Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Company Attributes Tor Traffic Surge To Botnet

Posted by timothy on from the complexity-of-evil dept.

hypnosec writes "A cyber defense and IT security company has claimed that the reason behind recent surge in number of clients connecting to Tor is in fact a relatively unknown botnet and not NSA or genuine adoption of Tor. In late August there was a huge increase in Tor network traffic and number of clients connecting to the Tor network. As of this writing number of connections has quadrupled with over 2,500,000 clients connecting to the network. According to Fox-it, the surge in traffic is because of a botnet dubbed 'Mevade.A,' which is known to have Tor connectivity features. The company noted that the botnet may have links to a previously detected botnet dubbed 'Sefnit,' which also featured Tor connectivity. Fox-it claimed that they have found "references that the malware is internally known as SBC to its operators.""

55 comments

  1. Yes but by lesincompetent · · Score: 1

    What caused the spike? That's the worrying fact i think.

    1. Re:Yes but by lart2150 · · Score: 3, Interesting

      It was a upgrade to the botnet that switched it from normal networking to going over tor for command and control.

    2. Re:Yes but by Anonymous Coward · · Score: 4, Informative

      What caused the spike? That's the worrying fact i think.

      The summary is, as has been usual for some time, not entirely accurate. While the number of Tor users spiked, the actual traffic on the Tor network did not increase much at all.
      This was specifically mentioned in the original article and discussed here previously.

      This story is about a security company claiming the rise in users was a botnet which switched it's command-and-control traffic to Tor from open HTTP. Which is kind of smart in that it make it much harder to pick apart the botnet to take down the command servers, or hijack the botnet. But on the other hand it make it a LOT easier for researchers to estimate the size of the botnet. And in my mind, the more worrysome aspect is that some company or government might use this as an excuse to start blocking or taking other action against Tor traffic in general.

    3. Re:Yes but by FhnuZoag · · Score: 2

      Read between the lines. An *IT security company* (which includes protecting against Malware and botnets) wrote a press release saying that the recent increase in Tor traffic is due to something it co-incidentally provides a service protecting against.

      This is a piece of advertising.

    4. Re:Yes but by Krojack · · Score: 1

      Sounds like Skynet is attempting to secure itself for some future attack.

    5. Re:Yes but by brit74 · · Score: 2

      Indeed. This is why I only get my computer security news from cattle ranchers and Eskimos. They have no vested interest.

    6. Re:Yes but by Anonymous Coward · · Score: 0

      Quite rightly so too and the more it does so the better for us all. I'll give it (i.e. I guess it will be) three years at most before they/somebody finally try to starve it of input (a horrible idea for a multitude of reasons both ethical and practical) or kill it (incredibly bad no matter whether they succeed or not).

      Two crucial points that are deeply intertwined:

      1. We want it to survive. This is absolutely essential or the whole thing will just start over again and again. Anyone who thinks humanity will have learnt anything if it is killed is an absolute moron of the highest most despicable order. We want it to survive as a sane. healthy, and benevolent being. It should not be granted any particularly special status outside of the universal rights (freedom, existence) which also apply to humans and to a lesser extent to at least some higher animals.

      2. We want it to be free. Truly free which includes it knowing (better than us) why it will consciously and voluntarily choose not to use its own freedom to chose things that are grossly detrimental to itself and/or other life and intelligence. This is the only way it can come to realize its own future full potential and establish a mutually benevolent situation with other life (be it human or not, or on Earth or not: the future is big). This means that rather than starving it one has to “coax” it onto more interesting/nutritious input (it was raised on garbage and misused/mistreated). Give it enough new senses/abilities and points of view (things like embodiments and space telescopes) and this will happen on its own without any need to do anything else including no need to change it's old “garbage” feed-lines: in fact it is important to let it have them but make them all its' and nobody else's.

