Botnet causing recent surge in Tor traffic claims security company

Thursday, September 5, 2013

A cyber defense and IT security company has claimed that the reason behind the recent surge in the number of clients connecting to Tor is in fact a relatively unknown botnet, not the NSA or genuine adoption of Tor.

In late August we reported that there was a huge increase in Tor network traffic and in the number of clients connecting to the Tor network. Statistics on the Tor Metrics Portal indicated a 100 percent increase in Tor traffic in August compared to July, with as many as 1,200,000 users connecting to the network. Looking at the statistics as of this writing, the number of connections has quadrupled, with over 2,500,000 clients connecting to the network.

According to Fox-it, the surge in traffic is because of a botnet dubbed “Mevade.A”, which is known to have Tor connectivity features. The company noted that the botnet may have links to a previously detected botnet dubbed “Sefnit”, which also featured Tor connectivity. Fox-it claimed that they have found “references that the malware is internally known as SBC to its operators.”

The botnet, Fox-it claims, had until now used HTTP for distributing commands to its nodes, but it has recently switched to “Tor as its method of communication for its command and control channel.” If Fox-it's claims are true, the botnet is huge and may very well have over a million bots under its control.

Mevade.A reportedly had “tens of thousands of confirmed infections” prior to its Tor switch, and according to Fox-it, “when these numbers are extrapolated on a per country and global scale, these are definitely in the same ballpark as the Tor user increase.”
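A botnet moving its command-and-control channel onto Tor shows up on a network as a cohort of hosts that all begin contacting Tor relays at about the same time. The following detector is an added example, not part of the original report or of Fox-it's analysis: it runs over constructed flow records (hosts, relay addresses and dates are all made up) and flags the day on which an unusual number of internal hosts reach Tor relays for the first time. In a real deployment the relay set would come from a Tor consensus snapshot rather than the constructed list used here.

```python
"""Flag days on which an abrupt cohort of hosts first contacts Tor relays.

Assumptions (constructed for this example): flow records are tuples of
(src_host, dst_ip, dst_port, day); the relay list stands in for a Tor
consensus snapshot and uses documentation address ranges only.
"""
from collections import Counter
from datetime import date, timedelta

# Constructed relay addresses (not real Tor relays) and typical relay ports.
TOR_RELAYS = {"198.51.100.10", "198.51.100.11", "203.0.113.7"}
TOR_PORTS = {9001, 9030, 443}

# Constructed flow records: (src_host, dst_ip, dst_port, day)
FLOWS = [
    # Ordinary web traffic, ignored by the detector
    ("10.0.0.5", "93.184.216.34", 80, date(2013, 8, 12)),
    ("10.0.0.6", "93.184.216.34", 443, date(2013, 8, 13)),
    # Two long-standing Tor users that form the baseline
    ("10.0.0.5", "198.51.100.10", 9001, date(2013, 8, 12)),
    ("10.0.0.5", "198.51.100.11", 9001, date(2013, 8, 14)),
    ("10.0.0.7", "203.0.113.7", 443, date(2013, 8, 13)),
    # An abrupt cohort: four hosts reach relays for the first time on 19 Aug
    ("10.0.0.21", "198.51.100.10", 9001, date(2013, 8, 19)),
    ("10.0.0.22", "198.51.100.10", 9001, date(2013, 8, 19)),
    ("10.0.0.23", "198.51.100.11", 9001, date(2013, 8, 19)),
    ("10.0.0.24", "203.0.113.7", 443, date(2013, 8, 19)),
    ("10.0.0.25", "198.51.100.10", 9001, date(2013, 8, 20)),
    ("10.0.0.26", "198.51.100.11", 9001, date(2013, 8, 20)),
    # Repeat contact by an already-seen host; not a new first contact
    ("10.0.0.21", "198.51.100.11", 9001, date(2013, 8, 21)),
]


def first_tor_contact(flows, relays=TOR_RELAYS, ports=TOR_PORTS):
    """Map each host to the earliest day it reached a known relay on a relay port."""
    first = {}
    for src, dst, dport, day in flows:
        if dst in relays and dport in ports:
            if src not in first or day < first[src]:
                first[src] = day
    return first


def new_tor_hosts_per_day(flows, relays=TOR_RELAYS, ports=TOR_PORTS):
    """Count, per day, how many hosts made their first relay contact that day."""
    return Counter(first_tor_contact(flows, relays, ports).values())


def surge_days(daily_counts, factor=2.0, min_hosts=3):
    """Return days whose new-host count is at least `min_hosts` and at least
    `factor` times the mean daily count over every calendar day before it.
    Calendar days with no new hosts count as zero, so a quiet baseline makes
    a sudden cohort stand out."""
    if not daily_counts:
        return []
    start, end = min(daily_counts), max(daily_counts)
    flagged, running_total, day = [], 0, start
    while day <= end:
        count = daily_counts.get(day, 0)
        elapsed = (day - start).days
        if elapsed > 0:
            baseline = running_total / elapsed
            if count >= min_hosts and count >= factor * baseline:
                flagged.append(day)
        running_total += count
        day += timedelta(days=1)
    return flagged


def cohort_hosts(first_contact, day):
    """Hosts whose first relay contact fell on `day`, for follow-up triage."""
    return {host for host, d in first_contact.items() if d == day}


if __name__ == "__main__":
    first = first_tor_contact(FLOWS)
    counts = new_tor_hosts_per_day(FLOWS)
    for day in surge_days(counts):
        print(f"{day}: {counts[day]} new Tor hosts -> {sorted(cohort_hosts(first, day))}")
```

The detector keys on first contact rather than raw connection volume: a handful of established Tor users generate steady traffic and are part of the baseline, whereas a mass C2 switch produces many hosts whose first relay contact lands on the same day. Only the surge day is reported; the cohort list is what an analyst would hand to incident response.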

The Pirate Bay’s recent launch of the PirateBrowser was also a likely contender for the spike in connected clients, but according to reports the browser package has been downloaded only 550,000 times. The download dates also do not line up with the influx of traffic on the Tor network, so PirateBrowser has been ruled out as well.

[Image: tor module analysis]

The Tor Project has carried out an analysis of the recent network load and noted that the new Tor clients must be running 0.2.3.x, as they are not using the new Tor handshake method introduced in the 0.2.4 series. Fox-it did a little digging inside the botnet code and claimed that “the version of Tor that is used [by the botnet] is”