A significant uptick in Tor usage was not caused by genuine users, but by a massive botnet, according to security experts.
Some had speculated that users were rapidly adopting Tor in response to Edward Snowden's leaks about mass surveillance. Others attributed the rise to activity in Syria or to the Pirate Bay's launch of its Pirate Browser.
But researchers now believe the cause is Mevade, a botnet that previously used plain HTTP for command-and-control (C2) traffic and recently switched to communicating over Tor.
“The botnet appears to be massive in size as well as very widespread. Even prior to the switch to Tor, it consisted of tens of thousands of confirmed infections within a limited amount of networks,” said Fox-IT in a blog post.
“When these numbers are extrapolated on a per country and global scale, these are definitely in the same ballpark as the Tor user increase.
“It is possible that the purpose of this malware network is to load additional malware onto the system and that the infected systems are for sale. We have however no compelling evidence that this is true, so this assumption is merely based on a combination of small hints.
“It does, however, originate from a Russian-speaking region, and is likely motivated by direct or indirect financial related crime.”
Trend Micro said the perpetrators operate from Kharkov, Ukraine, and from Israel, and have been active since at least 2010. The Mevade malware was seen downloading a Tor module in the last few weeks.
But the crooks behind the operation have not been so smart about hiding their tracks, said Trend Micro senior threat researcher Feike Hacquebord.
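A C2 switch from HTTP to Tor leaves a distinctive shape in a network's own flow records: many hosts contact Tor infrastructure for the first time on the same day, and the hosts doing so are the ones that were previously talking to the old HTTP C2 server. The following detection sketch is an added example, not code from the article, Fox-IT or Trend Micro. It assumes a defender-maintained list of Tor relay/directory addresses (RFC 5737 documentation addresses stand in for real ones here), a hypothetical old C2 address, and constructed flow records of the form (day, src_host, dst_ip, dst_port); the thresholds are illustrative.

```python
"""Detection sketch for a botnet that moves its C2 onto Tor.

Added example, not code from the article or from Fox-IT / Trend Micro. It
runs over constructed, simplified flow records (day, src_host, dst_ip,
dst_port) and looks for the two signals the story describes: many hosts
talking to Tor for the first time at once, and hosts that used to talk to a
plain-HTTP C2 server now showing up on Tor.
"""
from collections import defaultdict

# Assumption: the defender keeps a list of Tor directory-authority / relay IPs.
# These are RFC 5737 documentation addresses used as placeholders, not real ones.
TOR_INFRA = {"198.51.100.10", "198.51.100.11", "203.0.113.20"}
# Ports Tor relays and directory mirrors commonly listen on (assumed for the example).
TOR_PORTS = {9001, 9030, 443}
# Hypothetical address of the botnet's old plain-HTTP C2 server.
OLD_HTTP_C2 = "192.0.2.50"

# Constructed flow records, not real traffic: (day, src_host, dst_ip, dst_port).
# Days 1-3: a trickle of legitimate Tor users plus bots polling the HTTP C2.
# Day 4: the bots switch to Tor all at once.
FLOWS = [
    (1, "ws-01", OLD_HTTP_C2, 80),
    (1, "ws-02", OLD_HTTP_C2, 80),
    (1, "ws-07", "198.51.100.10", 9001),   # legitimate Tor user, baseline
    (2, "ws-01", OLD_HTTP_C2, 80),
    (2, "ws-03", OLD_HTTP_C2, 80),
    (2, "ws-08", "198.51.100.11", 443),    # legitimate Tor user, baseline
    (3, "ws-04", OLD_HTTP_C2, 80),
    (3, "ws-09", "203.0.113.20", 9030),    # legitimate Tor user, baseline
    (4, "ws-01", "198.51.100.10", 9001),
    (4, "ws-02", "198.51.100.11", 9001),
    (4, "ws-03", "203.0.113.20", 443),
    (4, "ws-04", "198.51.100.10", 9001),
    (4, "ws-05", "198.51.100.11", 443),
    (4, "ws-06", "203.0.113.20", 9001),
    (5, "ws-01", "198.51.100.10", 9001),
]


def tor_first_seen(flows, tor_ips=TOR_INFRA, tor_ports=TOR_PORTS):
    """Map each host to the first day it contacted Tor infrastructure."""
    first = {}
    for day, src, dst, port in sorted(flows):
        if dst in tor_ips and port in tor_ports and src not in first:
            first[src] = day
    return first


def new_tor_hosts_per_day(flows):
    """Count hosts whose first Tor contact falls on each observed day."""
    counts = defaultdict(int)
    for day in tor_first_seen(flows).values():
        counts[day] += 1
    return {day: counts[day] for day in sorted({f[0] for f in flows})}


def spike_days(flows, factor=3.0):
    """Days on which the number of newly Tor-talking hosts exceeds `factor`
    times the mean of all earlier days. A botnet flipping its C2 to Tor
    produces exactly this step change; a slow organic rise does not."""
    per_day = new_tor_hosts_per_day(flows)
    flagged, history = [], []
    for day, count in per_day.items():
        if history and count > factor * (sum(history) / len(history)):
            flagged.append(day)
        history.append(count)
    return flagged


def shifted_from_http(flows, old_c2=OLD_HTTP_C2):
    """Hosts that spoke plain HTTP to the old C2 and later appear on Tor:
    the strongest indicator that the new Tor traffic is the same botnet."""
    first_tor = tor_first_seen(flows)
    http_days = defaultdict(list)
    for day, src, dst, port in flows:
        if dst == old_c2 and port == 80:
            http_days[src].append(day)
    return sorted(h for h, d in first_tor.items()
                  if h in http_days and min(http_days[h]) < d)


if __name__ == "__main__":
    print("new Tor hosts per day:", new_tor_hosts_per_day(FLOWS))
    print("spike days:", spike_days(FLOWS))
    print("hosts that moved from HTTP C2 to Tor:", shifted_from_http(FLOWS))
```

On the constructed data the step change lands on day 4, and the four hosts that had polled the HTTP C2 on days 1 to 3 are exactly the ones flagged as having moved to Tor. In a real deployment the Tor address list would come from the consensus, and a host appearing in both lists warrants pulling the new Tor-related binary from it for analysis rather than blocking on its own.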
“One of the main actors is known as ‘Scorpion’. Another actor uses the nickname ‘Dekadent’. Together, they are part of a well organised and probably well financed cybercrime gang,” Hacquebord added in a blog post.
“We strongly associate these actors with installations of adware and hijacking search results. Therefore, we suspect that one of the ways the Mevade botnet is monetized is by installing adware and toolbars onto affected systems.”