Security Company Attributes Tor Traffic Surge To Botnet

← Back to Stories (view on slashdot.org)

Security Company Attributes Tor Traffic Surge To Botnet

Posted by timothy on Thursday September 5, 2013 @04:54AM from the complexity-of-evil dept.

hypnosec writes "A cyber defense and IT security company has claimed that the reason behind recent surge in number of clients connecting to Tor is in fact a relatively unknown botnet and not NSA or genuine adoption of Tor. In late August there was a huge increase in Tor network traffic and number of clients connecting to the Tor network. As of this writing number of connections has quadrupled with over 2,500,000 clients connecting to the network. According to Fox-it, the surge in traffic is because of a botnet dubbed 'Mevade.A,' which is known to have Tor connectivity features. The company noted that the botnet may have links to a previously detected botnet dubbed 'Sefnit,' which also featured Tor connectivity. Fox-it claimed that they have found "references that the malware is internally known as SBC to its operators.""

42 of 55 comments (clear)

Min score:

Reason:

Sort:

Yes but by lesincompetent · 2013-09-05 05:03 · Score: 1

What caused the spike? That's the worrying fact i think.
1. Re:Yes but by lart2150 · 2013-09-05 05:09 · Score: 3, Interesting
  
  It was a upgrade to the botnet that switched it from normal networking to going over tor for command and control.
2. Re:Yes but by Anonymous Coward · 2013-09-05 06:21 · Score: 4, Informative
  
  What caused the spike? That's the worrying fact i think.
  The summary is, as has been usual for some time, not entirely accurate. While the number of Tor users spiked, the actual traffic on the Tor network did not increase much at all.
  This was specifically mentioned in the original article and discussed here previously.
  This story is about a security company claiming the rise in users was a botnet which switched it's command-and-control traffic to Tor from open HTTP. Which is kind of smart in that it make it much harder to pick apart the botnet to take down the command servers, or hijack the botnet. But on the other hand it make it a LOT easier for researchers to estimate the size of the botnet. And in my mind, the more worrysome aspect is that some company or government might use this as an excuse to start blocking or taking other action against Tor traffic in general.
3. Re:Yes but by FhnuZoag · 2013-09-05 06:46 · Score: 2
  
  Read between the lines. An *IT security company* (which includes protecting against Malware and botnets) wrote a press release saying that the recent increase in Tor traffic is due to something it co-incidentally provides a service protecting against.
  This is a piece of advertising.
4. Re:Yes but by Krojack · 2013-09-05 08:16 · Score: 1
  
  Sounds like Skynet is attempting to secure itself for some future attack.
5. Re:Yes but by brit74 · 2013-09-05 08:31 · Score: 2
  
  Indeed. This is why I only get my computer security news from cattle ranchers and Eskimos. They have no vested interest.
I, for one, welcome our bot overlords by stewsters · 2013-09-05 05:05 · Score: 4, Insightful

The more peers and traffic, the better anonymity. If some of those peers are grandmas with 50 toolbars rather than paranoid crypto-nerds, we are better off.
1. Re:I, for one, welcome our bot overlords by Anonymous Coward · 2013-09-05 05:14 · Score: 5, Insightful
  
  Until your going through mostly peers that are controlled by one entity (botnet herder), which allows them to conduct various attacks against tor's anonymity, not to mention sniffing data from compromised exit nodes, increasing the public perception that tor is for "bad stuff", etc.
2. Re:I, for one, welcome our bot overlords by stewsters · 2013-09-05 05:32 · Score: 2
  
  This is true, but as we have learned this year the NSA already captures all encrypted traffic they can get their hands on. If the US, UK, German, Australian governments do it, I'm guessing they aren't the only country or organization that tap their civilians' communications.
  
  A botnet created by a virus is not a particularly great advantage for collecting that information, as it still needs to deposit it to a central server somewhere, and governments already have tapped the lines when it is transmitted in the clear. If they have software on the computers of people, it could be analyzed and they could find what information it was sending back.
  
