Botnet likely caused spike in number of Tor clients

So far, the network is still working, but measures need to be taken for the future, Tor said

The spike in the number of clients using the Tor anonymity network was likely caused by a botnet, according to Tor and third-party security researchers.

Around Aug. 20, the number of Tor clients jumped. There are now millions of new Tor clients and the number continues to rise, said Tor project leader Roger Dingledine, writing as "arma" in a blog post on Thursday. The spike is likely being caused by a botnet, wrote Dingledine, who often blogs under the "arma" handle and is one of the original developers of Tor.

Tor obscures a user's IP address by routing traffic through a series of encrypted volunteer relays that are selected at random. People have been using it to protect their privacy online but the same features make it attractive for those with more malicious intentions.

"Some people have speculated that the growth in users comes from activists in Syria, Russia, the United States, or some other country that has good reason to have activists and journalists adopting Tor en masse lately. Others have speculated that it's due to massive adoption of the Pirate Browser (a Tor Browser Bundle version that discards most of Tor's security and privacy features)," Dingledine wrote.

"The fact is, with a growth curve like this one, there's basically no way that there's a new human behind each of these new Tor clients," Dingledine wrote.

The clients were installed onto millions of computers pretty much overnight. Since no large software or OS vendors have come forward to say they just bundled Tor with all their products, that leaves one conclusion: somebody infected millions of computers and as part of their plan they installed Tor clients on them, Dingledine wrote.

The suspicion that the uptake in Tor usage is caused by a botnet is shared by Dutch security firm Fox-IT.

"We found that it is very likely that it is a botnet," said Ronald Prins, director and co-founder of the company.

"It seems to be a general-purpose botnet," Prins said, adding that a general purpose botnet is often used to harvest data such as log-in credentials that can be used later, or sold to another party. But what the botnet is trying to achieve is unknown at this point, he said.

Using Tor to control a botnet can be convenient because it makes it hard to detect, Prins said. The botnet's command and control (C&C) server is hidden by Tor, he noted. "This hinders the take-down very much," he said.

While Tor can be helpful, it also has a significant drawback, Prins said: "Traffic is very slow."

Fox-IT researchers said the name of the botnet could be "Mevade.A." But they also found old references that suggest the name is "Sefnit," which dates back to at least 2009 and also included Tor connectivity, they said in a blog post.

"We have found various references that the malware is internally known as SBC to its operators," they wrote, adding that they assume that it originates from a Russian-speaking area, and is likely to be financial-crime related. The researchers did not specify where they found the references.

Tor also thinks it is plausible that the botnet is running its C&C point as a hidden service, according to Dingledine.

While the Tor network is still working for now, the botnet could cause trouble, according to Tor.

The biggest problems are not caused by the amount of traffic added to the network, but rather by new circuits that are being made, Dingledine wrote.

"Tor clients build circuits preemptively, and millions of Tor clients means millions of circuits. Each circuit requires the relays to do expensive public key operations, and many of our relays are now maxed out on CPU load," Dingledine wrote.

This sets up a possible dangerous cycle. "When a client tries to build a circuit but it fails, it tries again. So if relays are so overwhelmed that they each drop half the requests they get, then more than half the attempted circuits will fail (since all the relays on the circuit have to succeed), generating even more circuit requests," Dingledine wrote.

To deal with these issues, Tor took several temporary measures to mitigate the problem. But for the future, other options need to be explored, Dingledine said. Tor could for example limit the circuit-create requests or learn to recognize the circuit building signature of a bot client.

"It would be great if botnet researchers would identify the particular characteristics of the botnet and start looking at ways to shut it down (or at least get it off of Tor)," Dingledine said.

"And finally, I still maintain that if you have a multi-million node botnet, it's silly to try to hide it behind the 4,000-relay Tor network. These people should be using their botnet as a peer-to-peer anonymity system for itself," Dingledine wrote.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags Fox-ITsecurityencryptionmalwareprivacy

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Loek Essers

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?