Recently, Tor Project Director Roger Dingledine described a sudden increase in the number of Tor users on the Tor network after the events related to the disclosure of the PRISM surveillance program. Since August 19, 2013, there has been an impressive growth in the number of Tor users.

Researchers attribute the surge to a botnet that uses Tor Hidden Services for its command and control (C&C) infrastructure, which offers its operators several advantages:
- The botnet traffic is encrypted, which helps prevent detection by network monitors.
- By running as a Hidden Service, the origin, location, and nature of the C&C are concealed and therefore not exposed to possible takedowns. In addition, since Hidden Services do not rely on public-facing IP addresses, they can be hosted behind firewalls or NAT-enabled devices such as home computers.
- Hidden Services provide a Tor-specific .onion pseudo top-level domain, which is not exposed to possible sinkholing.
- The operator can easily move the C&C servers simply by reusing the private key generated for the Hidden Service.
Researchers linked the bot agent to the Mevade malware family. “A recent detection name that has been used in relation to this botnet is ‘Mevade.A’, but older references suggest the name ‘Sefnit’, which dates back to at least 2009 and also included Tor connectivity. We have found various references that the malware is internally known as SBC to its operators.”
The authors of the Mevade Tor variant appear to use the Russian language. One of them is known as “Scorpion”; together with a colleague nicknamed “Dekadent”, he is probably part of an organized cybercrime gang.
The monetization scheme used by the cybercriminals is not certain; their primary intent is probably to install adware and toolbars on victims’ systems. According to a Trend Micro security expert, the Mevade malware also has a “backdoor component and communicates over SSH to remote hosts”, and the botnet could be used for data theft.
It is possible that the purpose of this malware network is to load additional malware onto the system and that the infected systems are for sale.
Members of the Tor Project have begun an investigation and explained in a blog post: “The fact is, with a growth curve like this one, there’s basically no way that there’s a new human behind each of these new Tor clients. These Tor clients got bundled into some new software which got installed onto millions of computers pretty much overnight. Since no large software or operating system vendors have come forward to tell us they just bundled Tor with all their users, that leaves me with one conclusion: somebody out there infected millions of computers and as part of their plan they installed Tor clients on them.”
“It doesn’t look like the new clients are using the Tor network to send traffic to external destinations (like websites). Early indications are that they’re accessing hidden services — fast relays see “Received an ESTABLISH_RENDEZVOUS request” many times a second in their info-level logs, but fast exit relays don’t report a significant growth in exit traffic. One plausible explanation (assuming it is indeed a botnet) is that it’s running its Command and Control (C&C) point as a hidden service.”
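The indicator the Tor Project describes above, a burst of ESTABLISH_RENDEZVOUS requests in a relay's info-level log, can be turned into a simple rate check a relay operator can run over their own logs. The following is an added example, not code from the Tor Project or from this article; the log line shape, the function name in the log, the sample lines and the baseline threshold are all assumptions constructed for the example.

```python
import re
from collections import Counter

# Assumed Tor info-level log line shape (constructed for this example; a real
# relay log may differ): "<Mon DD HH:MM:SS.mmm> [<level>] <function>(): <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2})\.\d{3} \[(?P<level>\w+)\] (?P<msg>.*)$"
)
# The message quoted in the Tor Project blog post.
RENDEZVOUS_MARK = "Received an ESTABLISH_RENDEZVOUS request"


def rendezvous_rate(lines):
    """Count ESTABLISH_RENDEZVOUS log messages per wall-clock second.

    Returns a Counter keyed by the timestamp truncated to the second, so the
    result can be compared against what the relay normally sees.
    """
    per_second = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or RENDEZVOUS_MARK not in m.group("msg"):
            continue
        per_second[m.group("ts")] += 1
    return per_second


def flag_surge(per_second, baseline_per_second=1.0, factor=10):
    """Return the (second, count) pairs exceeding baseline * factor.

    baseline_per_second is an assumed figure the operator derives from the
    relay's own history; the default is only a placeholder for the example.
    """
    threshold = baseline_per_second * factor
    return sorted((sec, n) for sec, n in per_second.items() if n > threshold)


# Constructed sample log: 12 rendezvous requests within one second, then a
# heartbeat notice and a single request in the following second.
SAMPLE_LOG = [
    "Sep 05 10:00:00.%03d [info] rend_mid_establish_rendezvous(): "
    "Received an ESTABLISH_RENDEZVOUS request on circuit %d" % (i * 50, 1000 + i)
    for i in range(12)
] + [
    "Sep 05 10:00:01.100 [notice] Heartbeat: Tor's uptime is 1 day 0:00 hours",
    "Sep 05 10:00:01.400 [info] rend_mid_establish_rendezvous(): "
    "Received an ESTABLISH_RENDEZVOUS request on circuit 2000",
]

if __name__ == "__main__":
    rate = rendezvous_rate(SAMPLE_LOG)
    print(dict(rate))
    print("surge seconds:", flag_surge(rate))
```

On the constructed sample this flags 10:00:00 (12 requests) and leaves 10:00:01 (1 request) alone; the same check over real relay logs only makes sense relative to a baseline measured on that relay.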
Tor users are advised to upgrade to the newest version of Tor to mitigate the effect of the botnet: it includes a new handshake which Tor relays prioritize over the older handshake. The upgrade therefore gives legitimate, up-to-date clients an advantage over clients still using the older version, which is what the current Mevade variant bundles.
Of course this is a palliative, not a cure: the botnet’s authors may decide to update their Tor component too, which is why Tor officials also appealed to the security community to analyze the botnet in depth and shut it down.