

Large botnet cause of recent Tor network overload - thursley
http://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-overload/

======
derefr
> Typically, it is fairly clear what the purpose of malware is, such as
> banking, clickfraud, ransomware or fake anti-virus malware. In this case
> however it is a bit more difficult.

I think the article answers its own question the paragraph previous:

> While some bots continue to operate using the standard HTTP connectivity,
> some versions of the malware use a peer-to-peer network to communicate (KAD
> based).

Tor and Kademlia are both rather complex systems. To use one or the other, but
not both, in different versions of your botnet, would suggest to me that this
is a botnet creator _split-testing the effectiveness and scalability of
different command-and-control technologies_.

~~~
X-Istence
Even criminals need to do A/B testing!

------
jruthers
I wonder if it is conceivable that a government agency that wouldn't like what
Tor offers could reduce Tor's attractiveness by bombing it from a botnet,
much like what they've done by arresting people who host a Tor node for
traffic that runs across it.

With that said, I accept that this is a much less likely explanation than
some Russian group just using it to facilitate their usual crime.

~~~
brazzy
So far the new users are showing little activity (according to the article),
so that seems unlikely.

~~~
fiatpandas
I don't think the little activity disproves that theory beyond a reasonable
doubt. If it really was a govt agency wanting to flood the network, they may
be waiting for a particular event to initiate the flood.

~~~
eli
As is the nature of conspiracy theories, it is _impossible_ to definitively
disprove.

~~~
mavhc
When you eliminate the falsifiable, whatever remains, however improbable, must
be a conspiracy theory.

------
chmike
Could the anonymity of Tor users be compromised by these presumed bots? As
for Bitcoin, which could be subverted if one user holds more than 50% of the
bitcoins.

~~~
001sky
Is there any commercial logic to hacking Tor, though?

~~~
dylz
They are connecting as users -- it's more than likely that the only thing that
is to be gained is a fully anonymous, non-takedownable C&C.

