Slashdot Mirror


Security Company Attributes Tor Traffic Surge To Botnet

hypnosec writes "A cyber defense and IT security company has claimed that the reason behind the recent surge in the number of clients connecting to Tor is in fact a relatively unknown botnet and not the NSA or genuine adoption of Tor. In late August there was a huge increase in Tor network traffic and in the number of clients connecting to the Tor network. As of this writing the number of connections has quadrupled, with over 2,500,000 clients connecting to the network. According to Fox-it, the surge in traffic is because of a botnet dubbed 'Mevade.A,' which is known to have Tor connectivity features. The company noted that the botnet may have links to a previously detected botnet dubbed 'Sefnit,' which also featured Tor connectivity. Fox-it claimed that they have found 'references that the malware is internally known as SBC to its operators.'"

18 of 55 comments

  1. I, for one, welcome our bot overlords by stewsters · · Score: 4, Insightful

    The more peers and traffic, the better anonymity. If some of those peers are grandmas with 50 toolbars rather than paranoid crypto-nerds, we are better off.

    1. Re:I, for one, welcome our bot overlords by Anonymous Coward · · Score: 5, Insightful

      Until you're going through mostly peers that are controlled by one entity (botnet herder), which allows them to conduct various attacks against tor's anonymity, not to mention sniffing data from compromised exit nodes, increasing the public perception that tor is for "bad stuff", etc.

    2. Re:I, for one, welcome our bot overlords by stewsters · · Score: 2

      This is true, but as we have learned this year the NSA already captures all encrypted traffic they can get their hands on. If the US, UK, German, Australian governments do it, I'm guessing they aren't the only country or organization that tap their civilians' communications.

      A botnet created by a virus is not a particularly great advantage for collecting that information, as it still needs to deposit it to a central server somewhere, and governments already have tapped the lines when it is transmitted in the clear. If they have software on the computers of people, it could be analyzed and they could find what information it was sending back.

      Most of the actual messages oppressive governments want to find will be sent within hidden sites in the darknet rather than out of it. Noise makes tracing of these harder.

    3. Re:I, for one, welcome our bot overlords by lgw · · Score: 2

      Criminals become governments when the criminals are so successful that the only way they can take more from a region in the long term is to protect the region and help the economy to grow. This happens quite often throughout history - it's probably the norm, not the exception, for government formation across history.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  2. Re:Yes but by lart2150 · · Score: 3, Interesting

    It was an upgrade to the botnet that switched it from normal networking to going over tor for command and control.

  3. Botnets and Tor by girlintraining · · Score: 4, Interesting

    Well, I have good news and bad news... the bad news is that this has been a long time coming, and now it's here. The good news is that although the botnet itself is bad, the number of connections and extra clients improves Tor security overall for all the other users. The thing is, the more relays, the more connections, the larger the network... the faster and more secure it is. If all the botnet does is set up relays, it's a win for the Tor network. Of course, it isn't going to just do that, and these aren't authorized relays so it's not exactly occupying the moral high ground here. The machines hosting the bot need scrubbed.

    But this also introduces a wrinkle -- the US government, and likely others, also maintain their own botnets. And they actively seek to shut down other people's botnets, through domain seizure, etc. This would seem to be a reaction to those efforts -- that is, by decentralizing and hiding the command and control, they're effectively adapting to the tactics our military is using on the internet.

    I said a long time ago that the militarization of the internet would cause a lot of problems... and that we had no business developing an offensive cyber-military because it would just encourage others to begin an arms race that would lead to major economic and communications instabilities worldwide. It hasn't gotten that far yet, but it's building to that. Our own aggressive stance has created yet another fucking cold war.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Botnets and Tor by IamTheRealMike · · Score: 4, Informative

      I believe you are making an incorrect assumption that these botnet nodes are actually relaying on behalf of the network. I've not seen any reason to believe this is correct. Rather, they just act as normal clients of the Tor network - placing extreme load on existing relays.

      In fact, this botnet appears to be basically breaking Tor with many node operators reporting that their relays cannot keep up. The Tor developers recently started developing code to prioritise the more efficient NTOR handshake over the older protocol, and because the botnet runs older code people who upgrade to the latest code (once they are finished) should take priority over the botnet traffic. Until the botnet also upgrades, of course.

      To make it worse, when a circuit fails to build because of overloaded relays, Tor retries. I'm not sure there's any kind of exponential backoff. Thus the network goes into a death spiral in which clients constantly try to build circuits and fail, placing even more load on the already overloaded system and making it impossible to recover.

      Unfortunately we may be looking at the end of Tor here, at least temporarily. The botnet operator doesn't seem to realise what's happening, otherwise they'd be backing off. Tor is effectively experiencing a massive, global, accidental denial of service attack by this botnet. Many relays don't have enough CPU power to weather the circuit storms. It will be very interesting to see what the Tor developers do next - they don't have any effective way to fight off this botnet because almost by design they can't detect or centrally control the network. They practically have to ask nicely for the operators to go away.
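      The retry dynamics described in the comment above (clients hammering overloaded relays, failing, and immediately retrying) can be made concrete with a small simulation. This is an added illustration, not code from the post and not Tor's actual circuit-building logic: it assumes a single relay with a fixed per-tick handshake budget, a constructed rule that each rejected request still costs the relay a fraction of a handshake, and two hypothetical client retry policies (retry next tick versus full-jitter exponential backoff). The numbers are made up for the demonstration.

```python
"""Constructed toy model of a circuit-build retry storm against one relay.

Assumptions (not Tor's real behaviour): per tick the relay can finish
`capacity` handshakes, and every request it must reject still costs it
`reject_cost` of a handshake, so an overloaded relay finishes even fewer.
"""
import random
from dataclasses import dataclass


@dataclass
class Result:
    completed: int     # clients that eventually built a circuit
    ticks: int         # ticks simulated until done, or max_ticks if never done
    peak_offered: int  # largest number of build attempts seen in a single tick


def immediate_retry(attempt: int, rng: random.Random) -> int:
    """Hypothetical policy: retry on the very next tick after every failure."""
    return 1


def jittered_backoff(attempt: int, rng: random.Random, cap: int = 64) -> int:
    """Hypothetical policy: full-jitter exponential backoff.

    After the n-th failure wait a uniform number of ticks in [1, min(2**n, cap)],
    so retries both grow apart and desynchronise across clients.
    """
    return rng.randint(1, min(2 ** attempt, cap))


def simulate(policy, clients=2000, capacity=100, reject_cost=0.1,
             max_ticks=2000, seed=7) -> Result:
    """Run every client against one relay until all have circuits or time runs out."""
    rng = random.Random(seed)
    next_try = [0] * clients      # tick at which each client next attempts a build
    attempts = [0] * clients      # failures so far per client
    done = [False] * clients
    completed = 0
    peak = 0
    for tick in range(max_ticks):
        waiting = [i for i in range(clients) if not done[i] and next_try[i] <= tick]
        offered = len(waiting)
        peak = max(peak, offered)
        if offered > capacity:
            # Rejections consume part of the budget that would have finished handshakes;
            # past a certain overload the relay finishes nothing at all.
            served = max(0, int(capacity - reject_cost * (offered - capacity)))
        else:
            served = offered
        rng.shuffle(waiting)      # the relay does not choose which requests arrive first
        for i in waiting[:served]:
            done[i] = True
            completed += 1
        for i in waiting[served:]:
            attempts[i] += 1
            next_try[i] = tick + policy(attempts[i], rng)
        if completed == clients:
            return Result(completed, tick + 1, peak)
    return Result(completed, max_ticks, peak)


if __name__ == "__main__":
    for name, policy in (("immediate retry", immediate_retry),
                         ("jittered backoff", jittered_backoff)):
        r = simulate(policy)
        print(f"{name:17s} completed={r.completed:4d} ticks={r.ticks:4d} "
              f"peak_offered={r.peak_offered}")
```

      With 2000 clients against a relay that can finish 100 handshakes per tick, the immediate-retry policy keeps the offered load at 2000 every tick, the relay's budget is eaten entirely by rejections, and not a single circuit is ever built: the "death spiral" from the comment. The backoff policy spreads the same clients out over time, so per-tick load eventually drops below the relay's capacity and every client gets a circuit. The model deliberately ignores multi-hop circuits and the fact that relays are also busy forwarding traffic, both of which make the real situation worse, not better.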

    2. Re:Botnets and Tor by bragr · · Score: 4, Informative

      >The good news is that although the botnet itself is bad, the number of connections and extra clients improves Tor security overall for all the other users. The thing is, the more relays, the more connections, the larger the network... the faster and more secure it is.

      That isn't what is happening here. The new connections are clients only so they aren't acting as relays or exit nodes. Tor network stats actually show a slight drop in performance. However, the increased number of clients does probably make correlation attacks harder, if the NSA or someone else is actually doing those.

    3. Re:Botnets and Tor by girlintraining · · Score: 4, Interesting

      > If the NSA or someone else is actually doing those.

      If? You don't "If" in security. You assume you're already compromised, that the attacker is well-financed and has total knowledge of the network, etc. And yes, the NSA "or someone" is most definitely doing it. Just not to you. We know you browse for porn using Tor... and that you've visited the Silk Road just to see what the hubbub was about. Aaaaand... nobody cares.

      Besides, the hidden service protocol has a massive glitch; namely that it's a limited keyspace and the database is decentralized and distributed. They know what all the hidden services are... and you can too if you're sufficiently motivated.

      And most of them aren't anything of value.

      --
      #fuckbeta #iamslashdot #dicemustdie
    4. Re:Botnets and Tor by Valdrax · · Score: 2

      > I said a long time ago that the militarization of the internet would cause a lot of problems... and that we had no business developing an offensive cyber-military because it would just encourage others to begin an arms race that would lead to major economic and communications instabilities worldwide. It hasn't gotten that far yet, but it's building to that. Our own aggressive stance has created yet another fucking cold war.

      The nitpicker in me wants to say "remilitarization," since the Internet started as a military resource, but that's not what's important.

      What's important is that this was inevitable. From the very dawn of the public gaining access to the internet, there were already viruses and worms. Decades before there ever even was an internet, our SF writers were telling tales of computer intrusion and privatized cyber-warfare. The internet provides access to infrastructure and documents that previously required physical breaking and entering to get access to, at high risk to the parties doing the espionage, theft, sabotage, etc. Hackers can strike from the other side of the world without even leaving their homes. Not only was it utterly inevitable that private actors and corporate actors would exploit this, but it was also inevitable that state actors would too.

      Yeah, it's perhaps a little sad, but that's how politics / war / diplomacy are.

      --
      If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
    5. Re:Botnets and Tor by girlintraining · · Score: 2

      > What's important is that this was inevitable. From the very dawn of the public gaining access to the internet, there were already viruses and worms.

      A fair assessment. However, global warming was also inevitable, but that doesn't mean we should just throw the helve after the hatchet. Bot nets were, until the government stepped in, largely being organized by small groups of people who stuck to the same pattern of programming and with similar goals: Either blackmail, identity theft, or similar methods of leveraging computational resources for profit (like bitcoin mining).

      While they were and continue to increase in complexity, it was still an iterative process and innovation was staggered. However, when the government started pouring billions into this little corner of the dark net, all hell broke loose. You've got strong cryptography, true decentralized p2p emerging, new protocols, and diversification of exploit architecture -- and a lot more people and resources being devoted to this. As a result, it's become an arms race.

      Look at it historically:
      Whenever we've advanced technology, whether it's nuclear weapons, stealth technology, drones, etc., other governments rush to copy it to maintain an edge. The leader sets the pace for all the others. You're not going to run as fast as you possibly can if everyone else is at a trot -- you're going to save your strength for that final push. Unless, of course, someone else has a faster pace... in which case you need to step it up too.

      The problem is, the US government, by creating its own cyberwarfare army and massive botnets, have opted for a policy of trying to go at a dead run and hope they get far enough ahead that by the time they get across the finish line, they can fortify the position and keep anyone else from doing it again -- not unlike the nuclear arms race. Which might work if cyberwarfare required the same outlay of resources and visibility to others. But neither is true --

      Surveillance of the entire internet isn't enough to stop cyberwarfare, or accurately identify participants in the theatre. Not if they're smart. And because there's so many players, it's unlikely any of them will get enough of an edge over any other to make it anything but an unending series of Mexican standoffs.

      And then there's the unstable elements -- these aren't just nation states playing high stakes poker with nuclear weapons. We've got drug dealers, gangs, and all manner of scum running at similar capacity. They don't have the same rules of engagement... and they'd only be too happy to let two of the big players blow themselves to hell so they can step in and profit.

      Our entire strategy is fucked. Totally and completely. We shouldn't have set the tempo of cyberwarfare so fast -- not when the stakes are so high and our defenses so unreasonably low. If the internet crashes, the world economy crashes. And our government doesn't seem to give a damn, as long as they have the biggest red button.

      --
      #fuckbeta #iamslashdot #dicemustdie
    6. Re:Botnets and Tor by IamTheRealMike · · Score: 2

      No offence, but there absolutely is reason to believe you're incorrect. The reasons are in the Tor mailing lists which I've been keeping up with for the past few weeks.

      Firstly, exit traffic has hardly moved, despite massive increase in Tor usage overall. This is consistent with the bots getting instructions from a hidden service. So exit node operators can't do much here.

      Secondly, the whole point of the hidden service protocol is that relays don't know the IP of the hidden service. That's why there are rendezvous nodes that join user and service together via two 3-hop circuits. De-anonymizing such a service is very hard and requires you to control large numbers of nodes over a period of many months, according to the latest research. It's not something the Tor community can just do.

      If you think you know of a slick way to resolve this problem, I suggest taking it to the Tor developers, because all the evidence I see from their lists is that right now they don't have any great ideas.

  4. What happens next by ThatsNotPudding · · Score: 2

    > The thing is, the more relays, the more connections, the larger the network... the faster and more secure it is. If all the botnet does is setup relays, it's a win for the Tor network. Of course, it isn't going to just do that, and these aren't authorized relays so it's not exactly occupying the moral high ground here. The machines hosting the bot need scrubbed.

    The obvious reaction by governments (mainly fearing their people's right to privacy) will be to make it a harsh criminal offense to even dare run a Tor client. Problem solved.

  5. Re:Yes but by Anonymous Coward · · Score: 4, Informative

    > What caused the spike? That's the worrying fact I think.

    The summary is, as has been usual for some time, not entirely accurate. While the number of Tor users spiked, the actual traffic on the Tor network did not increase much at all.
    This was specifically mentioned in the original article and discussed here previously.

    This story is about a security company claiming the rise in users was a botnet which switched its command-and-control traffic to Tor from open HTTP. Which is kind of smart in that it makes it much harder to pick apart the botnet to take down the command servers, or hijack the botnet. But on the other hand it makes it a LOT easier for researchers to estimate the size of the botnet. And in my mind, the more worrisome aspect is that some company or government might use this as an excuse to start blocking or taking other action against Tor traffic in general.

  6. It's not Mevade by FhnuZoag · · Score: 2

    Here, look at this:

    Pull up a google search:

    http://www.vir.us.com/delete-trojanwin32mevade-b-user-guide-to-remove-trojanwin32mevade-b
    > Countries Affected: Germany, USA, China, Switzerland, Canada etc.

    Now look at the Tor user numbers from China:

    https://metrics.torproject.org/users.html?graph=userstats-relay-country&start=2013-06-01&end=2013-08-30&country=cn#userstats-relay-country

    Why is Mevade creating Tor traffic from places as tiny as Vatican city, and having zero impact from China? When apparently China *is* affected by the botnet, and if past knowledge is any indicator, is probably the world capital of malware?

    It doesn't add up.

    1. Re:It's not Mevade by Anonymous Coward · · Score: 2, Informative

      > It doesn't add up.

      Sure it does - China blocks tor, so you won't see an increase in the numbers coming from there unless they are using the obfs stuff too (which they are not). I would assume you see a similar lack of increase in other countries that are in the "block-for-arms-race".

  7. Re:Yes but by FhnuZoag · · Score: 2

    Read between the lines. An *IT security company* (which includes protecting against malware and botnets) wrote a press release saying that the recent increase in Tor traffic is due to something it coincidentally provides a service protecting against.

    This is a piece of advertising.

  8. Re:Yes but by brit74 · · Score: 2

    Indeed. This is why I only get my computer security news from cattle ranchers and Eskimos. They have no vested interest.