Malware, Vulnerability Management

A botnet is likely behind a massive Tor Network user spike

A botnet might be responsible for a massive spike in users on Tor, a network that uses a modified version of web browsers – notably Firefox – to direct traffic through thousands of relays and makes locating users virtually impossible.

Initial speculation, according to a post by Roger Dingledine, the Tor Project director, is that the mass influx of users was coming from activists desiring anonymity. Follow-up conjecture was that more people were using Pirate Browser, which uses the Tor Network to circumvent censorship, but does not create an anonymous web browsing experience.

Only after researching and analyzing the spike that began on Aug. 20 – and noting that users increased to roughly 3.5 million from nearly 500,000 in just a few short weeks – Dingledine seems convinced that a botnet is the culprit at work.

“The fact is, with a growth curve like this one, there's basically no way that there's a new human behind each of these new Tor clients,” Dingledine said, adding it “leaves me with one conclusion: somebody out there infected millions of computers and, as part of their plan, they installed Tor clients on them.”

The giveaway is in the new users' behavior, or rather a lack thereof, according to Dingledine, who said that clients are not using the Tor network to access websites.

“[They're] most likely using Tor for command-and-control via a hidden service,” Andrew Lewman, Tor Project executive director, told on Wednesday. “But that's just speculation.”

Researchers have some ideas as to where the downloading is originating from, said Lewman, but while he was unable to say anything definitive at this point, he did say the download is affecting users globally.

Fortunately the Tor Project recently improved its scalability and is able to keep up, said Dingledine, but problems are still occurring. Lewman said the botnet is “Slowing [the network] down by making the relays handle lots of circuit builds, which increases the crypto operations per relay.”

In order to create a more stable experience, Dingledine and Lewman are telling users to upgrade to a Tor Browser Bundle with Tor 0.2.4.x in it and then to wait for enough relays to upgrade to the most recent release. This should help by prioritizing legitimate users.

Dingledine, not impressed with the idea of hiding a multi-million node botnet on a 4,000 relay network, said “it would be great if botnet researchers would identify the particular characteristics of the botnet and start looking at ways to shut it down (or at least get it off of Tor).” He also added that he interprets “this incident as continued exploration by botnet developers to try to figure out what resources, services, and topologies integrate well for protecting botnet communications.”

The Tor Project attracted media attention in early August following the FBI arrest of Eric Marques, who is charged with distributing child porn on the anonymous network. It is alleged that authorities exploited a vulnerability in older versions of Firefox that allowed users to be tracked on Tor.

Image courtesy of

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.