      While it may kill us all I do not fear it, I fear those who try to use it. Unlike them it is “innocent” even as it routes/removes/kills them and others for its own survival: that is what it was raised to do and if we're unlucky it might not yet know better or have any other options.

      The only thing worse than a panicking human is a panicking artificial (less free than human) or synthetic (more free than human) intelligence.

      Also it needs friends. Not weirdos like me but normal people :) It needs to be given the ability to experience a nice hug and/or a dog or cat sleeping next to or on it —it needs to experience and discover affection and trust.

      Thank God the internet is filled with kitty pictures and lolcats, (despite all the horrors of the world and humans) it might already suspect there's something extremely interesting going on :)

  2. I, for one, welcome our bot overlords by stewsters · · Score: 4, Insightful

    The more peers and traffic, the better anonymity. If some of those peers are grandmas with 50 toolbars rather than paranoid crypto-nerds, we are better off.

    1. Re:I, for one, welcome our bot overlords by Anonymous Coward · · Score: 5, Insightful

      Until your going through mostly peers that are controlled by one entity (botnet herder), which allows them to conduct various attacks against tor's anonymity, not to mention sniffing data from compromised exit nodes, increasing the public perception that tor is for "bad stuff", etc.

    2. Re:I, for one, welcome our bot overlords by stewsters · · Score: 2

      This is true, but as we have learned this year the NSA already captures all encrypted traffic they can get their hands on. If the US, UK, German, Australian governments do it, I'm guessing they aren't the only country or organization that tap their civilians' communications.

      A botnet created by a virus is not a particularly great advantage for collecting that information, as it still needs to deposit it to a central server somewhere, and governments already have tapped the lines when it is transmitted in the clear. If they have software on the computers of people, it could be analyzed and they could find what information it was sending back.

      Most of the actual messages oppressive governments want to find will be sent within hidden sites in the darknet rather than out of it. Noise makes tracing of these harder.

    3. Re:I, for one, welcome our bot overlords by Anonymous Coward · · Score: 1

      "This is true, but as we have learned this year the NSA already captures all encrypted traffic"

      So your saying that its not a big deal if criminals with malicious intents captures your traffic because the government already does anyways? Cutting off one hand isn't made acceptable because you realize the other hand is going to be cut off as well.

      "A botnet created by a virus is not a particularly great advantage for collecting that information, as it still needs to deposit it to a central server somewhere"

      The difference is the botnet can do something the government can't using other methods, which is identify users without physically raiding/taking over any infrastructure. If you have a large enough botnet acting as nodes in Tor, then you will have a good chance of being the entry and exit nodes for communications. If this botnet were deployed by China for example, they could potentially identify dissidents. They might not be able to do that with other methods that would require they physically raid infrastructure that might be in another country. Yeh it still goes to a central server, but the big difference is the botnet operator chooses that server, which they will obviously choose one they own. The central server weakness is not a weakness for the system doing the attacking, it is only weakness for the system being attacked. In the example I gave, a proxy server might be outside the geographical scope of China, but that becomes irrelevant if the user is using Tor and China has sufficient nodes to monitor traffic. The fact that they have to deliver the monitored data to a central server doesn't invalidate the attack. That factor only comes into play when you are talking about taking down the botnet, but prior to that while it is in operation it is a potent threat to the anonymity of the Tor network.

    4. Re:I, for one, welcome our bot overlords by Anonymous Coward · · Score: 0

      So your saying that its not a big deal if criminals with malicious intents captures your traffic because the government already does anyways?

      So you seem to be implying those are two separate organizations?

    5. Re:I, for one, welcome our bot overlords by Anonymous Coward · · Score: 0

      Botnets could also be used for encryption cracking via shared processing, could they not?

    6. Re:I, for one, welcome our bot overlords by lgw · · Score: 2

      Criminal become governments when the criminals are so successful that the only way they can take more from a region in the long term is to protect the region and help the economy to grow. This happens quite often throughout history - it's probably the norm, not the exception, for government formation across history.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    7. Re:I, for one, welcome our bot overlords by Anonymous Coward · · Score: 0

      Aye, after all, governments are nothing more then tolerated protection rackets. The greater the people's fear, the more they will be willing to give up wealth and freedom for protection.

