In the wake of the revelations surrounding the NSA’s domestic surveillance and intelligence-gathering operations, security experts said there would likely be a natural uptick in the usage of privacy focused tools such as Tor, PGP and other encryption services. In the case of Tor, there has been more than a slight increase–the number of Tor clients has more than quintupled in the last two weeks alone. But it appears that spike isn’t related to users trying to hide from the NSA, but rather is the work of a botnet.
In the last few months, the number of Tor clients online has remained relatively steady, at around 500,000. But two weeks ago, the numbers suddenly began to climb, and quickly. Within a week, the number of clients had tripled, and by the beginning of September, there were 2.5 million Tor clients. Members of the Tor Project began looking into the spike in usage, trying to figure out why the network was suddenly gaining so many new users. They checked with OS vendors to see whether any of them had started bundling Tor with their offerings and came up empty. They also considered the possibility that the sudden increase could be due to more journalists, activists and other typical Tor users adopting the technology after the revelations in recent months about NSA surveillance, but decided that wasn’t enough to account for the increase.
After some more digging, they came to the conclusion that the millions of new Tor clients were part of a botnet whose owners had recently decided to use the Tor network for some reason.
“The fact is, with a growth curve like this one, there’s basically no way that there’s a new human behind each of these new Tor clients. These Tor clients got bundled into some new software which got installed onto millions of computers pretty much overnight. Since no large software or operating system vendors have come forward to tell us they just bundled Tor with all their users, that leaves me with one conclusion: somebody out there infected millions of computers and as part of their plan they installed Tor clients on them,” Tor officials wrote in a blog post analyzing the incident.
“It doesn’t look like the new clients are using the Tor network to send traffic to external destinations (like websites). Early indications are that they’re accessing hidden services — fast relays see “Received an ESTABLISH_RENDEZVOUS request” many times a second in their info-level logs, but fast exit relays don’t report a significant growth in exit traffic. One plausible explanation (assuming it is indeed a botnet) is that it’s running its Command and Control (C&C) point as a hidden service.”
Researchers at Fox-IT, a security consulting and services company, looked at the spike in Tor clients as well, and said that the botnet has been around for a while, but isn’t very well-known. The botnet has a few different names, including Mevade and Sifnit.
“Previously, the botnet communicated mainly using HTTP as well as alternative communication methods. More recently and coinciding with the uptick in Tor users, the botnet switched to Tor as its method of communication for its command and control channel. The botnet appears to be massive in size as well as very widespread. Even prior to the switch to Tor, it consisted of tens of thousands of confirmed infections within a limited amount of networks. When these numbers are extrapolated on a per country and global scale, these are definitely in the same ballpark as the Tor user increase,” the Fox-IT researchers wrote.
“The malware uses command and control connectivity via Tor .onion links using HTTP. While some bots continue to operate using the standard HTTP connectivity, some versions of the malware use a peer-to-peer network to communicate (KAD based).”
The size of the botnet is considerable, but it’s not exactly clear what the network is being used for.
“it is possible that the purpose of this malware network is to load additional malware onto the system and that the infected systems are for sale. We have however no compelling evidence that this is true, so this assumption is merely based on a combination of small hints. It does however originate from a Russian spoken region, and is likely motivated by direct or indirect financial related crime,” the Fox-IT report says.
Tor officials have taken some steps to alleviate the effects of the botnet on the network, including urging users to upgrade to the newest version of Tor, which includes a new handshake feature, which Tor relays prioritize over the older handshake. That will move the newer, legitimate clients ahead of the older version that the botnet is using. They also are appealing to security researchers to look at the botnet and see if they can find a way to disable it.
“In parallel, it would be great if botnet researchers would identify the particular characteristics of the botnet and start looking at ways to shut it down (or at least get it off of Tor). Note that getting rid of the C&C point may not really help, since it’s the rendezvous attempts from the bots that are hurting so much,” the Tor officials said.
Image from Flickr photos of Simon Cockell.