There has been an unusual and considerable rise in the number of Tor users over the past few weeks. The cause appeared to be a botnet, but no one was certain.
“In recent days, we have indeed found evidence which suggests that a specific and rather unknown botnet is responsible for the majority of the sudden uptick in Tor users,” said Fox-IT security specialist Yonathan Klijnsma.
“A recent detection name that has been used in relation to this botnet is ‘Mevade.A’, but older references suggest the name ‘Sefnit’, which dates back to at least 2009 and also included Tor connectivity. We have found various references that the malware is internally known as SBC to its operators.”
So, the botnet is massive, and not new. Before adding the privacy network Tor as a method of communication, the bots used HTTP and alternative methods to communicate with their C&C channel.
“As pointed out in the Tor weekly news, the version of Tor that is used by the new Tor clients must be 0.2.3.x, due to the fact that they do not use the new Tor handshake method. Based on the code we can confirm that the version of Tor that is used is 0.2.3.25,” he said.
Fox-IT researchers aren’t quite sure what the malware does, but they believe it originates from a Russian-speaking region, so they speculate that it is likely motivated, directly or indirectly, by financial crime.
“Feedback provided by the Smart Protection Network shows that the Mevade malware was, indeed, downloading a Tor module in the last weeks of August and early September,” Trend Micro researchers said.
They also added that the operators of the botnet are in Kharkov, Ukraine and Israel, but researchers only know them by their online handles. They have apparently been active since 2010, and seem to be part of a “well organized and probably well financed cybercrime gang.” They said they suspect the botnet gains revenue by installing adware and toolbars onto compromised systems.
“It doesn’t look like the new clients are using the Tor network to send traffic to external destinations (like websites). Early indications are that they’re accessing hidden services — fast relays see ‘Received an ESTABLISH_RENDEZVOUS request’ many times a second in their info-level logs, but fast exit relays don’t report a significant growth in exit traffic,” said Tor Project director Roger Dingledine. “One plausible explanation (assuming it is indeed a botnet) is that it’s running its Command and Control (C&C) point as a hidden service.”
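The rendezvous-request signal Dingledine describes can be turned into a simple relay-side check: count how many times per second an info-level log reports an ESTABLISH_RENDEZVOUS request and flag seconds that exceed a baseline. The script below is an added example for this article, not code from the Tor Project or from the researchers quoted; it assumes the stock Tor log layout `Mon DD HH:MM:SS.mmm [level] message`, the sample log lines and the threshold are constructed for illustration, and the function name in the sample messages is only what an info-level rendmid log line is assumed to look like.

```python
"""Rate-based detection of rendezvous-request bursts in Tor relay info logs.

Added example (not from the article or the Tor Project). It assumes the stock
Tor log line layout "Mon DD HH:MM:SS.mmm [level] message". The sample lines
below are constructed, not captured from a real relay.
"""
import re
from collections import Counter
from datetime import datetime

# Assumed layout of a Tor log line: timestamp (no year), [level], free-text message.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})\.\d{3} \[(?P<level>\w+)\] (?P<msg>.*)$"
)
# The message fragment the article says fast relays see many times a second.
RENDEZVOUS_MARKER = "Received an ESTABLISH_RENDEZVOUS request"

# Constructed sample: four rendezvous requests in one second, one in the next,
# one unrelated notice, and one malformed line that the parser must skip.
SAMPLE_LOG = [
    "Sep 05 12:00:01.000 [info] rend_mid_establish_rendezvous(): Received an ESTABLISH_RENDEZVOUS request on circuit 101",
    "Sep 05 12:00:01.120 [info] rend_mid_establish_rendezvous(): Received an ESTABLISH_RENDEZVOUS request on circuit 102",
    "Sep 05 12:00:01.310 [notice] Heartbeat: constructed unrelated notice line",
    "Sep 05 12:00:01.450 [info] rend_mid_establish_rendezvous(): Received an ESTABLISH_RENDEZVOUS request on circuit 103",
    "Sep 05 12:00:01.900 [info] rend_mid_establish_rendezvous(): Received an ESTABLISH_RENDEZVOUS request on circuit 104",
    "this line is deliberately malformed and has no timestamp",
    "Sep 05 12:00:02.050 [info] rend_mid_establish_rendezvous(): Received an ESTABLISH_RENDEZVOUS request on circuit 105",
]


def parse_line(line):
    """Return (datetime, level, message) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Tor's default timestamps carry no year; pin one so strptime can build a datetime.
    ts = datetime.strptime("2013 " + m.group("ts"), "%Y %b %d %H:%M:%S")
    return ts, m.group("level"), m.group("msg")


def rendezvous_rate(lines):
    """Map each second (datetime) to the number of ESTABLISH_RENDEZVOUS requests logged in it."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not match the assumed layout
        ts, _level, msg = parsed
        if RENDEZVOUS_MARKER in msg:
            counts[ts] += 1
    return counts


def flag_bursts(lines, per_second_threshold):
    """Return the seconds (as 'Mon DD HH:MM:SS' strings) whose request count exceeds the threshold."""
    return sorted(
        ts.strftime("%b %d %H:%M:%S")
        for ts, n in rendezvous_rate(lines).items()
        if n > per_second_threshold
    )


if __name__ == "__main__":
    # The threshold of 3 per second is a constructed illustration, not a tuned baseline.
    for second in flag_bursts(SAMPLE_LOG, per_second_threshold=3):
        print("rendezvous burst at", second)
```

The threshold is the part a relay operator would tune from their own quiet-period logs; the article's second signal, flat exit traffic on fast exit relays, comes from bandwidth accounting rather than these log messages, so it is not modelled here.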