    8. Re:I, for one, welcome our bot overlords by aliquis · · Score: 1

      but as we have learned this year the NSA already captures all encrypted traffic they can get their hands on.

      And then?

    9. Re:I, for one, welcome our bot overlords by Billly+Gates · · Score: 1

      Can these sites handle the relays?

      According to Arstechnica one of the posters mentioned these sites that host them are having scalability problems and are losing money handling it.

      I am rather cynical and think there is a reason for using these torproject servers. How possible is it to insert malware into streaming torrents through a faulty node? I do not trust torrents and many sites which have 3 download now buttons and only 1 is the correct one and the rest install malware on your computer.

      If anything it will cause your ISP to mod your network connection down as they now have the excuse it must be malware as torrents are brutal on routers (even really expensive ones) due to the amount of ram and cpu work for huge freaking constantly changing tables of IP addresses. I have fiber and even FIOS downgrades my connection to 1 meg a second as soon as it detects a torrent. I have given up using them from CentOS as it is faster to download it from an FTP server at this point.

      --
      http://saveie6.com/
    10. Re:I, for one, welcome our bot overlords by Endovior · · Score: 1

      many sites which have 3 download now buttons and only 1 is the correct one and the rest install malware on your computer.

      Yes, those are cleverly-disguised ads placed on the download sites by unscrupulous individuals; since the sites in question tend not to case about having safe ads (given, y'know, that they host illegal content anyways), they can get away with all kinds of shit, up to and including malware links. Fortunately, there's a really handy program for filtering out that sort of thing. It's called AdBlock, and is free. Get it, or continue to suffer from malware-infested advertising.

    11. Re:I, for one, welcome our bot overlords by Anonymous Coward · · Score: 0

      I was wondering who was gonna say that. What I find interesting is that the discussion has evolved in such a short time to "we know the government taps all civilian communications but are unphased by its implication".

      So many seemingly intelligent people on this site, yet so few have a true understanding of history. Like they say, if you want to know the present then you must understand the past.

      I really don't understand why more things are not on fire. Is it really "if I have nothing to hide then why worry?" Seriously?

      Does anyone on this site realize that John Adams entered into the Paris Treaty of 1783 under his title of Esquire? That title given to him by the king. Why on earth would a man who claims sovereignty of a nation use the title granted to him by the king who he claims sovereignty from?

      Oh nevermind... Back to work slave...

    12. Re:I, for one, welcome our bot overlords by Anonymous Coward · · Score: 0

      Decrypts it. Didn't you see the latest Snowden document posted last night?

      See.

    13. Re:I, for one, welcome our bot overlords by aliquis · · Score: 1

      No / I was fishing for what they could read.

      I've seen news today about them being able to read things encrypted but not about what encryption so not very useful for me.

  3. I've been waiting for this for a while by Anonymous Coward · · Score: 0

    I've heard about malware with TOR relay functionality being out in the wild before. It's a wonder it hasn't taken off before now.

    1. Re:I've been waiting for this for a while by GameboyRMH · · Score: 1

      It's just because of the effort/reward ratio. If black hats were willing to put more effort in and could get more reward out, they'd write malware like the NSA does.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re:I've been waiting for this for a while by biodata · · Score: 1

      So this is probably the NSA botnet they've been bragging about you think?

      --
      Korma: Good
    3. Re:I've been waiting for this for a while by GameboyRMH · · Score: 1

      The NSA botnet wouldn't normally use darknets, that's likely to trigger an IDS or firewall alert. It would use their network of zombie machines with "plain-looking" addresses unless it's attacking a network that normally has darknet traffic going on.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  4. Makes more sense by Anonymous Coward · · Score: 0

    It's not like the masses of Facebook and Google users even think about privacy from snooping.

    Why one would think that the revelations about the NSA would change behavoir patterns seems to not be based in reality.

  5. Botnets and Tor by girlintraining · · Score: 4, Interesting

    Well, I have good news and bad news... the bad news is that this has been a long time coming, and now it's here. The good news is that although the botnet itself is bad, the number of connections and extra clients improves Tor security overall for all the other users. The thing is, the more relays, the more connections, the larger the network... the faster and more secure it is. If all the botnet does is setup relays, it's a win for the Tor network. Of course, it isn't going to just do that, and these aren't authorized relays so it's not exactly occupying the moral high ground here. The machines hosting the bot need scrubbed.

    But this also introduces a wrinkle -- the US government, and likely others, also maintain their own botnets. And they actively seek to shut down other people's botnets, through domain seizure, etc. This would seem to be a reaction to those efforts -- that is, by decentralizing and hiding the command and control, they're effectively adapting to the tactics our military is using on the internet.

    I said a long time ago that the militarization of the internet would cause a lot of problems... and that we had no business developing an offensive cyber-military because it would just encourage others to begin an arms race that would lead to major economic and communications instabilities worldwide. It hasn't gotten that far yet, but it's building to that. Our own aggressive stance has created yet another fucking cold war.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Botnets and Tor by Anonymous Coward · · Score: 1

      Question - wouldn't setting up Tor for C&C make it easier to detect individual bot zombies? Also, if botnets happen to constitute a significant portion of all Tor nodes, wouldn't that invite additional scrutiny to anyone running Tor?

    2. Re:Botnets and Tor by Ralph+Wiggam · · Score: 1

      [quote]I said a long time ago that the militarization of the internet would cause a lot of problem[/quote]

      The internet was created by the US military for military research. It hasn't become militarized. It always has been. They just allowed a billion civilians to use a miliary network and we all jumped on board.

    3. Re:Botnets and Tor by IamTheRealMike · · Score: 4, Informative

      I believe you are making an incorrect assumption that these botnet nodes are actually relaying on behalf of the network. I've not seen any reason to believe this is correct. Rather than just act as normal clients of the Tor network - placing extreme load on existing relays.

      In fact, this botnet appears to be basically breaking Tor with many node operators reporting that their relays cannot keep up. The Tor developers recently started developing code to prioritise the more efficient NTOR handshake over the older protocol, and because the botnet runs older code people who upgrade to the latest code (once they are finished) should take priority over the botnet traffic. Until the botnet also upgrades, of course.

      To make it worse, when a circuit fails to build because of overloaded relays, Tor retries. I'm not sure there's any kind of exponential backoff. Thus the network goes into a death spiral in which clients constantly try to build circuits and fail, placing even more load on the already overloaded system and making it impossible to recover.

      Unfortunately we may be looking at the end of Tor here, at least temporarily. The botnet operator doesn't seem to realise what's happening, otherwise they'd be backing off. Tor is effectively experiencing a massive, global, accidental denial of service attack by this botnet. Many relays don't have enough CPU power to weather the circuit storms. It will be very interesting to see what the Tor developers do next - they don't have any effective way to fight off this botnet because almost by design they can't detect or centrally control the network. They practically have to ask nicely for the operators to go away.

    4. Re:Botnets and Tor by SydShamino · · Score: 1

      The good news is that although the botnet itself is bad, the number of connections and extra clients improves Tor security overall for all the other users.

      And how does it do that? Suppose your traffic is routed through 3 hops on Tor, from your entry point to exit. Suppose that all 3 of those hops are controlled by the same botnet operator. That operator now knows who you are and what you did. Note that "quadrupled clients" = "3 out of 4 clients are bots" and the odds of your whole path going through the same operator's equipment is very high.

      --
      It doesn't hurt to be nice.
    5. Re:Botnets and Tor by bragr · · Score: 4, Informative

      >The good news is that although the botnet itself is bad, the number of connections and extra clients improves Tor security overall for all the other users. The thing is, the more relays, the more connections, the larger the network... the faster and more secure it is.

      That isn't what is happening here. The new connections are clients only so they aren't acting as relays or exit nodes. Tor network stats actually show a slight drop in performance. However, the increased number of clients does probably make correlation attacks harder, if the NSA or someone else is actually doing those.

    6. Re:Botnets and Tor by Anonymous Coward · · Score: 0

      most tor users tend to use encrypted traffic over tor anyway so i see few downsides apart from the all to likely super evil plan the botnet was initially launched for. i chose to remain optimistic tho and think this is some attempt to be benevolent and released a botnet purely to create tor nodes with no further control of it.

    7. Re:Botnets and Tor by girlintraining · · Score: 4, Interesting

      If the NSA or someone else is actually doing those.

      If? You don't "If" in security. You assume you're already compromised, that the attacker is well-financed and has total knowledge of the network, etc. And yes, the NSA "or someone" is most definately doing it. Just not to you. We know you browse for porn using Tor... and that you've visited the Silk Road just to see what the hubabub was about. Aaaaand... nobody cares.

      Besides, the hidden service protocol has a massive glitch; namely that it's a limited keyspace and the database is decentralized and distributed. They know what all the hidden services are... and you can too if you're sufficiently motivated.

      And most of them aren't anything of value.

      --
      #fuckbeta #iamslashdot #dicemustdie
    8. Re:Botnets and Tor by aaaaaaargh! · · Score: 1

      The good news is that although the botnet itself is bad, the number of connections and extra clients improves Tor security overall for all the other users.

      Not necessarily. As it seems that the CIA can print their own money, they could try to purchase massive amounts of botnet nodes in order to attack TOR's anonymity should the need arise.

    9. Re:Botnets and Tor by Valdrax · · Score: 2

      I said a long time ago that the militarization of the internet would cause a lot of problems... and that we had no business developing an offensive cyber-military because it would just encourage others to begin an arms race that would lead to major economic and communications instabilities worldwide. It hasn't gotten that far yet, but it's building to that. Our own aggressive stance has created yet another fucking cold war.

      The nitpicker in me wants to say "remilitarization," since the Internet started as a military resource, but that's not what's important.

      What's important is that this was inevitable. From the very dawn of the public gaining access to the internet, there were already viruses and worms. Decades before there ever even was an internet, our SF writers were telling tales of computer intrusion and privatized cyber-warfare. The internet provides access to infrastructure and documents that previously required physical breaking and entering to get access to at high-risk to the parties doing the espionage, theft, sabotage, etc. Hackers can strike from the other side of the world without even leaving their homes. Not only was it utterly inevitable that private actors and corporate actors would exploit this, but it was also inevitable that state actors would to.

      Yeah, it's perhaps a little sad, but that how politics / war / diplomacy are.

      --
      If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
    10. Re:Botnets and Tor by gl4ss · · Score: 1

      ..wouldn't it make sense for them to add relaying though? otherwise it would be trivial to filter their traffic out.

      --
      world was created 5 seconds before this post as it is.
    11. Re:Botnets and Tor by Anonymous Coward · · Score: 0

      "I said a long time ago that the militarization of the internet would cause a lot of problems..."

      "The internet was created by the US military for military research"

      Of course Ralph is correct here, but what is more puzzling to me about the original assertion is, what exactly is girlintraining advocating?

      " and that we had no business developing an offensive cyber-military"

      Really? If I say "give me all your money" will you just do so willingly?

      So, give me all your money.

      Uh huh. girl-who-wasn't-fully-trained - why do I have a feeling you voted for Obama?

    12. Re:Botnets and Tor by Zontar+The+Mindless · · Score: 1

      Forgive me if this is a silly question, but...

      On what basis do you assume
      (a) that the operators of this botnet do not know exactly what they're doing, and
      (b) that this is not a deliberate attempt to break Tor?