  Most of the actual messages oppressive governments want to find will be sent within hidden sites in the darknet rather than out of it. Noise makes tracing of these harder.
3. Re:I, for one, welcome our bot overlords by Anonymous Coward · 2013-09-05 06:00 · Score: 1
  
  "This is true, but as we have learned this year the NSA already captures all encrypted traffic"
  So your saying that its not a big deal if criminals with malicious intents captures your traffic because the government already does anyways? Cutting off one hand isn't made acceptable because you realize the other hand is going to be cut off as well.
  "A botnet created by a virus is not a particularly great advantage for collecting that information, as it still needs to deposit it to a central server somewhere"
  The difference is the botnet can do something the government can't using other methods, which is identify users without physically raiding/taking over any infrastructure. If you have a large enough botnet acting as nodes in Tor, then you will have a good chance of being the entry and exit nodes for communications. If this botnet were deployed by China for example, they could potentially identify dissidents. They might not be able to do that with other methods that would require they physically raid infrastructure that might be in another country. Yeh it still goes to a central server, but the big difference is the botnet operator chooses that server, which they will obviously choose one they own. The central server weakness is not a weakness for the system doing the attacking, it is only weakness for the system being attacked. In the example I gave, a proxy server might be outside the geographical scope of China, but that becomes irrelevant if the user is using Tor and China has sufficient nodes to monitor traffic. The fact that they have to deliver the monitored data to a central server doesn't invalidate the attack. That factor only comes into play when you are talking about taking down the botnet, but prior to that while it is in operation it is a potent threat to the anonymity of the Tor network.
4. Re:I, for one, welcome our bot overlords by lgw · 2013-09-05 06:25 · Score: 2
  
  Criminal become governments when the criminals are so successful that the only way they can take more from a region in the long term is to protect the region and help the economy to grow. This happens quite often throughout history - it's probably the norm, not the exception, for government formation across history.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
5. Re:I, for one, welcome our bot overlords by aliquis · 2013-09-05 07:09 · Score: 1
  
  but as we have learned this year the NSA already captures all encrypted traffic they can get their hands on.
  And then?
6. Re:I, for one, welcome our bot overlords by Billly+Gates · 2013-09-05 07:17 · Score: 1
  
  Can these sites handle the relays?
  According to Arstechnica one of the posters mentioned these sites that host them are having scalability problems and are losing money handling it.
  I am rather cynical and think there is a reason for using these torproject servers. How possible is it to insert malware into streaming torrents through a faulty node? I do not trust torrents and many sites which have 3 download now buttons and only 1 is the correct one and the rest install malware on your computer.
  If anything it will cause your ISP to mod your network connection down as they now have the excuse it must be malware as torrents are brutal on routers (even really expensive ones) due to the amount of ram and cpu work for huge freaking constantly changing tables of IP addresses. I have fiber and even FIOS downgrades my connection to 1 meg a second as soon as it detects a torrent. I have given up using them from CentOS as it is faster to download it from an FTP server at this point.
  
  --
  http://saveie6.com/
7. Re:I, for one, welcome our bot overlords by Endovior · 2013-09-05 08:39 · Score: 1
  
  many sites which have 3 download now buttons and only 1 is the correct one and the rest install malware on your computer.
  Yes, those are cleverly-disguised ads placed on the download sites by unscrupulous individuals; since the sites in question tend not to case about having safe ads (given, y'know, that they host illegal content anyways), they can get away with all kinds of shit, up to and including malware links. Fortunately, there's a really handy program for filtering out that sort of thing. It's called AdBlock, and is free. Get it, or continue to suffer from malware-infested advertising.
8. Re:I, for one, welcome our bot overlords by aliquis · 2013-09-06 07:34 · Score: 1
  
  No / I was fishing for what they could read.
  I've seen news today about them being able to read things encrypted but not about what encryption so not very useful for me.
Botnets and Tor by girlintraining · 2013-09-05 05:12 · Score: 4, Interesting

Well, I have good news and bad news... the bad news is that this has been a long time coming, and now it's here. The good news is that although the botnet itself is bad, the number of connections and extra clients improves Tor security overall for all the other users. The thing is, the more relays, the more connections, the larger the network... the faster and more secure it is. If all the botnet does is setup relays, it's a win for the Tor network. Of course, it isn't going to just do that, and these aren't authorized relays so it's not exactly occupying the moral high ground here. The machines hosting the bot need scrubbed.
But this also introduces a wrinkle -- the US government, and likely others, also maintain their own botnets. And they actively seek to shut down other people's botnets, through domain seizure, etc. This would seem to be a reaction to those efforts -- that is, by decentralizing and hiding the command and control, they're effectively adapting to the tactics our military is using on the internet.
I said a long time ago that the militarization of the internet would cause a lot of problems... and that we had no business developing an offensive cyber-military because it would just encourage others to begin an arms race that would lead to major economic and communications instabilities worldwide. It hasn't gotten that far yet, but it's building to that. Our own aggressive stance has created yet another fucking cold war.

