Botnet Behind Mysterious Spike In Tor Traffic

  /     /     /  
Publicated : 22/11/2024   Category : security


Botnet Behind Mysterious Spike In Tor Traffic


Turns out the massive jump in millions of new Tor clients during the past month wasnt about the NSA, Syria, or Tor-based Pirate Bay bundles -- it was pure cybercrime



A massive spike of millions of new Tor clients during the past few weeks appears to be the handiwork of a botnet, not a post-Edward Snowden anonymity bump or the Syrian civil war fallout that some had suspected.
Researchers from Dutch security firm Fox-IT today said they have traced the Tor traffic to a botnet that dates back as far as 2009, known as SBC, using the Mevade.A or Sefnit malware families. SBC traditionally has used mainly HTTP for its command-and-control communications (C&C), but began using Tor for C&C around the time of the Tor spike.
The botnet appears to be massive in size as well as very widespread. Even prior to the switch to Tor, it consisted of tens of thousands of confirmed infections within a limited amount of networks,
blogged
Fox-ITs Yonathan Klijnsma.
[Gen. Keith Alexander aims to set the record straight on controversial NSA spying programs, calling out how leaked surveillance programs helped derail specific terror plots. See
NSA Director Faces Cybersecurity Community At Black Hat
.]
Fox-IT says the botnets mission is unclear, but it comes from a Russian-speaking region and is likely involved in financial cybercrime operations.
The Tor Project today also confirmed a botnet is likely behind the millions of new Tor clients -- and the numbers keep rising. Where do these new users come from? My current best answer is a botnet, Roger Dingledine, project leader, director, and researcher for The Tor Project, said in a blog post today.
That shoots down theories that the growth came from activists in Syria, Russia, or the U.S., or more journalists using the anonymous browsing service in the wake of NSA domestic spying programs leaked to the press by Snowden. Dingledine also dismissed the theory that the jump was due to large-scale adoption of the so-called Pirate Browser, a Tor-based bundled anti-censorship browser from Pirate Bay: ... weve talked to the Pirate Browser people and the downloads theyve seen cant account for this growth, he says.
The fact is, with a growth curve like this one, theres basically no way that theres a new human behind each of these new Tor clients. These Tor clients got bundled into some new software which got installed onto millions of computers pretty much overnight. Since no large software or operating system vendors have come forward to tell us they just bundled Tor with all their users, that leaves me with one conclusion: somebody out there infected millions of computers and as part of their plan they installed Tor clients on them, Dingledine says.
Tors Dingledine says the botnet appears to be running the C&C as a hidden service, and the new clients arent shooting out traffic to websites or other locations. That appears to eliminate DDoS attacks, for instance.
Why enlist Tor for botnet C&C?
Gunter Ollmann, CTO at IOActive, says this isnt the first time Tor has been exploited for botnets, but its mostly been for smaller ones. There have been a handful of botnets that have made use of Tor or onion routing for various parts of their network. They havent been very big botnets, Ollmann says.
Tor provides a way to obfuscate C&C traffic, he says. It can hide the final destination of their command-and-control servers. Its a way of helping to obfuscate or delay any takedowns for their command-and-control servers, he says.
Its also a way to drop bigger files onto victim machines, he says. Many of the botnets youll see using Tor or peer-to-peer networks will use those channels as a way for shipping bigger files to install on computers, especially in pay-per-install schemes, he says.
The Tor Project is asking for help from researchers to take down the botnet. Dingledine says he sees the botnet as more of an experiment at this point.
I still maintain that if you have a multimillion node botnet, its silly to try to hide it behind the 4000-relay Tor network. These people should be using their botnet as a peer-to-peer anonymity system for itself. So I interpret this incident as continued exploration by botnet developers to try to figure out what resources, services, and topologies integrate well for protecting botnet communications, he says. Another facet of solving this problem long-term is helping them to understand that Tor isnt a great answer for their problem.
The extra traffic incurred by the botnet hasnt caused any major problems yet, but Dingledine also laid out several options for Tor to sustain the traffic of the millions of new bot clients, which appear to be running the current version of the client,
he says
. Among the possible actions Tor could take: encourage users to upgrade to the new Tor 0.2.4 version that has stronger security and lower processing overhead, temporarily disable some features of the Tor client performance features, or reduce the network load.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Botnet Behind Mysterious Spike In Tor Traffic