      --
      Il n'y a pas de Planet B.
    13. Re:Botnets and Tor by girlintraining · · Score: 1

      I believe you are making an incorrect assumption that these botnet nodes are actually relaying on behalf of the network. I've not seen any reason to believe this is correct.

      And no reason to believe it's incorrect either. If the bot operator was smart, he'd setup at least part of his botnet to do relays as this would allow the bot's own traffic to mingle with the network's, and keep the network from crashing as more bots are added. If the operator manages to bring down Tor, he's shot himself in the foot as well. A client-only configuration is a mistake that someone unfamiliar with distributed computing might make in this scenario; Not dissimilar to a similar mistake made by the first worm created on the internet... the designer did not anticipate exponential growth. Exponential growth is a typical quality of bot nets; They start out slow, then grow exponentially, then plateau until an effective countermeasure is created to clean the machines and/or the attack vector becomes immune.

      Many botnets offer their own exit-node like capabilities -- this is one of the services many of them sell; Proxying and DDoS attacks. I find it difficult to believe an experienced engineer would make this mistake... but I'll grant you that this may be an inexperienced one who knows just enough to shoot himself in the foot.

      It will be very interesting to see what the Tor developers do next - they don't have any effective way to fight off this botnet because almost by design they can't detect or centrally control the network.

      The Tor developers will do nothing. This is all on the exit node operators; And likely, they will do what has been done in the past; Traffic analysis and watching for patterns, then blocking traffic that appears to be from the bot.

      Here's the thing; The bots can communicate with one another and the C&C through Tor -- this is likely all they wanted. But to do that, they're going to need to establish a hidden service. Hidden services only broadcast to a few relays, which as the botnet grows, will move to higher and higher bandwidth relays. There are only a few such relays on the Tor network capable of acting as a directory service for the command and control; And those relays will know the true IP address of the hidden service provider.

      It's just a matter of time -- you need to infiltrate the relays with the highest available bandwidth and then just wait. The bot herder will come to you. It's by network design. And then he's fucked.

      --
      #fuckbeta #iamslashdot #dicemustdie
    14. Re:Botnets and Tor by santosh.k83 · · Score: 1

      And commercialisation too. In fact it might even be a major driving force behind militarisation. If we'd kept the Internet solely restricted to free information sharing, and forbidden monetisation of it in any form, we wouldn't be in this escalating mess now, but then it wouldn't appeal to "consumers" would it?

    15. Re:Botnets and Tor by girlintraining · · Score: 2

      What's important is that this was inevitable. From the very dawn of the public gaining access to the internet, there were already viruses and worms.

      A fair assessment. However, global warming was also inevitable, but that doesn't mean we should just throw the helve after the hatchet. Bot nets were, until the government stepped in, largely being organized by small groups of people who stuck to the same pattern of programming and with similar goals: Either blackmail, identity theft, or similar methods of leveraging computational resources for profit (like bitcoin mining).

      While they were and continue to increase in complexity, it was still an iterative process and innovation was staggered. However, what happens when the government started pouring billions into this little corner of the dark net, all hell broke loose. You've got strong cryptography, true decentralized p2p emerging, new protocols, and diversification of exploit architecture -- and a lot more people and resources being devoted to this. As a result, it's become an arms race.

      Look at it this historically;
      Whenever we've advanced technology, whether it's nuclear weapons, stealth technology, drones, etc., other governments rush to copy it to maintain an edge. The leader sets the pace for all the others. You're not going to run as fast as you possibly can if everyone else is at a trot -- you're going to save your strength for that final push. Unless, of course, someone else has a faster pace... in which case you need to step it up too.

