Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:44 PM
Connect Directly

How The Massive Tor Botnet 'Failed'

The Tor-based 'LazyAlienBiker' -- a.k.a. Mevade -- botnet's attempt to evade detection using the anonymous Tor network ultimately exposed it

The decision by the operators of the so-called Mevade botnet to use the Tor network for masking their command-and-control (C&C) infrastructure actually backfired.

The botnet, which had been in operation since at least 2009, began moving its infrastructure en masse to Tor in mid-August, just after the start of the Edward Snowden leaks about the NSA's widespread spying operations and unrest in Syria. Millions of new Tor clients sparked speculation of a post-NSA anonymity bump or Syrian civil war fallout. But last week, The Tor Project confirmed that the major uptick in Tor traffic was due to a botnet.

[Turns out the massive jump in millions of new Tor clients during the past month wasn't about the NSA, Syria, or Tor-based Pirate Bay bundles -- it was pure cybercrime. See Botnet Behind Mysterious Spike In Tor Traffic .]

It was a big botnet even before going to Tor -- Damballa Security says there were anywhere from 1.4 to 5 million infected machines in the botnet, which it initially dubbed "LazyAlienBikers." The botnet is made up of infected machines in North America, Asia, and Africa, and encompasses mobile and nonmobile devices, according to the researchers, who saw infections hit more than 80 percent of enterprises it monitors.

Still unclear is just how Mevade or LazyAlienBikers initially infects machines. "One thing we are trying to identify is the infection vector," says Manos Antonakakis, chief scientist with Damballa.

Mark Gilbert, Antonakakis' colleague at Damballa, says the gang behind the botnet made a fatal error when it moved to Tor from SSH over Port 443. The uptick in Tor adoption only attracted unwanted attention when the group was looking for a way to hide its C&C traffic.

"In the security arms race, sometimes the bad guys screw up too. But you can be sure they've taken the lessons learned from this progression, and will continue to find new ways to remain more elusive going forward," says security researcher Gilbert in a post today.

"As the bot-herder, you can hide your control infrastructure at the expense of making your presence on an endpoint more obvious, and go with Tor (or freenet/i2p), which shifts attention from destination to source and may not work out in your favor," he said. "In this case, we watched a massive botnet go virtually undetected for months by the security community at large until the owner decided to switch over to Tor."

Yanathan Klijnsma, a cybercrime security specialist with Fox-IT, which also has been tracking the botnet, concurs that the move to Tor had the reverse effect on the botnet. "It is smart as in it will be harder to detect what type of malware it is in a network analyst point of view. But these guys have been running this botnet supposedly since 2009 ... they haven't got caught up till now, but the switch to 'anonymity' did get noticed," he says. "Tor traffic is easily detected on the network, so it becomes quite obvious that something is acting up inside the network. And the Tor metrics page was a good indicator."

The Tor Project late last week began updating the Tor browser and beta Tor Browser Bundles to help ease the traffic increase on the Tor network due to the botnet. Tor's operators have urged relay operators to upgrade: "Relay operators are strongly encouraged to upgrade to the latest versions, since it mostly has server-side improvements in it, but users will hopefully benefit from upgrading too. Please try it out and let us know," The Tor Project's Erinn Clark said a blog post.

Damballa, meantime, has been tracking 27 regular- and 69 dynamic-DNS domain names of the botnet, and recently tracked an infection at a Fortune 500 global manufacturing and technology customer site (PDF), where it detected the botnet exfiltrating megabytes per day of data from some endpoints.

The security firm is still researching the botnet operation to determine its mission, but Trend Micro says it appears to be conducting online ad fraud. The malware also comes with a backdoor and uses SSH to communicate with its hosts, so data-stealing is also a possible element of the attack, according to researchers at Trend Micro.

Researchers at Trend Micro spotted Mevade downloading a Tor module in August and early September, which provides stealthy cover for C&C servers, and makes taking down a Tor-based service nearly impossible, experts say. But the bad guys behind the botnet weren't so stealthy when it came to hiding themselves: "They operate from Kharkov, Ukraine and Israel and have been active since at least 2010. One of the main actors is known as 'Scorpion.' Another actor uses the nickname 'Dekadent.' Together, they are part of a well organized and probably well financed cybercrime gang" associated with adware scams and search result-hijacking, notes Feike Hacquebord, senior threat researcher with Trend Micro in a blog post.

Meanwhile, The Tor Project today also addressed questions raised by researchers about whether the NSA or U.K.'s spy agency have been able to crack Tor's encryption. "It's not clear what the NSA or GCHQ can or cannot do. It's not clear if they are 'cracking' the various crypto used in Tor, or merely tracking Tor exit relays, Tor relays as a whole, or run their own private Tor network," The Tor Project's Phobos said in a blog post. "What we do know is that if someone can watch the entire Internet all at once, they can watch traffic enter Tor and exit Tor. This likely de-anonymizes the Tor user."

More than likely, though, is that the spy agencies have "Tor flow detector scripts that let them pick Tor flows out of a set of flows they're looking at," Phobos says. "It's unlikely to have anything to do with deanonymizing Tor users, except insofar as they might have traffic flows from both sides of the circuit in their database. However, without concrete details, we can only speculate as well. We'd rather spend our time developing Tor and conducting research to make a better Tor."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/16/2013 | 2:02:07 PM
re: How The Massive Tor Botnet 'Failed'
Am I missing something? Tor gets most of its money from the US government, in light of recent NSA activities, why would anyone think a service financed by them would be a safe place to hide?
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I can't find the back door.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-25
The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of Medi...
PUBLISHED: 2021-01-25
ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a "zip-slip" vulnerability. The directory support feature allows the ...
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting