

"The fact is, with a growth curve like this one, there's basically no way that there's a new human behind each of these new Tor clients. These Tor clients got bundled into some new software which got installed onto millions of computers pretty much overnight. Since no large software or operating system vendors have come forward to tell us they just bundled Tor with all their users, that leaves me with one conclusion: somebody out there infected millions of computers and as part of their plan they installed Tor clients on them," Dingledine says.

Tor's Dingledine says the botnet appears to be running the C&C as a hidden service, and the new clients aren't shooting out traffic to websites or other locations. That appears to eliminate DDoS attacks, for instance.

Why enlist Tor for botnet C&C?

Gunter Ollmann, CTO at IOActive, says this isn't the first time Tor has been exploited for botnets, but it's mostly been for smaller ones. "There have been a handful of botnets that have made use of Tor or onion routing for various parts of their network. They haven't been very big botnets," Ollmann says.

Tor provides a way to obfuscate C&C traffic, he says. "It can hide the final destination of their command-and-control servers. It's a way of helping to obfuscate or delay any takedowns for their command-and-control servers," he says.

It's also a way to drop bigger files onto victim machines, he says. "Many of the botnets you'll see using Tor or peer-to-peer networks will use those channels as a way for shipping bigger files to install on computers," especially in pay-per-install schemes, he says.

The Tor Project is asking for help from researchers to take down the botnet. Dingledine says he sees the botnet as more of an experiment at this point.

"I still maintain that if you have a multimillion node botnet, it's silly to try to hide it behind the 4000-relay Tor network. These people should be using their botnet as a peer-to-peer anonymity system for itself. So I interpret this incident as continued exploration by botnet developers to try to figure out what resources, services, and topologies integrate well for protecting botnet communications," he says. "Another facet of solving this problem long-term is helping them to understand that Tor isn't a great answer for their problem."

The extra traffic incurred by the botnet hasn't caused any major problems yet, but Dingledine also laid out several options for Tor to sustain the traffic of the millions of new bot clients, which appear to be running the current version of the client, he says. Among the possible actions Tor could take: encourage users to upgrade to the new Tor 0.2.4 version that has stronger security and lower processing overhead, temporarily disable some features of the Tor client performance features, or reduce the network load.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-11-24
Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.

Published: 2014-11-24
Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo.

Published: 2014-11-24
apparmor_parser in the apparmor package before 2.8.95~2430-0ubuntu5.1 in Ubuntu 14.04 allows attackers to bypass AppArmor policies via unspecified vectors, related to a "miscompilation flaw."

Published: 2014-11-24
The wordexp function in GNU C Library (aka glibc) 2.21 does not enforce the WRDE_NOCMD flag, which allows context-dependent attackers to execute arbitrary commands, as demonstrated by input containing "$((`...`))".

Published: 2014-11-24
OpenStack Neutron before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service (crash) via a crafted dns_nameservers value in the DNS configuration.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?