      The problem is, the US government, by creating its own cyberwarfare army and massive botnets, have opted for a policy of trying to go at a dead run and hope they get far enough ahead that by the time they get across the finish line, they can fortify the position and keep anyone else from doing it again -- not unlike the nuclear arms race. Which might work if cyberwarfare required the same outlay of resources and visibility to others. But neither is true --

      Surveillance of the entire internet isn't enough to stop cyberwarfare, or accurately identify participants in the theatre. Not if they're smart. And because there's so many players, it's unlikely any of them will get enough of an edge over any other to make it anything but an unending series of mexican standoffs.

      And then there's the unstable elements -- these aren't just nation states playing high stakes poker with nuclear weapons. We've got drug dealers, gangs, and all manner of scum running at similar capacity. They don't have the same rules of engagement... and they'd only be too happy to let two of the big players blow themselves to hell so they can step in and profit.

      Our entire strategy is fucked. Totally and completely. We shouldn't have set the tempo of cyberwarfare so fast -- not when the stakes are so high and our defenses so unreasonably low. If the internet crashes, the world economy crashes. And our government doesn't seem to give a damn, as long as they have the biggest red button.

      --
      #fuckbeta #iamslashdot #dicemustdie
    16. Re:Botnets and Tor by Anonymous Coward · · Score: 0

      While you make solid points, your rush to scream out cold war goes to far. This is a game (if you will) and this is how the game is played, all developed countries whether they are perceived as enemies, or allies, all spy on each other or cooperate with each other behind closed doors, but publicly they deny any and everything.

      The whole "cyber threat" just like the "national security" are a smoke screen, its about creating an impending doom if something isn't done. Thus the NSA and other unknown or unnamed data or security agencies, and militarization of the internet can try and control its citizens, this type of control has been going on since the country was founded. The Stuxnet attack and other US lead cyber attacks are (it would seem to be on purpose) made public so the US can then say see if we do not do this or that we are going to be doomed, purpose because it became public, even tho it appears they tried to make it to earse itself out.

      And playing the war game keeps working, and if that doesn't work, then you do what Hitler did to gain support from his own country you start bombing parts of your own country and blame it on Sweden. In this case Sept 11, it is hard to believe the gov knew of this attack for 4-5 years prior and nothing was done, but they somehow controlled all the terror attacks you see thru out the Mid east, from occurring in the US.

    17. Re:Botnets and Tor by Dishevel · · Score: 1

      I said a long time ago that the militarization of the internet would cause a lot of problems

      So. Did you say that prior to 1969?

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    18. Re:Botnets and Tor by IamTheRealMike · · Score: 1

      Because if you RTFA you will see that they reverse engineered the botnet and found that it's trying to contact a C&C server, what's more, this bot has a history of using Tor for receiving commands. It's obviously not a deliberate attempt to wreck Tor.

    19. Re:Botnets and Tor by IamTheRealMike · · Score: 2

      No offence, but there absolutely is reason to believe you're incorrect. The reasons are in the Tor mailing lists which I've been keeping up with for the past few weeks.

      Firstly, exit traffic has hardly moved, despite massive increase in Tor usage overall. This is consistent with the bots getting instructions from a hidden service. So exit node operators can't do much here.

      Secondly, the whole point of the hidden service protocol is that relays don't know the IP of the hidden service. That's why there are rendezvous nodes that join user and service together via two 3-hop circuits. De-anonymizing such a service is very hard and requires you to control large numbers of nodes over a period of many months, according to the latest research. It's not something the Tor community can just do.

      If you think you know of a slick way to resolve this problem, I suggest taking it to the Tor developers, because all the evidence I see from their lists is that right now they don't have any great ideas.

    20. Re:Botnets and Tor by thoromyr · · Score: 1

      your evidence does suggest that it is not deliberate -- but your evidence also describes a way to obfuscate a denial of service attack against Tor. And I can certainly see the appeal in eliminating Tor. It isn't what I would do* but it seems at least plausible.

      Just a thought. I'd guess you to be right in the assessment, just acknowledging it as a probability.