--
#fuckbeta #iamslashdot #dicemustdie
1. Re:Botnets and Tor by Anonymous Coward · 2013-09-05 05:23 · Score: 1
  
  Question - wouldn't setting up Tor for C&C make it easier to detect individual bot zombies? Also, if botnets happen to constitute a significant portion of all Tor nodes, wouldn't that invite additional scrutiny to anyone running Tor?
2. Re:Botnets and Tor by Ralph+Wiggam · 2013-09-05 05:25 · Score: 1
  
  [quote]I said a long time ago that the militarization of the internet would cause a lot of problem[/quote]
  The internet was created by the US military for military research. It hasn't become militarized. It always has been. They just allowed a billion civilians to use a miliary network and we all jumped on board.
3. Re:Botnets and Tor by IamTheRealMike · 2013-09-05 05:31 · Score: 4, Informative
  
  I believe you are making an incorrect assumption that these botnet nodes are actually relaying on behalf of the network. I've not seen any reason to believe this is correct. Rather than just act as normal clients of the Tor network - placing extreme load on existing relays.
  In fact, this botnet appears to be basically breaking Tor with many node operators reporting that their relays cannot keep up. The Tor developers recently started developing code to prioritise the more efficient NTOR handshake over the older protocol, and because the botnet runs older code people who upgrade to the latest code (once they are finished) should take priority over the botnet traffic. Until the botnet also upgrades, of course.
  To make it worse, when a circuit fails to build because of overloaded relays, Tor retries. I'm not sure there's any kind of exponential backoff. Thus the network goes into a death spiral in which clients constantly try to build circuits and fail, placing even more load on the already overloaded system and making it impossible to recover.
  Unfortunately we may be looking at the end of Tor here, at least temporarily. The botnet operator doesn't seem to realise what's happening, otherwise they'd be backing off. Tor is effectively experiencing a massive, global, accidental denial of service attack by this botnet. Many relays don't have enough CPU power to weather the circuit storms. It will be very interesting to see what the Tor developers do next - they don't have any effective way to fight off this botnet because almost by design they can't detect or centrally control the network. They practically have to ask nicely for the operators to go away.
4. Re:Botnets and Tor by SydShamino · 2013-09-05 05:32 · Score: 1
  
  The good news is that although the botnet itself is bad, the number of connections and extra clients improves Tor security overall for all the other users.
  And how does it do that? Suppose your traffic is routed through 3 hops on Tor, from your entry point to exit. Suppose that all 3 of those hops are controlled by the same botnet operator. That operator now knows who you are and what you did. Note that "quadrupled clients" = "3 out of 4 clients are bots" and the odds of your whole path going through the same operator's equipment is very high.
  
  --
  It doesn't hurt to be nice.
5. Re:Botnets and Tor by bragr · 2013-09-05 05:33 · Score: 4, Informative
  
  >The good news is that although the botnet itself is bad, the number of connections and extra clients improves Tor security overall for all the other users. The thing is, the more relays, the more connections, the larger the network... the faster and more secure it is.
  That isn't what is happening here. The new connections are clients only so they aren't acting as relays or exit nodes. Tor network stats actually show a slight drop in performance. However, the increased number of clients does probably make correlation attacks harder, if the NSA or someone else is actually doing those.
6. Re:Botnets and Tor by girlintraining · 2013-09-05 05:42 · Score: 4, Interesting
  
  If the NSA or someone else is actually doing those.
  If? You don't "If" in security. You assume you're already compromised, that the attacker is well-financed and has total knowledge of the network, etc. And yes, the NSA "or someone" is most definately doing it. Just not to you. We know you browse for porn using Tor... and that you've visited the Silk Road just to see what the hubabub was about. Aaaaand... nobody cares.
  Besides, the hidden service protocol has a massive glitch; namely that it's a limited keyspace and the database is decentralized and distributed. They know what all the hidden services are... and you can too if you're sufficiently motivated.
  And most of them aren't anything of value.
  
