Large botnet cause of recent Tor network overload

Blog 3 Minutes

Recently, Roger Dingledine described a sudden increase in Tor users on the Tor Talk mailinglist. To date there has been a large amount of speculation as to why this may have happened. A large number of articles seem to suggest this to be the result of the recent global espionage events, the evasion of the Pirate Bay blockades using the PirateBrowser or the Syrian civil war.

At the time of writing, the amount of Tor clients actually appears to have more than quintupled already. The graph shows no signs of a decline in growth, as seen below:

Tor Metrics

An alternative recurring explanation is the increased usage of botnets using Tor, based on the assertion that the increase appears to consist of mostly new users to Tor that apparently are not doing much given the limited impact on Tor exit performance. In recent days, we have indeed found evidence which suggests that a specific and rather unknown botnet is responsible for the majority of the sudden uptick in Tor users. A recent detection name that has been used in relation to this botnet is “Mevade.A”, but older references suggest the name “Sefnit”, which dates back to at least 2009 and also included Tor connectivity. We have found various references that the malware is internally known as SBC to its operators.

SBC Panel

Previously, the botnet communicated mainly using HTTP as well as alternative communication methods. More recently and coinciding with the uptick in Tor users, the botnet switched to Tor as its method of communication for its command and control channel. The botnet appears to be massive in size as well as very widespread. Even prior to the switch to Tor, it consisted of tens of thousands of confirmed infections within a limited amount of networks. When these numbers are extrapolated on a per country and global scale, these are definitely in the same ballpark as the Tor user increase.

Thus one important thing to note is that this was an already existing botnet of massive scale, even prior to the conversion to using Tor and .onion as command and control channel.

As pointed out in the Tor weekly news, the version of Tor that is used by the new Tor clients must be 0.2.3.x, due to the fact that they do not use the new Tor handshake method. Based on the code we can confirm that the version of Tor that is used is 0.2.3.25.

Tor Module Analysis

The malware uses command and control connectivity via Tor .onion links using HTTP. While some bots continue to operate using the standard HTTP connectivity, some versions of the malware use a peer-to-peer network to communicate (KAD based).

Typically, it is fairly clear what the purpose of malware is, such as banking, clickfraud, ransomware or fake anti-virus malware. In this case however it is a bit more difficult. It is possible that the purpose of this malware network is to load additional malware onto the system and that the infected systems are for sale. We have however no compelling evidence that this is true, so this assumption is merely based on a combination of small hints. It does however originate from a Russian spoken region, and is likely motivated by direct or indirect financial related crime.

This specific version of the malware, which includes the Tor functionality, will install itself in:

%SYSTEM%\config\systemprofile\Local Settings\Application Data\Windows Internet Name System\wins.exe

Additionally, it will install a Tor component in:

%PROGRAMFILES%\Tor\Tor.exe

A live copy for researchers of the malware can be found at:

hxxp://olivasonny .no-ip .biz /attachments/tc.c1

This location is regularly updated with new versions.

Related md5 hashes:

2eee286587f76a09f34f345fd4e00113 (August 2013)
c11c83a7d9e7fa0efaf90cebd49fbd0b (September 2013)

Related md5 hashes from non-Tor version:

4841b5508e43d1797f31b6cdb83956a3 (December 2012)
4773a00879134a9365e127e2989f4844 (January 2013)
9fcddc45ae35d5cdc06e8666d249d250 (February 2013)
b939f6ef3bd292996f97aa5786757870 (March 2013)
47c8b85a4c82ed71487deab68de196ba (March 2013)
3e6eb9f8d81161db44b4c4b17763c46a (April 2013)
a0343241bf53576d18e9c1329e6a5e7e (April 2013)

Thank you to our partners for the help in investigating this threat.

