Researchers have found a new theory to explain the sudden spike in computers using the Tor anonymity network: a massive botnet that was recently updated to use Tor to communicate with its mothership.
Mevade.A, a network of infected computers dating back to at least 2009, has mainly used standard Web-based protocols to send and receive data to command and control (C&C) servers, according to researchers at security firm Fox-IT. Around the same time that Tor Project leaders began observing an unexplained doubling in Tor clients, Mevade overhauled its communication mechanism to use anonymized Tor addresses ending in .onion. In the week that has passed since Tor reported the uptick, the number of users has continued to mushroom.
"The botnet appears to be massive in size as well as very widespread," a Fox-IT researcher wrote in a blog post published Thursday. "Even prior to the switch to Tor, it consisted of tens of thousands of confirmed infections within a limited amount of networks. When these numbers are extrapolated on a per country and global scale, these are definitely in the same ballpark as the Tor users increase."