Massive spike of Tor users caused by Mevade botnet

When Project Tor director Roger Dingledine recently drew the public’s attention to the unusual and considerable rise in the number of Tor users, he invited people to speculate and share plausible explanations about it because, by his own admission, they were unable to find it out by themselves.

The theories put forward ranged from Pirate Browser publicity gone overboard and Russia’s recent Internet censorship efforts, to a reaction to NSA surveillance efforts.

On Thursday, Dingledine piped up again to say that the upward trend has continued, and that he’s betting his money on the reason behind it being a botnet.

“The fact is, with a growth curve like this one, there’s basically no way that there’s a new human behind each of these new Tor clients,” he wrote. “These Tor clients got bundled into some new software which got installed onto millions of computers pretty much overnight. Since no large software or operating system vendors have come forward to tell us they just bundled Tor with all their users, that leaves me with one conclusion: somebody out there infected millions of computers and as part of their plan they installed Tor clients on them.”

The theory, made more than plausible by the general lack of action from these new users, has been confirmed by Dutch-based security audit firm Fox IT.

“In recent days, we have indeed found evidence which suggests that a specific and rather unknown botnet is responsible for the majority of the sudden uptick in Tor users,” wrote security specialist Yonathan Klijnsma.

“A recent detection name that has been used in relation to this botnet is ‘Mevade.A’, but older references suggest the name ‘Sefnit’, which dates back to at least 2009 and also included Tor connectivity. We have found various references that the malware is internally known as SBC to its operators.”

So, the botnet is massive, and not new. Before adding Tor as a method of communication, the bots used HTTP and alternative methods to communicate with their C&C channel.

“As pointed out in the Tor weekly news, the version of Tor that is used by the new Tor clients must be 0.2.3.x, due to the fact that they do not use the new Tor handshake method. Based on the code we can confirm that the version of Tor that is used is 0.2.3.25,” he shared.

Fox IT researchers aren’t quite sure what the malware does, but they believe that it originates from a region where Russian is spoken, so they speculate that its likely motivated by direct or indirect financial related crime.

“Feedback provided by the Smart Protection Network shows that the Mevade malware was, indeed, downloading a Tor module in the last weeks of August and early September,” Trend Micro researchers added their two cents to the conversation.

They also added that the operators of the botnet have been tracked down to Kharkov, Ukraine and Israel, but are currently known only by their online handles. They have apparently been active since 2010, and seem to be a part of a “well organized and probably well financed cybercrime gang.” They say that they suspect the botnet is monetized by installing adware and toolbars onto compromised systems.

“It doesn’t look like the new clients are using the Tor network to send traffic to external destinations (like websites). Early indications are that they’re accessing hidden services — fast relays see “Received an ESTABLISH_RENDEZVOUS request” many times a second in their info-level logs, but fast exit relays don’t report a significant growth in exit traffic,” Dingledine noted. “One plausible explanation (assuming it is indeed a botnet) is that it’s running its Command and Control (C&C) point as a hidden service.”

Still, there is one thing that warmed his heart, and that is that the Tor network is still working despite the massive increase of Tor clients on it and the new circuits they’re making. “I guess all that work we’ve been doing on scalability was a good idea,” he concluded.

Nevertheless, a lot of the relays are now maxed out on CPU loads, and they could soon be overwhelmed, so he shared a list of likely actions for the Project to take in order to prevent that from happening now and in the future.

More about

Don't miss