Turns out the massive jump in millions of new Tor clients during the past month wasn't about the NSA, Syria, or Tor-based Pirate Bay bundles -- it was pure cybercrime

A massive spike of millions of new Tor clients during the past few weeks appears to be the handiwork of a botnet, not a post-Edward Snowden anonymity bump or the Syrian civil war fallout that some had suspected.

Researchers from Dutch security firm Fox-IT today said they have traced the Tor traffic to a botnet that dates back as far as 2009, known as SBC, using the "Mevade.A" or "Sefnit" malware families. SBC traditionally has used mainly HTTP for its command-and-control communications (C&C), but began using Tor for C&C around the time of the Tor spike.

"The botnet appears to be massive in size as well as very widespread. Even prior to the switch to Tor, it consisted of tens of thousands of confirmed infections within a limited amount of networks," blogged Fox-IT's Yonathan Klijnsma.

[Gen. Keith Alexander aims to set the record straight on controversial NSA spying programs, calling out how leaked surveillance programs helped derail specific terror plots. See NSA Director Faces Cybersecurity Community At Black Hat.]

Fox-IT says the botnet's mission is unclear, but it comes from a Russian-speaking region and is likely involved in financial cybercrime operations.

The Tor Project today also confirmed a botnet is likely behind the millions of new Tor clients -- and the numbers keep rising. "Where do these new users come from? My current best answer is a botnet," Roger Dingledine, project leader, director, and researcher for The Tor Project, said in a blog post today.

That shoots down theories that the growth came from activists in Syria, Russia, or the U.S., or more journalists using the anonymous browsing service in the wake of NSA domestic spying programs leaked to the press by Snowden. Dingledine also dismissed the theory that the jump was due to large-scale adoption of the so-called Pirate Browser, a Tor-based bundled anti-censorship browser from Pirate Bay: "... we've talked to the Pirate Browser people and the downloads they've seen can't account for this growth," he says.

"The fact is, with a growth curve like this one, there's basically no way that there's a new human behind each of these new Tor clients. These Tor clients got bundled into some new software which got installed onto millions of computers pretty much overnight. Since no large software or operating system vendors have come forward to tell us they just bundled Tor with all their users, that leaves me with one conclusion: somebody out there infected millions of computers and as part of their plan they installed Tor clients on them," Dingledine says.

Tor's Dingledine says the botnet appears to be running the C&C as a hidden service, and the new clients aren't shooting out traffic to websites or other locations. That appears to eliminate DDoS attacks, for instance.

Why enlist Tor for botnet C&C?

Gunter Ollmann, CTO at IOActive, says this isn't the first time Tor has been exploited for botnets, but it's mostly been for smaller ones. "There have been a handful of botnets that have made use of Tor or onion routing for various parts of their network. They haven't been very big botnets," Ollmann says.

Tor provides a way to obfuscate C&C traffic, he says. "It can hide the final destination of their command-and-control servers. It's a way of helping to obfuscate or delay any takedowns for their command-and-control servers," he says.

It's also a way to drop bigger files onto victim machines, he says. "Many of the botnets you'll see using Tor or peer-to-peer networks will use those channels as a way for shipping bigger files to install on computers," especially in pay-per-install schemes, he says.

The Tor Project is asking for help from researchers to take down the botnet. Dingledine says he sees the botnet as more of an experiment at this point.

"I still maintain that if you have a multimillion node botnet, it's silly to try to hide it behind the 4000-relay Tor network. These people should be using their botnet as a peer-to-peer anonymity system for itself. So I interpret this incident as continued exploration by botnet developers to try to figure out what resources, services, and topologies integrate well for protecting botnet communications," he says. "Another facet of solving this problem long-term is helping them to understand that Tor isn't a great answer for their problem."

The extra traffic incurred by the botnet hasn't caused any major problems yet, but Dingledine also laid out several options for Tor to sustain the traffic of the millions of new bot clients, which appear to be running the current version of the client, he says. Among the possible actions Tor could take: encourage users to upgrade to the new Tor 0.2.4 version that has stronger security and lower processing overhead, temporarily disable some features of the Tor client performance features, or reduce the network load.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights