How The Massive Tor Botnet Failed

  /     /     /  
Publicated : 22/11/2024   Category : security


How The Massive Tor Botnet Failed


The Tor-based LazyAlienBiker -- a.k.a. Mevade -- botnets attempt to evade detection using the anonymous Tor network ultimately exposed it



The decision by the operators of the so-called Mevade botnet to use the Tor network for masking their command-and-control (C&C) infrastructure actually backfired.
The botnet, which had been in operation since at least 2009, began moving its infrastructure en masse to Tor in mid-August, just after the start of the Edward Snowden leaks about the NSAs widespread spying operations and unrest in Syria. Millions of new Tor clients sparked speculation of a post-NSA anonymity bump or Syrian civil war fallout. But last week, The Tor Project confirmed that the major uptick in Tor traffic was due to a botnet.
[Turns out the massive jump in millions of new Tor clients during the past month wasnt about the NSA, Syria, or Tor-based Pirate Bay bundles -- it was pure cybercrime. See
Botnet Behind Mysterious Spike In Tor Traffic
.]
It was a big botnet even before going to Tor -- Damballa Security says there were anywhere from 1.4 to 5 million infected machines in the botnet, which it initially dubbed LazyAlienBikers. The botnet is made up of infected machines in North America, Asia, and Africa, and encompasses mobile and nonmobile devices, according to the researchers, who saw infections hit more than 80 percent of enterprises it monitors.
Still unclear is just how Mevade or LazyAlienBikers initially infects machines. One thing we are trying to identify is the infection vector, says Manos Antonakakis, chief scientist with Damballa.
Mark Gilbert, Antonakakis colleague at Damballa, says the gang behind the botnet made a fatal error when it moved to Tor from SSH over Port 443. The uptick in Tor adoption only attracted unwanted attention when the group was looking for a way to hide its C&C traffic.
In the security arms race, sometimes the bad guys screw up too. But you can be sure theyve taken the lessons learned from this progression, and will continue to find new ways to remain more elusive going forward, says security researcher Gilbert in a post today.
As the bot-herder, you can hide your control infrastructure at the expense of making your presence on an endpoint more obvious, and go with Tor (or freenet/i2p), which shifts attention from destination to source and may not work out in your favor, he said. In this case, we watched a massive botnet go virtually undetected for months by the security community at large until the owner decided to switch over to Tor.
Yanathan Klijnsma, a cybercrime security specialist with Fox-IT, which also has been tracking the botnet, concurs that the move to Tor had the reverse effect on the botnet. It is smart as in it will be harder to detect what type of malware it is in a network analyst point of view. But these guys have been running this botnet supposedly since 2009 ... they havent got caught up till now, but the switch to anonymity did get noticed, he says. Tor traffic is easily detected on the network, so it becomes quite obvious that something is acting up inside the network. And the Tor metrics page was a good indicator.
The Tor Project late last week began
updating the Tor browser
and beta Tor Browser Bundles to help ease the traffic increase on the Tor network due to the botnet. Tors operators have urged relay operators to upgrade: Relay operators are strongly encouraged to upgrade to the latest versions, since it mostly has server-side improvements in it, but users will hopefully benefit from upgrading too. Please try it out and let us know, The Tor Projects Erinn Clark said a blog post.
Damballa, meantime, has been tracking 27 regular- and 69 dynamic-DNS domain names of the botnet, and recently tracked an infection
at a Fortune 500 global manufacturing and technology customer site
(PDF), where it detected the botnet exfiltrating megabytes per day of data from some endpoints.
The security firm is still researching the botnet operation to determine its mission, but Trend Micro says it appears to be conducting online ad fraud. The malware also comes with a backdoor and uses SSH to communicate with its hosts, so data-stealing is also a possible element of the attack, according to researchers at Trend Micro.
Researchers at Trend Micro spotted Mevade downloading a Tor module in August and early September, which provides stealthy cover for C&C servers, and makes taking down a Tor-based service nearly impossible, experts say. But the bad guys behind the botnet werent so stealthy when it came to hiding themselves: They operate from Kharkov, Ukraine and Israel and have been active since at least 2010. One of the main actors is known as Scorpion. Another actor uses the nickname Dekadent. Together, they are part of a well organized and probably well financed cybercrime gang associated with adware scams and search result-hijacking, notes Feike Hacquebord, senior threat researcher with Trend Micro
in a blog post
.
Meanwhile, The Tor Project today also addressed questions raised by researchers about whether the NSA or U.K.s spy agency have been able to crack Tors encryption. Its not clear what the NSA or GCHQ can or cannot do. Its not clear if they are cracking the various crypto used in Tor, or merely tracking Tor exit relays, Tor relays as a whole, or run their own private Tor network, The Tor Projects Phobos said in a blog post. What we do know is that if someone can watch the entire Internet all at once, they can watch traffic enter Tor and exit Tor. This likely de-anonymizes the Tor user.
More than likely, though, is that the spy agencies have Tor flow detector scripts that let them pick Tor flows out of a set of flows theyre looking at, Phobos says. Its unlikely to have anything to do with deanonymizing Tor users, except insofar as they might have traffic flows from both sides of the circuit in their database. However, without concrete details, we can only speculate as well. Wed rather spend our time developing Tor and conducting research to make a better Tor.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ New threat discovered: Mobile phone ownership compromised. ◂
Discovered: 23/12/2024
Category: security

▸ Some DLP Products Vulnerable to Security Holes ◂
Discovered: 23/12/2024
Category: security

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
How The Massive Tor Botnet Failed