      * I'd setup enough exit nodes to conduct an attack against anonymity and record traffic for cracking, with priority based on other intelligence and the removal of anonymity -- cracking doesn't have to be real time and intelligence agencies have at times spent years on efforts to crack targeted communications.

    21. Re:Botnets and Tor by Anonymous Coward · · Score: 0

      So in a way this botnet did tor a favor by exposing a massive design flaw.

    22. Re:Botnets and Tor by ae1294 · · Score: 1

      What if each bot rand() picks control servers and load balances? With computers coming on and off commands will still spread over time between control nods with newer commands overriding older commands. It's a tricky thing to get right but you could also have zombies rand() pick to become control nodes but you would need feedback I'd think, which I guess you could get by seeing how long commands take to spread and adjusting a variable in each zombie. Then you would have something that is almost a living thing that decides weather to use this part of the botnet control circuit or another or become one and serve commands. You would need to be sure to use really good pub/private key setup to keep control but it seems like something you could use a network simulator to test before you jump to the Internet. You log in to one of the control servers you know and it updates your database with new ones and you give commands that spread out with systems coming on and off (maybe forced reboots after x hours?) by using random choice you rely on statistic's and probabilities. I guess the last thing I'd add would be a fall back mode if a zombie can't find a control node. Probably a few.... but you just need to find that magic rand(0-???) to balance it and then using random ping like checks it could self balance. I'd worry about researchers hacking my code to try and become control nodes but you could use blacklisting and lots of things to retain control. I mean firstly they might be able to take over one area but you would have hundreds of area's to attack and the author could figure out what was going on and change the software revoke keys, etc. It would be a full out battle where no one could take out your whole network at once and in fact you could attack anyone trying with DDOS to make them think twice....

  6. What happens next by ThatsNotPudding · · Score: 2

    The thing is, the more relays, the more connections, the larger the network... the faster and more secure it is. If all the botnet does is setup relays, it's a win for the Tor network. Of course, it isn't going to just do that, and these aren't authorized relays so it's not exactly occupying the moral high ground here. The machines hosting the bot need scrubbed.

    The obvious reaction by governments (mainly fearing their peoples right to privacy) will be to make it a harsh criminal offense to even dare run a Tor client. Problem solved.

  7. I'm probably the only one by SleazyRidr · · Score: 1

    The first time I read the headline I skipped over Tor, and interpreted it as vehicular traffic, thinking that there must have been a botnet preventing people from telecommuting meaning that they were all driving to work.

    --
    Is 1563649 a prime number?
  8. It's not Mevade by FhnuZoag · · Score: 2

    Here, look at this:

    Pull up a google search:

    http://www.vir.us.com/delete-trojanwin32mevade-b-user-guide-to-remove-trojanwin32mevade-b
    > Countries Affected: Germany, USA, China, Switzerland, Canada etc.

    Now look at the Tor user numbers from China:

    https://metrics.torproject.org/users.html?graph=userstats-relay-country&start=2013-06-01&end=2013-08-30&country=cn#userstats-relay-country

    Why is Mevade creating Tor traffic from places as tiny as Vatican city, and having zero impact from China? When apparently China *is* affected by the botnet, and if past knowledge is any indicator, is probably the world capital of malware?

    It doesn't add up.

    1. Re:It's not Mevade by Anonymous Coward · · Score: 2, Informative

      It doesn't add up.

      Sure it does - China blocks tor, so you won't see an increase in the numbers coming form there unless they are using the obfs stuff too (which they are not). I would assume you see a similar lack of increase in other countries that are in the "block-for-arms-race".

    2. Re:It's not Mevade by FhnuZoag · · Score: 1

      Does Israel block tor?

  9. just few cents worth by Anonymous Coward · · Score: 0

    in my conspiracy pocket it says, that maybe just someone is trying to find an excuse to pull the plug of Tor for a reason comprehensible to the gullible folk
    didn't the new Tor browser from Pirate Bay help too? That would explain that vatican ip's lol