Sep 12, 2013, 11:30 am EST

Security researchers at Fox-IT firm found evidence that the spike in Tor traffic is caused by a Mevade botnet that hides its C&C in the anonymizing network.

Is the Mevade malware the real responsible for the spike observed in the number of users directly connected to the Tor network?

In a article I wrote recently I analyzed the impact on the use of the Tor network after the events related to disclosure of the PRISM surveillance program highlighting a suspicious increase on a global scale in the number of users directly accessed Tor.

Various are the hypotesys more or less fascinating, part of the security community is convinced that a meaningful contribute to the anomalous increase is given by non-human generated traffic. In particular since August 19, 2013, there has been an impressive growth in the number of Tor users.

The most likely cause is a botnet designed to use the Tor network to hide its command and control servers, security firm Fox-IT is one of the first security firm that documented the presence of a new malicious architecture based on the anonymizing network.

Mevade Code

“The malware uses command and control connectivity via Tor .onion links using HTTP. While some bots continue to operate using the standard HTTP connectivity, some versions of the malware use a peer-to-peer network to communicate (KAD based). Typically, it is fairly clear what the purpose of malware is, such as banking, clickfraud, ransomware or fake anti-virus malware. In this case however it is a bit more difficult. It is possible that the purpose of this malware network is to load additional malware onto the system and that the infected systems are for sale. ”states the blog post.

We already discussed for the benefit to use Tor network when we introduced the Skynet botnet, hiding C&C servers is possible to build a bulletproof architecture. It was September 2012when the German security firm G Data Software detected a botnet with a particular feature, it was controlled from an Internet Relay Chat (IRC) server running as a hidden service of the Tor.

The main advantages of botnet based on Tor are:

  • The botnet traffic is encrypted, which helps prevent detection by network monitors.
  • By running as a Hidden Service, the origin, location, and nature of the C&C are concealed and therefore not exposed to possible takedowns. In addition, since Hidden Services do not rely on public-facing IP addresses, they can be hosted behind firewalls or NAT-enabled devices such as home computers.
  • Hidden Services provide a Tor-specific .onion pseudo top-level domain, which is not exposed to possible sinkholing.
  • The operator can easily move around the C&C servers just by re-using the generated private key for the Hidden Service.

Researches linked the bot agent to the Mevade malware family, older references link it to malicious code “Sefnit” dated 2009 that included Tor connectivity. The malware implemented a backup mechanism for its C&C communications with a Tor component. The Mevade malware was downloading a Tor module in the last weeks of August and early September.

Authors of Mevade Tor variant appear use Russian Language, one of them is known as “Scorpion” and with his colleague having nickname “Dekadent” probably is part of an organized cyber gang. The monetization schema implemented by cybercriminals is not sure; probably their primary intent is install adware and toolbars onto victim’s systems.

According TrenMicro blog the Mavade malware has also a “backdoor component and communicates over SSH to remote hosts”, security expert are confident that the botnet could be used for data theft.

Members of the Tor Project began an investigation into the spike in usage confirming that millions of new Tor clients were part of a Mevade botnet as they have explained in a Tor officials wrote in a blog post:

“The fact is, with a growth curve like this one, there’s basically no way that there’s a new human behind each of these new Tor clients. These Tor clients got bundled into some new software which got installed onto millions of computers pretty much overnight. Since no large software or operating system vendors have come forward to tell us they just bundled Tor with all their users, that leaves me with one conclusion: somebody out there infected millions of computers and as part of their plan they installed Tor clients on them,” “It doesn’t look like the new clients are using the Tor network to send traffic to external destinations (like websites). Early indications are that they’re accessing hidden services — fast relays see “Received an ESTABLISH_RENDEZVOUS request” many times a second in their info-level logs, but fast exit relays don’t report a significant growth in exit traffic. One plausible explanation (assuming it is indeed a botnet) is that it’s running its Command and Control (C&C) point as a hidden service.”

Tor officials are inviting users to upgrade to the newest version of Tor to mitigate the effect of the botnet, it in fact includes a new handshake feature which Tor relays prioritize over the older handshake. The upgrade will advantage legitimate new clients ever the ones who use the older version exploited by actual variant of Mevade malware.

Of course it is a palliative and not curative, the authors of the botnet may decide to update their Tor component too, that is the reason why Tor official also appealed security community to deeply analyze the botnet to shutdown it.

“In parallel, it would be great if botnet researchers would identify the particular characteristics of the botnet and start looking at ways to shut it down (or at least get it off of Tor). Note that getting rid of the C&C point may not really help, since it’s the rendezvous attempts from the bots that are hurting so much,” the Tor officials said.

Concluding the spike in Tor user number is not only attributable to event related to PRISM and the will of to escape to government surveillance, unless someone wants to misuse of the botnet to make all the bots run as Tor relays exit nodes!

(Source: CDM, Pierluigi Paganini, Editor and Chief )