Attacks/Breaches
9/5/2013
02:26 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Botnet Behind Mysterious Spike In Tor Traffic

Turns out the massive jump in millions of new Tor clients during the past month wasn't about the NSA, Syria, or Tor-based Pirate Bay bundles -- it was pure cybercrime

A massive spike of millions of new Tor clients during the past few weeks appears to be the handiwork of a botnet, not a post-Edward Snowden anonymity bump or the Syrian civil war fallout that some had suspected.

Researchers from Dutch security firm Fox-IT today said they have traced the Tor traffic to a botnet that dates back as far as 2009, known as SBC, using the "Mevade.A" or "Sefnit" malware families. SBC traditionally has used mainly HTTP for its command-and-control communications (C&C), but began using Tor for C&C around the time of the Tor spike.

"The botnet appears to be massive in size as well as very widespread. Even prior to the switch to Tor, it consisted of tens of thousands of confirmed infections within a limited amount of networks," blogged Fox-IT's Yonathan Klijnsma.

[Gen. Keith Alexander aims to set the record straight on controversial NSA spying programs, calling out how leaked surveillance programs helped derail specific terror plots. See NSA Director Faces Cybersecurity Community At Black Hat.]

Fox-IT says the botnet's mission is unclear, but it comes from a Russian-speaking region and is likely involved in financial cybercrime operations.

The Tor Project today also confirmed a botnet is likely behind the millions of new Tor clients -- and the numbers keep rising. "Where do these new users come from? My current best answer is a botnet," Roger Dingledine, project leader, director, and researcher for The Tor Project, said in a blog post today.

That shoots down theories that the growth came from activists in Syria, Russia, or the U.S., or more journalists using the anonymous browsing service in the wake of NSA domestic spying programs leaked to the press by Snowden. Dingledine also dismissed the theory that the jump was due to large-scale adoption of the so-called Pirate Browser, a Tor-based bundled anti-censorship browser from Pirate Bay: "... we've talked to the Pirate Browser people and the downloads they've seen can't account for this growth," he says.

"The fact is, with a growth curve like this one, there's basically no way that there's a new human behind each of these new Tor clients. These Tor clients got bundled into some new software which got installed onto millions of computers pretty much overnight. Since no large software or operating system vendors have come forward to tell us they just bundled Tor with all their users, that leaves me with one conclusion: somebody out there infected millions of computers and as part of their plan they installed Tor clients on them," Dingledine says.

Tor's Dingledine says the botnet appears to be running the C&C as a hidden service, and the new clients aren't shooting out traffic to websites or other locations. That appears to eliminate DDoS attacks, for instance.

Why enlist Tor for botnet C&C?

Gunter Ollmann, CTO at IOActive, says this isn't the first time Tor has been exploited for botnets, but it's mostly been for smaller ones. "There have been a handful of botnets that have made use of Tor or onion routing for various parts of their network. They haven't been very big botnets," Ollmann says.

Tor provides a way to obfuscate C&C traffic, he says. "It can hide the final destination of their command-and-control servers. It's a way of helping to obfuscate or delay any takedowns for their command-and-control servers," he says.

It's also a way to drop bigger files onto victim machines, he says. "Many of the botnets you'll see using Tor or peer-to-peer networks will use those channels as a way for shipping bigger files to install on computers," especially in pay-per-install schemes, he says.

The Tor Project is asking for help from researchers to take down the botnet. Dingledine says he sees the botnet as more of an experiment at this point.

"I still maintain that if you have a multimillion node botnet, it's silly to try to hide it behind the 4000-relay Tor network. These people should be using their botnet as a peer-to-peer anonymity system for itself. So I interpret this incident as continued exploration by botnet developers to try to figure out what resources, services, and topologies integrate well for protecting botnet communications," he says. "Another facet of solving this problem long-term is helping them to understand that Tor isn't a great answer for their problem."

The extra traffic incurred by the botnet hasn't caused any major problems yet, but Dingledine also laid out several options for Tor to sustain the traffic of the millions of new bot clients, which appear to be running the current version of the client, he says. Among the possible actions Tor could take: encourage users to upgrade to the new Tor 0.2.4 version that has stronger security and lower processing overhead, temporarily disable some features of the Tor client performance features, or reduce the network load.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6306
Published: 2014-08-22
Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01Ax740_121, 760 before 760.40 Ax760_078, and 770 before 770.30 01Ax770_062 allows local users to gain Service Processor privileges via unknown vectors.

CVE-2014-0232
Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

CVE-2014-3525
Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server 4.2.1.1 and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

CVE-2014-3563
Published: 2014-08-22
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.

CVE-2014-3587
Published: 2014-08-22
Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists bec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.