  --
  #fuckbeta #iamslashdot #dicemustdie
7. Re:Botnets and Tor by aaaaaaargh! · 2013-09-05 05:46 · Score: 1
  
  The good news is that although the botnet itself is bad, the number of connections and extra clients improves Tor security overall for all the other users.
  Not necessarily. As it seems that the CIA can print their own money, they could try to purchase massive amounts of botnet nodes in order to attack TOR's anonymity should the need arise.
8. Re:Botnets and Tor by Valdrax · 2013-09-05 06:12 · Score: 2
  
  I said a long time ago that the militarization of the internet would cause a lot of problems... and that we had no business developing an offensive cyber-military because it would just encourage others to begin an arms race that would lead to major economic and communications instabilities worldwide. It hasn't gotten that far yet, but it's building to that. Our own aggressive stance has created yet another fucking cold war.
  The nitpicker in me wants to say "remilitarization," since the Internet started as a military resource, but that's not what's important.
  What's important is that this was inevitable. From the very dawn of the public gaining access to the internet, there were already viruses and worms. Decades before there ever even was an internet, our SF writers were telling tales of computer intrusion and privatized cyber-warfare. The internet provides access to infrastructure and documents that previously required physical breaking and entering to get access to at high-risk to the parties doing the espionage, theft, sabotage, etc. Hackers can strike from the other side of the world without even leaving their homes. Not only was it utterly inevitable that private actors and corporate actors would exploit this, but it was also inevitable that state actors would to.
  Yeah, it's perhaps a little sad, but that how politics / war / diplomacy are.
  
  --
  If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
9. Re:Botnets and Tor by gl4ss · 2013-09-05 06:12 · Score: 1
  
  ..wouldn't it make sense for them to add relaying though? otherwise it would be trivial to filter their traffic out.
  
  --
  world was created 5 seconds before this post as it is.
10. Re:Botnets and Tor by Zontar+The+Mindless · 2013-09-05 06:41 · Score: 1
  
  Forgive me if this is a silly question, but...
  On what basis do you assume
  (a) that the operators of this botnet do not know exactly what they're doing, and
  (b) that this is not a deliberate attempt to break Tor?
  
  --
  Il n'y a pas de Planet B.
11. Re:Botnets and Tor by girlintraining · 2013-09-05 06:51 · Score: 1
  
  I believe you are making an incorrect assumption that these botnet nodes are actually relaying on behalf of the network. I've not seen any reason to believe this is correct.
  
  And no reason to believe it's incorrect either. If the bot operator was smart, he'd setup at least part of his botnet to do relays as this would allow the bot's own traffic to mingle with the network's, and keep the network from crashing as more bots are added. If the operator manages to bring down Tor, he's shot himself in the foot as well. A client-only configuration is a mistake that someone unfamiliar with distributed computing might make in this scenario; Not dissimilar to a similar mistake made by the first worm created on the internet... the designer did not anticipate exponential growth. Exponential growth is a typical quality of bot nets; They start out slow, then grow exponentially, then plateau until an effective countermeasure is created to clean the machines and/or the attack vector becomes immune.
  Many botnets offer their own exit-node like capabilities -- this is one of the services many of them sell; Proxying and DDoS attacks. I find it difficult to believe an experienced engineer would make this mistake... but I'll grant you that this may be an inexperienced one who knows just enough to shoot himself in the foot.
  
  It will be very interesting to see what the Tor developers do next - they don't have any effective way to fight off this botnet because almost by design they can't detect or centrally control the network.
  
  The Tor developers will do nothing. This is all on the exit node operators; And likely, they will do what has been done in the past; Traffic analysis and watching for patterns, then blocking traffic that appears to be from the bot.
  Here's the thing; The bots can communicate with one another and the C&C through Tor -- this is likely all they wanted. But to do that, they're going to need to establish a hidden service. Hidden services only broadcast to a few relays, which as the botnet grows, will move to higher and higher bandwidth relays. There are only a few such relays on the Tor network capable of acting as a directory service for the command and control; And those relays will know the true IP address of the hidden service provider.
  It's just a matter of time -- you need to infiltrate the relays with the highest available bandwidth and then just wait. The bot herder will come to you. It's by network design. And then he's fucked.
  
  --
  #fuckbeta #iamslashdot #dicemustdie
12. Re:Botnets and Tor by santosh.k83 · 2013-09-05 06:58 · Score: 1
  
  And commercialisation too. In fact it might even be a major driving force behind militarisation. If we'd kept the Internet solely restricted to free information sharing, and forbidden monetisation of it in any form, we wouldn't be in this escalating mess now, but then it wouldn't appeal to "consumers" would it?
13. Re:Botnets and Tor by girlintraining · 2013-09-05 07:12 · Score: 2
  
  What's important is that this was inevitable. From the very dawn of the public gaining access to the internet, there were already viruses and worms.
  
