Over the past two weeks, the number of clients on the privacy network, Tor, climbed from 500,000 to 2.5 million.
Members of the Tor Project began looking into the spike in usage, trying to figure out why the network was suddenly gaining so many new users. After some digging, they came to the conclusion that the millions of new Tor clients were part of a botnet whose owners had decided to use the Tor network.
“The fact is, with a growth curve like this one, there’s basically no way that there’s a new human behind each of these new Tor clients. These Tor clients got bundled into some new software which got installed onto millions of computers pretty much overnight. Since no large software or operating system vendors have come forward to tell us they just bundled Tor with all their users, that leaves me with one conclusion: Somebody out there infected millions of computers and as part of their plan they installed Tor clients on them,” Tor officials wrote in a blog post.
“It doesn’t look like the new clients are using the Tor network to send traffic to external destinations (like websites). Early indications are that they’re accessing hidden services — fast relays see “Received an ESTABLISH_RENDEZVOUS request” many times a second in their info-level logs, but fast exit relays don’t report a significant growth in exit traffic. One plausible explanation is that it’s running its Command and Control (C&C) point as a hidden service.”
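One way a relay operator could turn that observation into a repeatable check, as an added example that is not from the Tor blog post or this article: it parses info-level relay log lines and flags seconds with an unusual number of ESTABLISH_RENDEZVOUS requests. The sample log, its line layout and the threshold are constructed for illustration and do not reproduce real relay output.

```python
import re
from collections import Counter
from typing import Iterable

# Constructed sample of Tor relay info-level log lines (not real relay output).
# The "Mon DD HH:MM:SS.mmm [level] func(): message" layout is assumed for
# illustration; the timestamps and per-second density are invented.
SAMPLE_LOG = """\
Aug 28 10:15:01.004 [info] rend_mid_establish(): Received an ESTABLISH_RENDEZVOUS request on circuit 11
Aug 28 10:15:01.120 [info] rend_mid_establish(): Received an ESTABLISH_RENDEZVOUS request on circuit 12
Aug 28 10:15:01.300 [info] rend_mid_establish(): Received an ESTABLISH_RENDEZVOUS request on circuit 13
Aug 28 10:15:01.512 [info] rend_mid_establish(): Received an ESTABLISH_RENDEZVOUS request on circuit 14
Aug 28 10:15:01.850 [info] rend_mid_establish(): Received an ESTABLISH_RENDEZVOUS request on circuit 15
Aug 28 10:15:02.010 [info] connection_exit_begin_conn(): Opening exit stream
Aug 28 10:15:02.700 [info] rend_mid_establish(): Received an ESTABLISH_RENDEZVOUS request on circuit 16
Aug 28 10:15:03.100 [notice] Heartbeat: Tor's uptime is 2 days
"""

# Timestamp is captured to whole-second precision so entries bucket per second.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2})\.\d{3} \[(?P<level>\w+)\] (?P<msg>.*)$"
)
RENDEZVOUS_MARK = "Received an ESTABLISH_RENDEZVOUS request"


def rendezvous_per_second(lines: Iterable[str]) -> Counter:
    """Count ESTABLISH_RENDEZVOUS entries per wall-clock second; other lines are ignored."""
    counts: Counter = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or RENDEZVOUS_MARK not in m.group("msg"):
            continue
        counts[m.group("ts")] += 1
    return counts


def anomalous_seconds(lines: Iterable[str], threshold: int) -> list:
    """Return, sorted, the seconds whose rendezvous count reached the threshold."""
    counts = rendezvous_per_second(lines)
    return sorted(ts for ts, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # Threshold of 4 per second is an illustrative value, not a Tor recommendation.
    for ts in anomalous_seconds(SAMPLE_LOG.splitlines(), threshold=4):
        print(f"{ts}: rendezvous burst")
```

A real deployment would compare this rate against the relay's own baseline and against its exit-stream volume, since the signal in the post is rendezvous traffic rising while exit traffic stays flat.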
Researchers at Fox-IT, a security consulting and services company, looked at the spike in Tor clients as well, and said the botnet has been around for a while, but isn’t very well-known. The botnet has a few different names, including Mevade and Sifnit.
“Previously, the botnet communicated mainly using HTTP as well as alternative communication methods. More recently and coinciding with the uptick in Tor users, the botnet switched to Tor as its method of communication for its command and control channel. The botnet appears to be massive in size as well as very widespread. Even prior to the switch to Tor, it consisted of tens of thousands of confirmed infections within a limited amount of networks. When these numbers are extrapolated on a per country and global scale, these are definitely in the same ballpark as the Tor user increase,” the Fox-IT researchers said.
“The malware uses command and control connectivity via Tor .onion links using HTTP. While some bots continue to operate using the standard HTTP connectivity, some versions of the malware use a peer-to-peer network to communicate (KAD based),” they said.
The size of the botnet is considerable, but it’s not exactly clear what the creators are using the network for.
“It is possible that the purpose of this malware network is to load additional malware onto the system and that the infected systems are for sale. We have however no compelling evidence that this is true, so this assumption is merely based on a combination of small hints. It does however originate from a Russian spoken region, and is likely motivated by direct or indirect financial related crime,” the Fox-IT report said.
Tor officials have taken some steps to alleviate the effects of the botnet on the network, including urging users to upgrade to the newest version of Tor. That version includes a new handshake that Tor relays prioritize over the older one, which moves the newer, legitimate clients ahead of the older clients the botnet is using. They are also appealing to security researchers to look at the botnet and see if they can find a way to disable it.