ProtACT Team & InTELL Team

Published

74 thoughts on “Large botnet cause of recent Tor network overload

  1. Pingback: Cyber-thieves blamed for leap in Tor dark net use | ss_site_title
  2. Pingback: Cyber-thieves blamed for leap in Tor dark net use | Udaku Zone | Chanzo Cha Udaku Wote
  3. Pingback: Cyber-thieves blamed for leap in Tor dark net use - Habari Za Michezo - Habari Za Michezo
  4. Pingback: Cyber-crime responsible for huge rise in Tor use | ITProPortalITProPortal.com
  5. Pingback: Tor Anonymizing network overload caused by Mevade Botnet | My great WordPress blog
  6. Pingback: Mevade botnet responsible for the spike in Tor traffic | Cyber Defense Magazine
  7. Pingback: Cyber-thieves blamed for leap in Tor dark net use | Habari Michezo
  8. Pingback: ← DNS takeover redirects thousands of websites to malware Large botnet cause of recent Tor network overload | School of Privacy
  9. Pingback: Tor-veksten fortsetter Men det skyldes ikke vanlige brukere. | Kommentarfeltet
  10. Pingback: Cyber-thieves blamed for leap in Tor dark net use | Sports
  11. Pingback: anubis | Unknown DGA14 – The Mevade Connection
  12. Pingback: Tor anonymity: how it works and how to use it | Doug Vitale Tech Blog
  13. Pingback: The Mysterious Mevade Malware | IT Security
  14. Pingback: Linux Outlaws 321 – You Just Turned This into a Bloodbath | Sixgun Productions
  15. Pingback: Hidden click fraud botnet uncovered
  16. Pingback: Ссылка: рост числа пользователей Tor из-за ботнетов
  17. Pingback: The Mysterious Mevade Malware | Cyber security labs by Cipher Net AB
  18. Pingback: Internet-Anonymisierungsdienst: Tor unter Beschuss | TokNok Deutschland
  20. Pingback: Czy zbliża się wielkie, globalne “wydarzenie”? Połączmy fakty « Portal Jarka Kefira
  21. Pingback: Surge in Tor traffic is caused by Mevade botnet « SecurEncrypt - HIPAA/HITECH File Encryption Software SecurEncrypt – HIPAA/HITECH File Encryption Software
  22. Pingback: Osary Computing Security researchers at Fox-IT firm found evidence that the spike in Tor traffic is caused by a Mevade botnet that hides its C&C in the anonymizing network. » Osary Computing
  23. Pingback: Cyber-thieves blamed for leap in Tor dark net use | VCS Trusted Network

  25. To answer this question it requires full insight into all the infection vectors. However it is safe to say that the infection vector is something which affects “western” countries more than others. But as those 7 countries are the largest western countries in terms of population, it is safe to assume the other western countries are equally affected.

    As China actively blocks Tor it is seemingly unaffected by the Tor variant (reality is it simply cannot communicate over Tor). Some other countries are for some reason not impacted so much by this, one surprising one is South Korea, culturally similar to Japan, but typically also affected by numerous botnets. There are a couple of other interesting countries where seemingly the amount of connecting clients is very low.

  26. A large part of it is actually the built in Tor client. Not sure why I would be interested in memory usage though, so I really have no idea 🙂

  28. Pingback: Cyber-thieves blamed for leap in Tor dark net use | Contingent Security Services, Ltd.
  29. Pingback: Tor Bot Net over 3 million strong | USCyberLabs
  30. Pingback: Plötzlicher Anstieg der Tor-Nutzerzahlen geklärt - ComputerBase
  31. Pingback: Nutzeranstieg im Tor-Netz durch Botnet verursacht | Klaus Ahrens: News, Tipps, Tricks und Fotos
  32. Pingback: ste williams – Malware culprit fingered in mysterious Tor traffic spike
  33. Pingback: Botnetz verursachte Zunahme von TOR-Traffic | ZDNet.de
  34. Pingback: Sekretarz Homeland Security ostrzega przed potężnym cyberatakiem. Połączmy kilka faktów. “Zbliża się wielka katastrofa..” « Portal Jarka Kefira
  35. Pingback: Tor Anonymizing network overload caused by Mevade Botnet | Hacking with New Ideas
  36. Pingback: Mevade botnet responsible for the traffic spike in Tor network
  37. Pingback: Tor-veksten fortsetter Men det skyldes ikke vanlige brukere.

  39. Hope that the dark net runs smooth again. Makes no fun to shop at Silk Road Anonymous Marketplace with a slow connection.

  40. Pingback: Huge Botnet Found Using Tor Network for Communications | infosec360

  41. These attacks are limited to Windows platforms.

    The only viable end to such vulnerabilities is to wean business off of it’s addiction to all things Microsoft and replace these critical systems with Linux and Mac OS X. These alternatives have been proven to be steadfastly resistant to such wholesale attacks.

  42. Pingback: NSA Attacks Encryption – WSWiR Episode 76 | WatchGuard Security Center

  43. The link you posted, is that the entire thing or is it a downloader? If it’s the former I’d imagine it’s quite a large binary for a trojan. What’s the memory usage like?

  44. Pingback: IT-Security-Links – Week 36 | SWITCH Security-Blog
  45. Pingback: La cyberguerra sbarca su Tor - Giornalettismo
  46. Pingback: TOR : Un malware responsable de la brusque croissance du réseau | UnderNews
  47. Pingback: The Mysterious Mevade Malware | Virus / malware / hacking / security news
  48. Pingback: A Russian Botnet Is Attacking The Secret Internet For Criminals — And No One Knows Why
  49. Pingback: Izardnet | Sudden spike of Tor users likely caused by one “massive” botnet
  50. Pingback: Huge Botnet Found Using Tor Network for Communications « Cyber Security Aid
  51. Pingback: The Mysterious Mevade Malware | Security Intelligence Blog | Trend Micro
  52. Pingback: The Anonymous Internet Is Under Attack | Gizmodo Australia
  53. Pingback: Tor Traffic Surge: ‘SBC’ Botnet To Blame? | Malwarebytes Unpacked
  54. Pingback: В сети Tor наблюдается серьёзная перегрузка. Пользователям рекомендован переход на Tor 0.2.4 | AllUNIX.ru — Всероссийский портал о UNIX-система
  55. Pingback: Servidores de Tor podem estar em perigo - Boa Informação
  56. Pingback: To δίκτυο Tor απειλείται (και πάλι) | ndot - Βάλε τελεία στην ενημέρωση σου
  57. Pingback: » Sudden spike of Tor users likely caused by one “massive” botnet - OnlineExamsForU
  58. Pingback: Huge Botnet Found Using Tor Network for Communications | Threatpost
  59. Pingback: L’explosion de l’usage de Tor provient en réalité… d’un botnet | Tifritine
  60. Pingback: Sudden spike of Tor users likely caused by one “massive” botnet | Kronosim
  61. Pingback: Botnet likely caused spike in number of Tor clients | Alternative News Alert!
  62. Pingback: EGO2ECO The sustianable intellectual & material luxury life style Sudden spike of Tor users likely caused by one “massive” botnet
  63. Pingback: To δίκτυο Tor απειλείται (και πάλι) - Inside News! - Inside News!
  64. Pingback: Sudden spike of Tor users likely caused by one “massive” botnet | RSS Feeds die Dennis graag leest
  65. Pingback: To δίκτυο Tor απειλείται (και πάλι) | Digital Life
  68. Pingback: A Russian Botnet Is Attacking The Secret Internet For Criminals — And No One Knows Why | This Is Jah Smith DOT com
  69. Pingback: A Russian Botnet Is Attacking The Secret Internet For Criminals — And No One Knows Why | Lord of the Net
  70. Pingback: A Russian Botnet Is Attacking The Secret Internet For Criminals — And No One Knows Why | Digital Wealth
  72. Pingback: Zagadka ogormnego wzrostu liczby użytkowników sieci TOR wyjaśniona | Zaufana Trzecia Strona
  73. Pingback: Large botnet cause of recent Tor network overload | Rocketboom

Leave a Reply

Your email address will not be published. Required fields are marked *