Attacks/Breaches
9/11/2013
03:44 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

How The Massive Tor Botnet 'Failed'

The Tor-based 'LazyAlienBiker' -- a.k.a. Mevade -- botnet's attempt to evade detection using the anonymous Tor network ultimately exposed it

The decision by the operators of the so-called Mevade botnet to use the Tor network for masking their command-and-control (C&C) infrastructure actually backfired.

The botnet, which had been in operation since at least 2009, began moving its infrastructure en masse to Tor in mid-August, just after the start of the Edward Snowden leaks about the NSA's widespread spying operations and unrest in Syria. Millions of new Tor clients sparked speculation of a post-NSA anonymity bump or Syrian civil war fallout. But last week, The Tor Project confirmed that the major uptick in Tor traffic was due to a botnet.

[Turns out the massive jump in millions of new Tor clients during the past month wasn't about the NSA, Syria, or Tor-based Pirate Bay bundles -- it was pure cybercrime. See Botnet Behind Mysterious Spike In Tor Traffic .]

It was a big botnet even before going to Tor -- Damballa Security says there were anywhere from 1.4 to 5 million infected machines in the botnet, which it initially dubbed "LazyAlienBikers." The botnet is made up of infected machines in North America, Asia, and Africa, and encompasses mobile and nonmobile devices, according to the researchers, who saw infections hit more than 80 percent of enterprises it monitors.

Still unclear is just how Mevade or LazyAlienBikers initially infects machines. "One thing we are trying to identify is the infection vector," says Manos Antonakakis, chief scientist with Damballa.

Mark Gilbert, Antonakakis' colleague at Damballa, says the gang behind the botnet made a fatal error when it moved to Tor from SSH over Port 443. The uptick in Tor adoption only attracted unwanted attention when the group was looking for a way to hide its C&C traffic.

"In the security arms race, sometimes the bad guys screw up too. But you can be sure they've taken the lessons learned from this progression, and will continue to find new ways to remain more elusive going forward," says security researcher Gilbert in a post today.

"As the bot-herder, you can hide your control infrastructure at the expense of making your presence on an endpoint more obvious, and go with Tor (or freenet/i2p), which shifts attention from destination to source and may not work out in your favor," he said. "In this case, we watched a massive botnet go virtually undetected for months by the security community at large until the owner decided to switch over to Tor."

Yanathan Klijnsma, a cybercrime security specialist with Fox-IT, which also has been tracking the botnet, concurs that the move to Tor had the reverse effect on the botnet. "It is smart as in it will be harder to detect what type of malware it is in a network analyst point of view. But these guys have been running this botnet supposedly since 2009 ... they haven't got caught up till now, but the switch to 'anonymity' did get noticed," he says. "Tor traffic is easily detected on the network, so it becomes quite obvious that something is acting up inside the network. And the Tor metrics page was a good indicator."

The Tor Project late last week began updating the Tor browser and beta Tor Browser Bundles to help ease the traffic increase on the Tor network due to the botnet. Tor's operators have urged relay operators to upgrade: "Relay operators are strongly encouraged to upgrade to the latest versions, since it mostly has server-side improvements in it, but users will hopefully benefit from upgrading too. Please try it out and let us know," The Tor Project's Erinn Clark said a blog post.

Damballa, meantime, has been tracking 27 regular- and 69 dynamic-DNS domain names of the botnet, and recently tracked an infection at a Fortune 500 global manufacturing and technology customer site (PDF), where it detected the botnet exfiltrating megabytes per day of data from some endpoints.

The security firm is still researching the botnet operation to determine its mission, but Trend Micro says it appears to be conducting online ad fraud. The malware also comes with a backdoor and uses SSH to communicate with its hosts, so data-stealing is also a possible element of the attack, according to researchers at Trend Micro.

Researchers at Trend Micro spotted Mevade downloading a Tor module in August and early September, which provides stealthy cover for C&C servers, and makes taking down a Tor-based service nearly impossible, experts say. But the bad guys behind the botnet weren't so stealthy when it came to hiding themselves: "They operate from Kharkov, Ukraine and Israel and have been active since at least 2010. One of the main actors is known as 'Scorpion.' Another actor uses the nickname 'Dekadent.' Together, they are part of a well organized and probably well financed cybercrime gang" associated with adware scams and search result-hijacking, notes Feike Hacquebord, senior threat researcher with Trend Micro in a blog post.

Meanwhile, The Tor Project today also addressed questions raised by researchers about whether the NSA or U.K.'s spy agency have been able to crack Tor's encryption. "It's not clear what the NSA or GCHQ can or cannot do. It's not clear if they are 'cracking' the various crypto used in Tor, or merely tracking Tor exit relays, Tor relays as a whole, or run their own private Tor network," The Tor Project's Phobos said in a blog post. "What we do know is that if someone can watch the entire Internet all at once, they can watch traffic enter Tor and exit Tor. This likely de-anonymizes the Tor user."

More than likely, though, is that the spy agencies have "Tor flow detector scripts that let them pick Tor flows out of a set of flows they're looking at," Phobos says. "It's unlikely to have anything to do with deanonymizing Tor users, except insofar as they might have traffic flows from both sides of the circuit in their database. However, without concrete details, we can only speculate as well. We'd rather spend our time developing Tor and conducting research to make a better Tor."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
gebuh
50%
50%
gebuh,
User Rank: Apprentice
9/16/2013 | 2:02:07 PM
re: How The Massive Tor Botnet 'Failed'
Am I missing something? Tor gets most of its money from the US government, in light of recent NSA activities, why would anyone think a service financed by them would be a safe place to hide?
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

CVE-2014-3372
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the CCM reports interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuq90589.

CVE-2014-3373
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the CCM Dialed Number Analyzer interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCup92550.

CVE-2014-3374
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the CCM admin interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuq90582.

CVE-2014-3375
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the CCM Service interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuq90597.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.