9/5/2013 02:26 PM

Botnet Behind Mysterious Spike In Tor Traffic

Turns out the massive jump in millions of new Tor clients during the past month wasn't about the NSA, Syria, or Tor-based Pirate Bay bundles -- it was pure cybercrime

A massive spike of millions of new Tor clients during the past few weeks appears to be the handiwork of a botnet, not a post-Edward Snowden anonymity bump or the Syrian civil war fallout that some had suspected.

Researchers from Dutch security firm Fox-IT today said they have traced the Tor traffic to a botnet that dates back as far as 2009, known as SBC, using the "Mevade.A" or "Sefnit" malware families. SBC traditionally has used mainly HTTP for its command-and-control communications (C&C), but began using Tor for C&C around the time of the Tor spike.

"The botnet appears to be massive in size as well as very widespread. Even prior to the switch to Tor, it consisted of tens of thousands of confirmed infections within a limited amount of networks," blogged Fox-IT's Yonathan Klijnsma.

Fox-IT says the botnet's mission is unclear, but it comes from a Russian-speaking region and is likely involved in financial cybercrime operations.

The Tor Project today also confirmed a botnet is likely behind the millions of new Tor clients -- and the numbers keep rising. "Where do these new users come from? My current best answer is a botnet," Roger Dingledine, project leader, director, and researcher for The Tor Project, said in a blog post today.

That shoots down theories that the growth came from activists in Syria, Russia, or the U.S., or more journalists using the anonymous browsing service in the wake of NSA domestic spying programs leaked to the press by Snowden. Dingledine also dismissed the theory that the jump was due to large-scale adoption of the so-called Pirate Browser, a Tor-based bundled anti-censorship browser from Pirate Bay: "... we've talked to the Pirate Browser people and the downloads they've seen can't account for this growth," he says.

"The fact is, with a growth curve like this one, there's basically no way that there's a new human behind each of these new Tor clients. These Tor clients got bundled into some new software which got installed onto millions of computers pretty much overnight. Since no large software or operating system vendors have come forward to tell us they just bundled Tor with all their users, that leaves me with one conclusion: somebody out there infected millions of computers and as part of their plan they installed Tor clients on them," Dingledine says.

Tor's Dingledine says the botnet appears to be running the C&C as a hidden service, and the new clients aren't shooting out traffic to websites or other locations. That appears to eliminate DDoS attacks, for instance.
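Dingledine's reasoning rests on the shape of the growth curve: organic adoption moves a user count by a few percent a day, while a bundled install lands on millions of machines at once. As an added example, which is not code from the article or from the Tor Project, the Python below flags that kind of step change in a daily client-count series and estimates how fast the count is doubling; the daily counts are constructed to resemble such an event, and the seven-day window and 1.3x threshold are assumed values, not anything the article states.

```python
"""Flag implausible growth in a daily client-count series.

Added example, not from the article or the Tor Project. The counts below are
constructed to resemble a sudden bundled-install event; they are not real
Tor metrics data.
"""
import math
from statistics import median

# Constructed daily client-count estimates (assumption: one value per day).
# Days 0-13 drift by a few percent; from day 14 on the count jumps by
# hundreds of thousands per day, the kind of curve no human uptake produces.
DAILY_CLIENTS = [
    1_010_000, 1_004_000, 1_020_000, 1_015_000, 1_030_000, 1_025_000, 1_040_000,
    1_035_000, 1_050_000, 1_045_000, 1_060_000, 1_055_000, 1_070_000, 1_065_000,
    1_400_000, 1_900_000, 2_600_000, 3_300_000, 4_100_000, 5_000_000, 5_800_000,
]


def spike_days(series, window=7, ratio=1.3):
    """Return the indices where a count exceeds `ratio` times the trailing median.

    A trailing median over `window` earlier days tolerates ordinary day-to-day
    noise but trips on a step change; the median (rather than the mean) keeps
    the first spike day from dragging the baseline up for the days after it.
    """
    flagged = []
    for i in range(window, len(series)):
        baseline = median(series[i - window:i])
        if series[i] > ratio * baseline:
            flagged.append(i)
    return flagged


def doubling_days(series, start, end):
    """Days needed for the count to double at the compound growth rate seen
    between `start` and `end`, or None if the series is not growing."""
    days = end - start
    if days <= 0 or series[start] <= 0:
        return None
    growth = series[end] / series[start]
    if growth <= 1:
        return None
    return days * math.log(2) / math.log(growth)


def assess(series, window=7, ratio=1.3):
    """Summarise the series: first anomalous day and the doubling time of the
    anomalous run, or None for both when nothing is flagged."""
    flagged = spike_days(series, window, ratio)
    if not flagged:
        return {"first_spike_day": None, "doubling_days": None}
    first = flagged[0]
    return {
        "first_spike_day": first,
        # Growth measured from the last normal day to the end of the series.
        "doubling_days": doubling_days(series, first - 1, len(series) - 1),
    }


if __name__ == "__main__":
    print(assess(DAILY_CLIENTS))
```

For a real deployment the series would come from whatever client-count estimate the operator already publishes, and the threshold would be tuned against its historical noise; the point of the median baseline is that a genuine spike does not immediately become "normal" for the following days.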

Why enlist Tor for botnet C&C?

Gunter Ollmann, CTO at IOActive, says this isn't the first time Tor has been exploited for botnets, but it's mostly been for smaller ones. "There have been a handful of botnets that have made use of Tor or onion routing for various parts of their network. They haven't been very big botnets," Ollmann says.

Tor provides a way to obfuscate C&C traffic, he says. "It can hide the final destination of their command-and-control servers. It's a way of helping to obfuscate or delay any takedowns for their command-and-control servers," he says.

It's also a way to drop bigger files onto victim machines, he says. "Many of the botnets you'll see using Tor or peer-to-peer networks will use those channels as a way for shipping bigger files to install on computers," especially in pay-per-install schemes, he says.

The Tor Project is asking for help from researchers to take down the botnet. Dingledine says he sees the botnet as more of an experiment at this point.

"I still maintain that if you have a multimillion node botnet, it's silly to try to hide it behind the 4000-relay Tor network. These people should be using their botnet as a peer-to-peer anonymity system for itself. So I interpret this incident as continued exploration by botnet developers to try to figure out what resources, services, and topologies integrate well for protecting botnet communications," he says. "Another facet of solving this problem long-term is helping them to understand that Tor isn't a great answer for their problem."

The extra traffic incurred by the botnet hasn't caused any major problems yet, but Dingledine also laid out several options for Tor to sustain the traffic of the millions of new bot clients, which appear to be running the current version of the client, he says. Among the possible actions Tor could take: encourage users to upgrade to the new Tor 0.2.4 version, which has stronger security and lower processing overhead; temporarily disable some of the Tor client's performance features; or reduce the network load.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.