MEvade, the massive botnet using Tor as a communication protocol, may have moved operations to the network in order to hamper potential takedown efforts, but according to security researchers, the move just served to shine a spotlight on the botnet’s activities.
Rather than hide traffic from bots to command and control servers, moving to Tor by the millions just alerted researchers and Tor’s handlers that something was amiss. The botnet went undetected—possibly for years—and then suddenly because it caused a spike in Tor usage in a matter of days, the botnet was outed.
“A lot of other bot herders have used Tor in the past, but not this extent,” said Mark Gilbert, security researcher at Damballa Labs. “They probably think they were making the botnet safer, but maybe they were not sure of how massive it was or were connecting to Tor entry nodes more often than they should have.”
The attackers decided to hide their control infrastructure on Tor, yet at the same time made their presence on endpoints more obvious, Gilbert said.
“The massive influx of Tor users drew tons of presumably unwanted attention, compared to when it was just SSH traffic exfiltrating data out over port 443,” Gilbert said. “The SSH traffic over 443, through its very obscurity drew more attention than regular http(s) traffic would have from customers who, even when we detected the threat, might otherwise have written it off as ‘just another virus’.”
Gilbert said his company has been monitoring MEvade for most of this year and said its keepers are likely leasing out portions of the botnet for different purposes. Gilbert said the botnet, also known as LazyAlienBikers, isn’t sending out much spam; parts of it are generating revenue pushing adware however. There is also a data exfiltration capability to some of the malware it spreads, which makes sense given that it’s present in 80 percent of the enterprises in which Damballa has monitoring capabilities.
“What they seem to be doing is dividing the botnet for different purposes; the underground commerce seems to work out this way,” Gilbert said. “The malware author, botherder and ad affiliate are usually not the same person. One is good at coding while another is good at laundering money and another is good at identifying customers for stolen data. They build botnets and lease them out for what people are willing to pay.”
Damballa estimates there are as many as five million bots in LazyAlienBikers, most of them in North America, Africa and Asia. In June, Microsoft was among the first to develop a detection signature for MEvade and within two weeks, the attackers changed domain usage tactics, moving to dynamic DNS providers such as No-IP and ChangeIP, likely to support their use of SSH over HTTP ports for communication with command and control and dropping of additional malware.
But by Aug. 19, the botmaster had moved away from SSH over HTTP and onto the Tor network. Moving away from HTTP, Gilbert said, took the botnet off a protocol built for high performance and high traffic volumes, and onto a network with a much smaller number of exit nodes and relays.
“These are very smart guys, but they are misapplying themselves,” Gilbert said. “They’re not looking at the big picture from a business sense and putting themselves in a network engineer’s shoes and figuring out how to balance resilience with evasion.”
Gilbert said botnets, such as Kelihos which has been taken down numerous times by law enforcement and Microsoft, continues to pop up because it has a fallback where it can send out networks and maintain a much more resilient approach.
The botnet, meanwhile, continues to thrive on Tor, even though numbers have dropped a little.
“In the security arms race, sometimes the bad guys screw up too,” Gilbert said. “But you can be sure they’ve taken the lessons learned from this progression, and will continue to find new ways to remain more elusive going forward.”