  A fair assessment. However, global warming was also inevitable, but that doesn't mean we should just throw the helve after the hatchet. Bot nets were, until the government stepped in, largely being organized by small groups of people who stuck to the same pattern of programming and with similar goals: Either blackmail, identity theft, or similar methods of leveraging computational resources for profit (like bitcoin mining).
  While they were and continue to increase in complexity, it was still an iterative process and innovation was staggered. However, what happens when the government started pouring billions into this little corner of the dark net, all hell broke loose. You've got strong cryptography, true decentralized p2p emerging, new protocols, and diversification of exploit architecture -- and a lot more people and resources being devoted to this. As a result, it's become an arms race.
  Look at it this historically;
  Whenever we've advanced technology, whether it's nuclear weapons, stealth technology, drones, etc., other governments rush to copy it to maintain an edge. The leader sets the pace for all the others. You're not going to run as fast as you possibly can if everyone else is at a trot -- you're going to save your strength for that final push. Unless, of course, someone else has a faster pace... in which case you need to step it up too.
  The problem is, the US government, by creating its own cyberwarfare army and massive botnets, have opted for a policy of trying to go at a dead run and hope they get far enough ahead that by the time they get across the finish line, they can fortify the position and keep anyone else from doing it again -- not unlike the nuclear arms race. Which might work if cyberwarfare required the same outlay of resources and visibility to others. But neither is true --
  Surveillance of the entire internet isn't enough to stop cyberwarfare, or accurately identify participants in the theatre. Not if they're smart. And because there's so many players, it's unlikely any of them will get enough of an edge over any other to make it anything but an unending series of mexican standoffs.
  And then there's the unstable elements -- these aren't just nation states playing high stakes poker with nuclear weapons. We've got drug dealers, gangs, and all manner of scum running at similar capacity. They don't have the same rules of engagement... and they'd only be too happy to let two of the big players blow themselves to hell so they can step in and profit.
  Our entire strategy is fucked. Totally and completely. We shouldn't have set the tempo of cyberwarfare so fast -- not when the stakes are so high and our defenses so unreasonably low. If the internet crashes, the world economy crashes. And our government doesn't seem to give a damn, as long as they have the biggest red button.
  
  --
  #fuckbeta #iamslashdot #dicemustdie
14. Re:Botnets and Tor by Dishevel · 2013-09-05 07:34 · Score: 1
  
  I said a long time ago that the militarization of the internet would cause a lot of problems
  So. Did you say that prior to 1969?
  
  --
  Why is it so hard to only have politicians for a few years, then have them go away?
15. Re:Botnets and Tor by IamTheRealMike · 2013-09-05 08:46 · Score: 1
  
  Because if you RTFA you will see that they reverse engineered the botnet and found that it's trying to contact a C&C server, what's more, this bot has a history of using Tor for receiving commands. It's obviously not a deliberate attempt to wreck Tor.
16. Re:Botnets and Tor by IamTheRealMike · 2013-09-05 08:50 · Score: 2
  
  No offence, but there absolutely is reason to believe you're incorrect. The reasons are in the Tor mailing lists which I've been keeping up with for the past few weeks.
  Firstly, exit traffic has hardly moved, despite massive increase in Tor usage overall. This is consistent with the bots getting instructions from a hidden service. So exit node operators can't do much here.
  Secondly, the whole point of the hidden service protocol is that relays don't know the IP of the hidden service. That's why there are rendezvous nodes that join user and service together via two 3-hop circuits. De-anonymizing such a service is very hard and requires you to control large numbers of nodes over a period of many months, according to the latest research. It's not something the Tor community can just do.
  If you think you know of a slick way to resolve this problem, I suggest taking it to the Tor developers, because all the evidence I see from their lists is that right now they don't have any great ideas.
17. Re:Botnets and Tor by thoromyr · 2013-09-05 09:05 · Score: 1
  
  your evidence does suggest that it is not deliberate -- but your evidence also describes a way to obfuscate a denial of service attack against Tor. And I can certainly see the appeal in eliminating Tor. It isn't what I would do* but it seems at least plausible.
  Just a thought. I'd guess you to be right in the assessment, just acknowledging it as a probability.
  * I'd setup enough exit nodes to conduct an attack against anonymity and record traffic for cracking, with priority based on other intelligence and the removal of anonymity -- cracking doesn't have to be real time and intelligence agencies have at times spent years on efforts to crack targeted communications.
18. Re:Botnets and Tor by ae1294 · 2013-09-06 06:31 · Score: 1
  
