Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:44 PM
Connect Directly

How The Massive Tor Botnet 'Failed'

The Tor-based 'LazyAlienBiker' -- a.k.a. Mevade -- botnet's attempt to evade detection using the anonymous Tor network ultimately exposed it

The decision by the operators of the so-called Mevade botnet to use the Tor network for masking their command-and-control (C&C) infrastructure actually backfired.

The botnet, which had been in operation since at least 2009, began moving its infrastructure en masse to Tor in mid-August, just after the start of the Edward Snowden leaks about the NSA's widespread spying operations and unrest in Syria. Millions of new Tor clients sparked speculation of a post-NSA anonymity bump or Syrian civil war fallout. But last week, The Tor Project confirmed that the major uptick in Tor traffic was due to a botnet.

[Turns out the massive jump in millions of new Tor clients during the past month wasn't about the NSA, Syria, or Tor-based Pirate Bay bundles -- it was pure cybercrime. See Botnet Behind Mysterious Spike In Tor Traffic .]

It was a big botnet even before going to Tor -- Damballa Security says there were anywhere from 1.4 to 5 million infected machines in the botnet, which it initially dubbed "LazyAlienBikers." The botnet is made up of infected machines in North America, Asia, and Africa, and encompasses mobile and nonmobile devices, according to the researchers, who saw infections hit more than 80 percent of enterprises it monitors.

Still unclear is just how Mevade or LazyAlienBikers initially infects machines. "One thing we are trying to identify is the infection vector," says Manos Antonakakis, chief scientist with Damballa.

Mark Gilbert, Antonakakis' colleague at Damballa, says the gang behind the botnet made a fatal error when it moved to Tor from SSH over Port 443. The uptick in Tor adoption only attracted unwanted attention when the group was looking for a way to hide its C&C traffic.

"In the security arms race, sometimes the bad guys screw up too. But you can be sure they've taken the lessons learned from this progression, and will continue to find new ways to remain more elusive going forward," says security researcher Gilbert in a post today.

"As the bot-herder, you can hide your control infrastructure at the expense of making your presence on an endpoint more obvious, and go with Tor (or freenet/i2p), which shifts attention from destination to source and may not work out in your favor," he said. "In this case, we watched a massive botnet go virtually undetected for months by the security community at large until the owner decided to switch over to Tor."

Yanathan Klijnsma, a cybercrime security specialist with Fox-IT, which also has been tracking the botnet, concurs that the move to Tor had the reverse effect on the botnet. "It is smart as in it will be harder to detect what type of malware it is in a network analyst point of view. But these guys have been running this botnet supposedly since 2009 ... they haven't got caught up till now, but the switch to 'anonymity' did get noticed," he says. "Tor traffic is easily detected on the network, so it becomes quite obvious that something is acting up inside the network. And the Tor metrics page was a good indicator."

The Tor Project late last week began updating the Tor browser and beta Tor Browser Bundles to help ease the traffic increase on the Tor network due to the botnet. Tor's operators have urged relay operators to upgrade: "Relay operators are strongly encouraged to upgrade to the latest versions, since it mostly has server-side improvements in it, but users will hopefully benefit from upgrading too. Please try it out and let us know," The Tor Project's Erinn Clark said a blog post.

Damballa, meantime, has been tracking 27 regular- and 69 dynamic-DNS domain names of the botnet, and recently tracked an infection at a Fortune 500 global manufacturing and technology customer site (PDF), where it detected the botnet exfiltrating megabytes per day of data from some endpoints.

The security firm is still researching the botnet operation to determine its mission, but Trend Micro says it appears to be conducting online ad fraud. The malware also comes with a backdoor and uses SSH to communicate with its hosts, so data-stealing is also a possible element of the attack, according to researchers at Trend Micro.

Researchers at Trend Micro spotted Mevade downloading a Tor module in August and early September, which provides stealthy cover for C&C servers, and makes taking down a Tor-based service nearly impossible, experts say. But the bad guys behind the botnet weren't so stealthy when it came to hiding themselves: "They operate from Kharkov, Ukraine and Israel and have been active since at least 2010. One of the main actors is known as 'Scorpion.' Another actor uses the nickname 'Dekadent.' Together, they are part of a well organized and probably well financed cybercrime gang" associated with adware scams and search result-hijacking, notes Feike Hacquebord, senior threat researcher with Trend Micro in a blog post.

Meanwhile, The Tor Project today also addressed questions raised by researchers about whether the NSA or U.K.'s spy agency have been able to crack Tor's encryption. "It's not clear what the NSA or GCHQ can or cannot do. It's not clear if they are 'cracking' the various crypto used in Tor, or merely tracking Tor exit relays, Tor relays as a whole, or run their own private Tor network," The Tor Project's Phobos said in a blog post. "What we do know is that if someone can watch the entire Internet all at once, they can watch traffic enter Tor and exit Tor. This likely de-anonymizes the Tor user."

More than likely, though, is that the spy agencies have "Tor flow detector scripts that let them pick Tor flows out of a set of flows they're looking at," Phobos says. "It's unlikely to have anything to do with deanonymizing Tor users, except insofar as they might have traffic flows from both sides of the circuit in their database. However, without concrete details, we can only speculate as well. We'd rather spend our time developing Tor and conducting research to make a better Tor."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/16/2013 | 2:02:07 PM
re: How The Massive Tor Botnet 'Failed'
Am I missing something? Tor gets most of its money from the US government, in light of recent NSA activities, why would anyone think a service financed by them would be a safe place to hide?
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Tough Love: Debunking Myths about DevOps & Security
Jeff Williams, CTO, Contrast Security,  8/19/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-08-21
Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user accou...
PUBLISHED: 2019-08-21
A vulnerability reported in Lenovo Solution Center version 03.12.003, which is no longer supported, could allow log files to be written to non-standard locations, potentially leading to privilege escalation. Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Le...
PUBLISHED: 2019-08-21
KBPublisher has SQL Injection via the admin/index.php?module=report entry_id[0] parameter, the admin/index.php?module=log id parameter, or an index.php?View=print&id[]= request.
PUBLISHED: 2019-08-21
A directory traversal vulnerability in remote access to backup & restore in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to write or delete files at any location.
PUBLISHED: 2019-08-21
Leakage of stack traces in remote access to backup & restore in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to gather information about the file system structure.