The Hacker News
Recently, Tor Project Director - Roger Dingledine described a sudden increase in Tor users on the Tor Network after the events related to disclosure of the PRISM surveillance program, Since August 19, 2013, there has been an impressive growth in the number of Tor users.

At first, No one knew who or what is responsible for this spontaneous growth of Tor users, but Security researchers at Fox-IT firm found evidence that the spike in Tor traffic is caused by a Mevade Botnet, that hides its Command-and-Control server in the anonymizing network.
The security firm documented the presence of the Mevade malware architecture based on the anonymizing network, "The malware uses a command and control connectivity via Tor .Onion links using HTTP. While some bots continue to operate using the standard HTTP connectivity, some versions of the malware use a peer-to-peer network to communicate (KAD based)."

"Typically, it is fairly clear what the purpose of malware is, such as banking, click fraud, ransomware or fake anti-virus malware. In this case however it is a bit more difficult. It is possible that the purpose of this malware network is to load additional malware onto the system and that the infected systems are for sale. " States the blog post.
The Hacker News
The benefit of using Tor network is to hide C&C servers, that allow criminals to build a bulletproof architecture. It was September, 2012 when the German security firm GData Software detected a Botnet with a particular feature, it was controlled from an Internet Relay Chat (IRC) server running as a hidden service of the Tor.

The main advantages of Botnet based on Tor are:
  • The botnet traffic is encrypted, which helps prevent detection by network monitors.
  • By running as an Hidden Service, the origin, location, and nature of the C&C are concealed and therefore not exposed to possible takedowns. In addition, since Hidden Services do not rely on public-facing IP addresses, they can be hosted behind firewalls or NAT-enabled devices such as home computers.
  • Hidden Services provides a Tor-specific .Onion pseudo top-level domain, which is not exposed to possible sinkholing.
  • The operator can easily move around the C&C servers just by re-using the generated private key for the Hidden Service.
Researches linked the bot agent to the Mevade malware family. "A recent detection name that has been used in relation to this botnet is 'Mevade.A', but older references suggest the name 'Sefnit', which dates back to at least 2009 and also included Tor connectivity. We have found various references that the malware is internally known as SBC to its operators."

Authors of Mevade Tor variant appear to use the Russian Language. One of them is known as "Scorpion" and with his colleague having nickname "Dekadent" probably are the part of an organized cyber gang.

The monetization schema implemented by cybercriminals is not sure, probably their primary intent is install adware and toolbars on victim's systems. According TrendMicro Security expert the Mavade malware has also a "backdoor component and communicates over SSH to remote hosts" and the botnet could be used for data theft.

It is possible that the purpose of this malware network is to load additional malware onto the system and that the infected systems are for sale.

Members of the Tor Project have begun an investigation and explained in a blog post, "The fact is, with a growth curve like this one, there's basically no way that there's a new human behind each of these new Tor clients. These Tor clients got bundled into some new software which got installed onto millions of computers pretty much overnight. Since no large software or operating system vendors have come forward to tell us they just bundled Tor with all their users, that leaves me with one conclusion: somebody out there infected millions of computers and as part of their plan they installed Tor clients on them,"

"It doesn't look like the new clients are using the Tor network to send traffic to external destinations (like websites). Early indications are that they're accessing hidden services — fast relays see "Received an ESTABLISH_RENDEZVOUS request" many times a second in their info-level logs, but fast exit relays don't report a significant growth in exit traffic. One plausible explanation (assuming it is indeed a botnet) is that its running its Command and Control (C&C) point as a hidden service."

Tor users are advised to upgrade to the newest version of Tor to mitigate the effect of the Botnet, it in fact includes a new handshake feature which Tor relays prioritize over the older handshake. The upgrade will advantage legitimate new clients ever the ones who use the older version exploited by an actual variant of Mevade malware.

Of course it is a palliative and not curative, the authors of the botnet may decide to update their Tor component too, that is the reason why Tor official also appealed security community to deeply analyze the botnet to shutdown it.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.