  What if each bot rand() picks control servers and load balances? With computers coming on and off commands will still spread over time between control nods with newer commands overriding older commands. It's a tricky thing to get right but you could also have zombies rand() pick to become control nodes but you would need feedback I'd think, which I guess you could get by seeing how long commands take to spread and adjusting a variable in each zombie. Then you would have something that is almost a living thing that decides weather to use this part of the botnet control circuit or another or become one and serve commands. You would need to be sure to use really good pub/private key setup to keep control but it seems like something you could use a network simulator to test before you jump to the Internet. You log in to one of the control servers you know and it updates your database with new ones and you give commands that spread out with systems coming on and off (maybe forced reboots after x hours?) by using random choice you rely on statistic's and probabilities. I guess the last thing I'd add would be a fall back mode if a zombie can't find a control node. Probably a few.... but you just need to find that magic rand(0-???) to balance it and then using random ping like checks it could self balance. I'd worry about researchers hacking my code to try and become control nodes but you could use blacklisting and lots of things to retain control. I mean firstly they might be able to take over one area but you would have hundreds of area's to attack and the author could figure out what was going on and change the software revoke keys, etc. It would be a full out battle where no one could take out your whole network at once and in fact you could attack anyone trying with DDOS to make them think twice....
Re:I've been waiting for this for a while by GameboyRMH · 2013-09-05 05:12 · Score: 1

It's just because of the effort/reward ratio. If black hats were willing to put more effort in and could get more reward out, they'd write malware like the NSA does.

--
"When information is power, privacy is freedom" - Jah-Wren Ryel
Re:I've been waiting for this for a while by biodata · 2013-09-05 05:26 · Score: 1

So this is probably the NSA botnet they've been bragging about you think?

--
Korma: Good
What happens next by ThatsNotPudding · 2013-09-05 05:49 · Score: 2

The thing is, the more relays, the more connections, the larger the network... the faster and more secure it is. If all the botnet does is setup relays, it's a win for the Tor network. Of course, it isn't going to just do that, and these aren't authorized relays so it's not exactly occupying the moral high ground here. The machines hosting the bot need scrubbed.
The obvious reaction by governments (mainly fearing their peoples right to privacy) will be to make it a harsh criminal offense to even dare run a Tor client. Problem solved.
Re:I've been waiting for this for a while by GameboyRMH · 2013-09-05 06:36 · Score: 1

The NSA botnet wouldn't normally use darknets, that's likely to trigger an IDS or firewall alert. It would use their network of zombie machines with "plain-looking" addresses unless it's attacking a network that normally has darknet traffic going on.

--
"When information is power, privacy is freedom" - Jah-Wren Ryel
I'm probably the only one by SleazyRidr · 2013-09-05 06:38 · Score: 1

The first time I read the headline I skipped over Tor, and interpreted it as vehicular traffic, thinking that there must have been a botnet preventing people from telecommuting meaning that they were all driving to work.

--
Is 1563649 a prime number?
It's not Mevade by FhnuZoag · 2013-09-05 06:39 · Score: 2

Here, look at this:
Pull up a google search:
http://www.vir.us.com/delete-trojanwin32mevade-b-user-guide-to-remove-trojanwin32mevade-b
> Countries Affected: Germany, USA, China, Switzerland, Canada etc.
Now look at the Tor user numbers from China:
https://metrics.torproject.org/users.html?graph=userstats-relay-country&start=2013-06-01&end=2013-08-30&country=cn#userstats-relay-country
Why is Mevade creating Tor traffic from places as tiny as Vatican city, and having zero impact from China? When apparently China *is* affected by the botnet, and if past knowledge is any indicator, is probably the world capital of malware?
It doesn't add up.
1. Re:It's not Mevade by Anonymous Coward · 2013-09-05 06:51 · Score: 2, Informative
  
  It doesn't add up.
  Sure it does - China blocks tor, so you won't see an increase in the numbers coming form there unless they are using the obfs stuff too (which they are not). I would assume you see a similar lack of increase in other countries that are in the "block-for-arms-race".
2. Re:It's not Mevade by FhnuZoag · 2013-09-05 07:04 · Score: 1
  
  Does Israel block tor?