The spike in the number of clients using the Tor anonymity network was likely caused by a botnet, according to Tor and third-party security researchers.
Around Aug. 20, the number of Tor clients jumped. There are now millions of new Tor clients and the number continues to rise, said Tor project leader Roger Dingledine, writing as "arma" in a blog post on Thursday. The spike is likely being caused by a botnet, wrote Dingledine, who often blogs under the "arma" handle and is one of the original developers of Tor.
Tor obscures a user's IP address by routing traffic through a series of encrypted volunteer relays that are selected at random. People have been using it to protect their privacy online but the same features make it attractive for those with more malicious intentions.
"Some people have speculated that the growth in users comes from activists in Syria, Russia, the United States, or some other country that has good reason to have activists and journalists adopting Tor en masse lately. Others have speculated that it's due to massive adoption of the Pirate Browser (a Tor Browser Bundle version that discards most of Tor's security and privacy features)," Dingledine wrote.
"The fact is, with a growth curve like this one, there's basically no way that there's a new human behind each of these new Tor clients," Dingledine wrote.
The clients were installed onto millions of computers pretty much overnight. Since no large software or OS vendors have come forward to say they just bundled Tor with all their products, that leaves one conclusion: somebody infected millions of computers and as part of their plan they installed Tor clients on them, Dingledine wrote.
The suspicion that the uptake in Tor usage is caused by a botnet is shared by Dutch security firm Fox-IT.
"We found that it is very likely that it is a botnet," said Ronald Prins, director and co-founder of the company.
"It seems to be a general-purpose botnet," Prins said, adding that a general purpose botnet is often used to harvest data such as log-in credentials that can be used later, or sold to another party. But what the botnet is trying to achieve is unknown at this point, he said.
Using Tor to control a botnet can be convenient because it makes it hard to detect, Prins said. The botnet's command and control (C&C) server is hidden by Tor, he noted. "This hinders the take-down very much," he said.
While Tor can be helpful, it also has a significant drawback, Prins said: "Traffic is very slow."
Fox-IT researchers said the name of the botnet could be "Mevade.A." But they also found old references that suggest the name is "Sefnit," which dates back to at least 2009 and also included Tor connectivity, they said in a blog post.
Sign up for CIO Asia eNewsletters.