Starting around August 19, there has been a sudden spike in the number of Tor clients. Tor is an anonymity network operated by volunteers that provides encryption and identity protection capabilities. It allows users to avoid surveillance and traffic interception as well as circumvent internet censorship, and is a favorite of whistleblowers and political activists.
Within one week the number of users doubled to 1.2 million, up from 600,000. Now, in early September, users have reached 3.5 million – and the base continues to grow.
“Some people have speculated that the growth in users comes from activists in Syria, Russia, the United States, or some other country that has good reason to have activists and journalists adopting Tor en masse lately,” explained Tor project leader Roger Dingledine, in a blog. “Others have speculated that it's due to massive adoption of the Pirate Browser (a Tor Browser Bundle fork that discards most of Tor's security and privacy features), but we've talked to the Pirate Browser people and the downloads they've seen can't account for this growth. The fact is, with a growth curve like this one, there's basically no way that there's a new human behind each of these new Tor clients.”
The service thinks that the new Tor clients were somehow bundled into a software that was installed onto millions of computers “pretty much overnight.”
“Since no large software or operating system vendors have come forward to tell us they just bundled Tor with all their users, that leaves me with one conclusion: somebody out there infected millions of computers [with malware] and as part of their plan they installed Tor clients on them,” Dingledine said.
The new clients give themselves away, because they’re not actually browsing websites, nor are they generating enough traffic to be a legitimate user. Tor’s early indications are that they're accessing hidden services, DIngledine noted, and one plausible explanation is that the botnet is running its command-and-control (C&C) point as a hidden service.
“I still maintain that if you have a multi-million node botnet, it's silly to try to hide it behind the 4,000-relay Tor network,” said DIngledine. “These people should be using their botnet as a peer-to-peer anonymity system for itself. So I interpret this incident as continued exploration by botnet developers to try to figure out what resources, services and topologies integrate well for protecting botnet communications."
Tor is exploring ways to mitigate the effects of the botnet on its network and on other users, but it’s not devoting resources to shutting it down. That’s a job for someone else, Dingledine said.
“It would be great if botnet researchers would identify the particular characteristics of the botnet and start looking at ways to shut it down (or at least get it off of Tor),” he explained. “Note that getting rid of the C&C point may not really help, since it's the rendezvous attempts from the bots that are hurting so much.”
Tor is looking for ways to prevent botnets from infiltrating in the future. For example, it could rate-limit circuit create requests at entry guards, or learn to recognize the circuit-building signature of bot clients in order to refuse or tarpit connections from them. Entry guards could also demand that clients solve captchas before they can build more than a certain threshold of circuits.
Dingledine added, “Another facet of solving this problem long-term is helping [botnet operators] to understand that Tor isn't a great answer for their problem.”