
Security Company Attributes Tor Traffic Surge To Botnet

Posted by timothy
from the complexity-of-evil dept.
hypnosec writes "A cyber defense and IT security company has claimed that the reason behind the recent surge in the number of clients connecting to Tor is in fact a relatively unknown botnet and not the NSA or genuine adoption of Tor. In late August there was a huge increase in Tor network traffic and in the number of clients connecting to the Tor network. As of this writing the number of connections has quadrupled, with over 2,500,000 clients connecting to the network. According to Fox-IT, the surge in traffic is because of a botnet dubbed 'Mevade.A,' which is known to have Tor connectivity features. The company noted that the botnet may have links to a previously detected botnet dubbed 'Sefnit,' which also featured Tor connectivity. Fox-IT claimed that they have found 'references that the malware is internally known as SBC to its operators.'"
  • What caused the spike? That's the worrying fact I think.
    • Re: (Score:3, Interesting)

      by lart2150 (724284)
      It was an upgrade to the botnet that switched it from normal networking to going over Tor for command and control.
    • Re:Yes but (Score:4, Informative)

      by Anonymous Coward on Thursday September 05, 2013 @02:21PM (#44767689)

      What caused the spike? That's the worrying fact I think.

      The summary is, as has been usual for some time, not entirely accurate. While the number of Tor users spiked, the actual traffic on the Tor network did not increase much at all.
      This was specifically mentioned in the original article and discussed here previously.

      This story is about a security company claiming the rise in users was a botnet which switched its command-and-control traffic to Tor from open HTTP. Which is kind of smart, in that it makes it much harder to pick apart the botnet to take down the command servers, or hijack the botnet. But on the other hand it makes it a LOT easier for researchers to estimate the size of the botnet. And in my mind, the more worrisome aspect is that some company or government might use this as an excuse to start blocking or taking other action against Tor traffic in general.

      • by FhnuZoag (875558)

        Read between the lines. An *IT security company* (which includes protecting against malware and botnets) wrote a press release saying that the recent increase in Tor traffic is due to something it coincidentally provides a service protecting against.

        This is a piece of advertising.

        • by brit74 (831798)
          Indeed. This is why I only get my computer security news from cattle ranchers and Eskimos. They have no vested interest.
  • by stewsters (1406737) on Thursday September 05, 2013 @01:05PM (#44767021)
    The more peers and traffic, the better anonymity. If some of those peers are grandmas with 50 toolbars rather than paranoid crypto-nerds, we are better off.
    • by Anonymous Coward on Thursday September 05, 2013 @01:14PM (#44767139)

      Until you're going through mostly peers that are controlled by one entity (botnet herder), which allows them to conduct various attacks against Tor's anonymity, not to mention sniffing data from compromised exit nodes, increasing the public perception that Tor is for "bad stuff", etc.

      • This is true, but as we have learned this year the NSA already captures all encrypted traffic they can get their hands on. If the US, UK, German, Australian governments do it, I'm guessing they aren't the only country or organization that tap their civilians' communications.

        A botnet created by a virus is not a particularly great advantage for collecting that information, as it still needs to deposit it to a central server somewhere, and governments already have tapped the lines when it is transmitte
        • by Anonymous Coward

          "This is true, but as we have learned this year the NSA already captures all encrypted traffic"

          So you're saying that it's not a big deal if criminals with malicious intent capture your traffic because the government already does anyway? Cutting off one hand isn't made acceptable because you realize the other hand is going to be cut off as well.

          "A botnet created by a virus is not a particularly great advantage for collecting that information, as it still needs to deposit it to a central server somewhere"

          The

        • by aliquis (678370)

          but as we have learned this year the NSA already captures all encrypted traffic they can get their hands on.

          And then?

    • Can these sites handle the relays?

      According to Arstechnica one of the posters mentioned these sites that host them are having scalability problems and are losing money handling it.

      I am rather cynical and think there is a reason for using these torproject servers. How possible is it to insert malware into streaming torrents through a faulty node? I do not trust torrents and many sites which have 3 download now buttons and only 1 is the correct one and the rest install malware on your computer.

      If anything it

      • by Endovior (2450520)

        many sites which have 3 download now buttons and only 1 is the correct one and the rest install malware on your computer.

        Yes, those are cleverly disguised ads placed on the download sites by unscrupulous individuals; since the sites in question tend not to care about having safe ads (given, y'know, that they host illegal content anyways), they can get away with all kinds of shit, up to and including malware links. Fortunately, there's a really handy program for filtering out that sort of thing. It's called AdBlock, and is free. Get it, or continue to suffer from malware-infested advertising.

  • Botnets and Tor (Score:5, Interesting)

    by girlintraining (1395911) on Thursday September 05, 2013 @01:12PM (#44767093)

    Well, I have good news and bad news... the bad news is that this has been a long time coming, and now it's here. The good news is that although the botnet itself is bad, the number of connections and extra clients improves Tor security overall for all the other users. The thing is, the more relays, the more connections, the larger the network... the faster and more secure it is. If all the botnet does is set up relays, it's a win for the Tor network. Of course, it isn't going to just do that, and these aren't authorized relays so it's not exactly occupying the moral high ground here. The machines hosting the bot need scrubbing.

    But this also introduces a wrinkle -- the US government, and likely others, also maintain their own botnets. And they actively seek to shut down other people's botnets, through domain seizure, etc. This would seem to be a reaction to those efforts -- that is, by decentralizing and hiding the command and control, they're effectively adapting to the tactics our military is using on the internet.

    I said a long time ago that the militarization of the internet would cause a lot of problems... and that we had no business developing an offensive cyber-military because it would just encourage others to begin an arms race that would lead to major economic and communications instabilities worldwide. It hasn't gotten that far yet, but it's building to that. Our own aggressive stance has created yet another fucking cold war.

    • by Anonymous Coward
      Question - wouldn't setting up Tor for C&C make it easier to detect individual bot zombies? Also, if botnets happen to constitute a significant portion of all Tor nodes, wouldn't that invite additional scrutiny to anyone running Tor?
    • I said a long time ago that the militarization of the internet would cause a lot of problem

      The internet was created by the US military for military research. It hasn't become militarized. It always has been. They just allowed a billion civilians to use a military network and we all jumped on board.

    • Re:Botnets and Tor (Score:5, Informative)

      by IamTheRealMike (537420) <mike@plan99.net> on Thursday September 05, 2013 @01:31PM (#44767287) Homepage

      I believe you are making an incorrect assumption that these botnet nodes are actually relaying on behalf of the network. I've not seen any reason to believe this is correct. Rather, they just act as normal clients of the Tor network, placing extreme load on existing relays.

      In fact, this botnet appears to be basically breaking Tor with many node operators reporting that their relays cannot keep up. The Tor developers recently started developing code to prioritise the more efficient NTOR handshake over the older protocol, and because the botnet runs older code people who upgrade to the latest code (once they are finished) should take priority over the botnet traffic. Until the botnet also upgrades, of course.

      To make it worse, when a circuit fails to build because of overloaded relays, Tor retries. I'm not sure there's any kind of exponential backoff. Thus the network goes into a death spiral in which clients constantly try to build circuits and fail, placing even more load on the already overloaded system and making it impossible to recover.

      Unfortunately we may be looking at the end of Tor here, at least temporarily. The botnet operator doesn't seem to realise what's happening, otherwise they'd be backing off. Tor is effectively experiencing a massive, global, accidental denial of service attack by this botnet. Many relays don't have enough CPU power to weather the circuit storms. It will be very interesting to see what the Tor developers do next - they don't have any effective way to fight off this botnet because almost by design they can't detect or centrally control the network. They practically have to ask nicely for the operators to go away.
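A toy queue model of the retry storm and of the ntor-first relay scheduling described in the comment above, added here as an illustration (it is not code from the thread or from Tor). It assumes one relay with a fixed per-tick handshake capacity, clients that give up after a fixed timeout and retry the next tick, and a relay that cannot recognise that a queued handshake's client has already given up; all parameters are constructed.

```python
"""Toy queue model of a circuit-build retry storm against one overloaded relay.
Added example, not code from the thread or from Tor.  Assumptions (constructed):
the relay can process `capacity` handshakes per tick; a client gives up on a
handshake after `timeout` ticks and retries on the next tick; the relay cannot
tell that a queued handshake's client has already given up, so the CPU it
spends on such stale entries is wasted."""

from collections import deque


def simulate(n_tap, n_ntor, ntor_start, capacity, timeout, prioritize_ntor, ticks):
    """Return (tap_done, ntor_done): how many clients of each kind built a circuit.

    Legacy (TAP) clients, i.e. the botnet, all start at tick 0; ntor clients join
    at tick `ntor_start`.  With prioritize_ntor=False the relay has a single FIFO
    queue; with True it always drains the ntor queue before the main queue."""
    kinds = ["tap"] * n_tap + ["ntor"] * n_ntor
    n = len(kinds)
    next_try = [0] * n_tap + [ntor_start] * n_ntor  # tick of each client's next attempt
    started = [None] * n                             # tick of the in-flight attempt, if any
    done = [False] * n
    main_q, ntor_q = deque(), deque()                # entries are (client, tick_started)
    for now in range(ticks):
        # 1. clients whose handshake has waited `timeout` ticks give up and will
        #    retry next tick; their stale entry stays in the relay's queue
        for c in range(n):
            if started[c] is not None and now - started[c] >= timeout:
                started[c] = None
                next_try[c] = now + 1
        # 2. clients that are due send a fresh handshake
        for c in range(n):
            if not done[c] and started[c] is None and next_try[c] <= now:
                started[c] = now
                q = ntor_q if prioritize_ntor and kinds[c] == "ntor" else main_q
                q.append((c, now))
        # 3. the relay burns its per-tick budget in queue order, ntor queue first
        budget = capacity
        for q in (ntor_q, main_q):
            while q and budget > 0:
                c, t0 = q.popleft()
                budget -= 1                    # CPU is spent even on a stale entry
                if started[c] == t0:           # client is still waiting: success
                    done[c] = True
                    started[c] = None
    tap_done = sum(done[c] for c in range(n) if kinds[c] == "tap")
    return tap_done, sum(done) - tap_done


if __name__ == "__main__":
    # constructed parameters: relay capacity 10 handshakes/tick, 3-tick client timeout
    print("no storm         ", simulate(25, 20, 5, 10, 3, False, 100))   # (25, 20)
    print("storm, one queue ", simulate(380, 20, 5, 10, 3, False, 100))  # (30, 0)
    print("storm, ntor first", simulate(380, 20, 5, 10, 3, True, 100))   # (30, 20)
```

In the single-queue storm the relay only ever serves the first 30 bots before every entry it reaches is stale, and the 20 later clients never get through; with the ntor queue served first those 20 clients complete in two ticks while the legacy storm keeps spinning.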

      • Forgive me if this is a silly question, but...

        On what basis do you assume
        (a) that the operators of this botnet do not know exactly what they're doing, and
        (b) that this is not a deliberate attempt to break Tor?

        • Because if you RTFA you will see that they reverse engineered the botnet and found that it's trying to contact a C&C server, what's more, this bot has a history of using Tor for receiving commands. It's obviously not a deliberate attempt to wreck Tor.

          • by thoromyr (673646)

            your evidence does suggest that it is not deliberate -- but your evidence also describes a way to obfuscate a denial of service attack against Tor. And I can certainly see the appeal in eliminating Tor. It isn't what I would do* but it seems at least plausible.

            Just a thought. I'd guess you to be right in the assessment, just acknowledging it as a probability.

            * I'd setup enough exit nodes to conduct an attack against anonymity and record traffic for cracking, with priority based on other intelligence and the

      • I believe you are making an incorrect assumption that these botnet nodes are actually relaying on behalf of the network. I've not seen any reason to believe this is correct.

        And no reason to believe it's incorrect either. If the bot operator was smart, he'd set up at least part of his botnet to do relays as this would allow the bot's own traffic to mingle with the network's, and keep the network from crashing as more bots are added. If the operator manages to bring down Tor, he's shot himself in the foot as well. A client-only configuration is a mistake that someone unfamiliar with distributed computing might make in this scenario; not dissimilar to a similar mistake made by the

        • No offence, but there absolutely is reason to believe you're incorrect. The reasons are in the Tor mailing lists which I've been keeping up with for the past few weeks.

          Firstly, exit traffic has hardly moved, despite massive increase in Tor usage overall. This is consistent with the bots getting instructions from a hidden service. So exit node operators can't do much here.

          Secondly, the whole point of the hidden service protocol is that relays don't know the IP of the hidden service. That's why there are rend

        • by ae1294 (1547521)

          What if each bot rand() picks control servers and load balances? With computers coming on and off, commands will still spread over time between control nodes with newer commands overriding older commands. It's a tricky thing to get right but you could also have zombies rand() pick to become control nodes but you would need feedback I'd think, which I guess you could get by seeing how long commands take to spread and adjusting a variable in each zombie. Then you would have something that is almost a living thi

    • The good news is that although the botnet itself is bad, the number of connections and extra clients improves Tor security overall for all the other users.

      And how does it do that? Suppose your traffic is routed through 3 hops on Tor, from your entry point to exit. Suppose that all 3 of those hops are controlled by the same botnet operator. That operator now knows who you are and what you did. Note that "quadrupled clients" = "3 out of 4 clients are bots" and the odds of your whole path going through the same operator's equipment is very high.

    • Re:Botnets and Tor (Score:5, Informative)

      by bragr (1612015) * on Thursday September 05, 2013 @01:33PM (#44767317)

      >The good news is that although the botnet itself is bad, the number of connections and extra clients improves Tor security overall for all the other users. The thing is, the more relays, the more connections, the larger the network... the faster and more secure it is.

      That isn't what is happening here. The new connections are clients only so they aren't acting as relays or exit nodes. Tor network stats actually show a slight drop in performance. However, the increased number of clients does probably make correlation attacks harder, if the NSA or someone else is actually doing those.

      • Re:Botnets and Tor (Score:5, Interesting)

        by girlintraining (1395911) on Thursday September 05, 2013 @01:42PM (#44767381)

        If the NSA or someone else is actually doing those.

        If? You don't "If" in security. You assume you're already compromised, that the attacker is well-financed and has total knowledge of the network, etc. And yes, the NSA "or someone" is most definitely doing it. Just not to you. We know you browse for porn using Tor... and that you've visited the Silk Road just to see what the hubbub was about. Aaaaand... nobody cares.

        Besides, the hidden service protocol has a massive glitch; namely that it's a limited keyspace and the database is decentralized and distributed. They know what all the hidden services are... and you can too if you're sufficiently motivated.

        And most of them aren't anything of value.

      • by gl4ss (559668)

        ..wouldn't it make sense for them to add relaying though? otherwise it would be trivial to filter their traffic out.

    • The good news is that although the botnet itself is bad, the number of connections and extra clients improves Tor security overall for all the other users.

      Not necessarily. As it seems that the CIA can print their own money, they could try to purchase massive amounts of botnet nodes in order to attack TOR's anonymity should the need arise.

    • The thing is, the more relays, the more connections, the larger the network... the faster and more secure it is. If all the botnet does is setup relays, it's a win for the Tor network. Of course, it isn't going to just do that, and these aren't authorized relays so it's not exactly occupying the moral high ground here. The machines hosting the bot need scrubbed.

      The obvious reaction by governments (mainly fearing their people's right to privacy) will be to make it a harsh criminal offense to even dare run a

    • by Valdrax (32670)

      I said a long time ago that the militarization of the internet would cause a lot of problems... and that we had no business developing an offensive cyber-military because it would just encourage others to begin an arms race that would lead to major economic and communications instabilities worldwide. It hasn't gotten that far yet, but it's building to that. Our own aggressive stance has created yet another fucking cold war.

      The nitpicker in me wants to say "remilitarization," since the Internet started as a military resource, but that's not what's important.

      What's important is that this was inevitable. From the very dawn of the public gaining access to the internet, there were already viruses and worms. Decades before there ever even was an internet, our SF writers were telling tales of computer intrusion and privatized cyber-warfare. The internet provides access to infrastructure and documents that previously required phys

      • What's important is that this was inevitable. From the very dawn of the public gaining access to the internet, there were already viruses and worms.

        A fair assessment. However, global warming was also inevitable, but that doesn't mean we should just throw the helve after the hatchet. Botnets were, until the government stepped in, largely being organized by small groups of people who stuck to the same pattern of programming and with similar goals: either blackmail, identity theft, or similar methods of leveraging computational resources for profit (like bitcoin mining).

        While they were and continue to increase in complexity, it was still an iterative pro

    • And commercialisation too. In fact it might even be a major driving force behind militarisation. If we'd kept the Internet solely restricted to free information sharing, and forbidden monetisation of it in any form, we wouldn't be in this escalating mess now, but then it wouldn't appeal to "consumers" would it?
    • by Dishevel (1105119)

      I said a long time ago that the militarization of the internet would cause a lot of problems

      So. Did you say that prior to 1969?

  • The first time I read the headline I skipped over Tor, and interpreted it as vehicular traffic, thinking that there must have been a botnet preventing people from telecommuting meaning that they were all driving to work.

  • by FhnuZoag (875558) on Thursday September 05, 2013 @02:39PM (#44767835)

    Here, look at this:

    Pull up a google search:

    http://www.vir.us.com/delete-trojanwin32mevade-b-user-guide-to-remove-trojanwin32mevade-b
    > Countries Affected: Germany, USA, China, Switzerland, Canada etc.

    Now look at the Tor user numbers from China:

    https://metrics.torproject.org/users.html?graph=userstats-relay-country&start=2013-06-01&end=2013-08-30&country=cn#userstats-relay-country

    Why is Mevade creating Tor traffic from places as tiny as Vatican City, and having zero impact from China? When apparently China *is* affected by the botnet, and if past knowledge is any indicator, is probably the world capital of malware?

    It doesn't add up.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      It doesn't add up.

      Sure it does - China blocks Tor, so you won't see an increase in the numbers coming from there unless they are using the obfs stuff too (which they are not). I would assume you see a similar lack of increase in other countries that are in the "block-for-arms-race".
