{
	"id": "9f4d508f-0f25-42c3-b544-07b867e40553",
	"created_at": "2026-04-06T00:20:55.791738Z",
	"updated_at": "2026-04-10T03:20:37.586276Z",
	"deleted_at": null,
	"sha1_hash": "f8d1fd22fd3933c03d297cb260f3b4d3a2f4d0c2",
	"title": "Large botnet cause of recent Tor network overload",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 183680,
	"plain_text": "Large botnet cause of recent Tor network overload\r\nPublished September 5, 2013\r\nPublished: 2013-09-05 · Archived: 2026-04-05 17:14:20 UTC\r\nRecently, Roger Dingledine described a sudden increase in Tor users on the Tor Talk mailing list. To date there has been a large amount of speculation as to why this may have happened. A large number of articles seem to suggest this to be the result of the recent global espionage events, the evasion of the Pirate Bay blockades using the PirateBrowser, or the Syrian civil war.\r\nAt the time of writing, the number of Tor clients actually appears to have more than quintupled already. The graph shows no signs of a decline in growth, as seen below:\r\nAn alternative recurring explanation is the increased usage of botnets using Tor, based on the assertion that the increase appears to consist mostly of new users to Tor that apparently are not doing much, given the limited impact on Tor exit performance. In recent days, we have indeed found evidence which suggests that a specific and rather unknown botnet is responsible for the majority of the sudden uptick in Tor users. A recent detection name that has been used in relation to this botnet is “Mevade.A”, but older references suggest the name “Sefnit”, which dates back to at least 2009 and also included Tor connectivity. We have found various references that the malware is internally known as SBC to its operators.\r\nhttps://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-overload/\r\nPage 1 of 4\r\nPreviously, the botnet communicated mainly using HTTP as well as alternative communication methods. More recently, and coinciding with the uptick in Tor users, the botnet switched to Tor as the method of communication for its command and control channel. The botnet appears to be massive in size as well as very widespread. Even prior to the switch to Tor, it consisted of tens of thousands of confirmed infections within a limited number of networks. When these numbers are extrapolated on a per-country and global scale, they are definitely in the same ballpark as the Tor user increase.\r\nThus, one important thing to note is that this was an already existing botnet of massive scale, even prior to the conversion to using Tor and .onion as its command and control channel.\r\nAs pointed out in the Tor weekly news, the version of Tor that is used by the new Tor clients must be 0.2.3.x, due to the fact that they do not use the new Tor handshake method. Based on the code we can confirm that the version of Tor that is used is 0.2.3.25.\r\nThe malware uses command and control connectivity via Tor .onion links using HTTP. While some bots continue to operate using the standard HTTP connectivity, some versions of the malware use a peer-to-peer network to communicate (KAD-based).\r\nTypically, it is fairly clear what the purpose of malware is, such as banking, click fraud, ransomware or fake anti-virus malware. In this case, however, it is a bit more difficult. It is possible that the purpose of this malware network is to load additional malware onto the system and that the infected systems are for sale. We have, however, no compelling evidence that this is true, so this assumption is merely based on a combination of small hints. It does however originate from a Russian-speaking region, and is likely motivated by direct or indirect financial crime.\r\nThis specific version of the malware, which includes the Tor functionality, will install itself in:\r\n%SYSTEM%\\config\\systemprofile\\Local Settings\\Application Data\\Windows Internet Name System\\wins.exe\r\nAdditionally, it will install a Tor component in:\r\n%PROGRAMFILES%\\Tor\\Tor.exe\r\nA live copy of the malware for researchers can be found at:\r\nhxxp://olivasonny .no-ip .biz /attachments/tc.c1\r\nThis location is regularly updated with new versions.\r\nRelated MD5 hashes:\r\n2eee286587f76a09f34f345fd4e00113 (August 2013)\r\nc11c83a7d9e7fa0efaf90cebd49fbd0b (September 2013)\r\nRelated MD5 hashes from the non-Tor version:\r\n4841b5508e43d1797f31b6cdb83956a3 (December 2012)\r\n4773a00879134a9365e127e2989f4844 (January 2013)\r\n9fcddc45ae35d5cdc06e8666d249d250 (February 2013)\r\nb939f6ef3bd292996f97aa5786757870 (March 2013)\r\n47c8b85a4c82ed71487deab68de196ba (March 2013)\r\n3e6eb9f8d81161db44b4c4b17763c46a (April 2013)\r\na0343241bf53576d18e9c1329e6a5e7e (April 2013)\r\nThank you to our partners for the help in investigating this threat.\r\nProtACT Team \u0026 InTELL Team\r\nSource: https://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-overload/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-overload/"
	],
	"report_names": [
		"large-botnet-cause-of-recent-tor-network-overload"
	],
	"threat_actors": [],
	"ts_created_at": 1775434855,
	"ts_updated_at": 1775791237,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f8d1fd22fd3933c03d297cb260f3b4d3a2f4d0c2.pdf",
		"text": "https://archive.orkl.eu/f8d1fd22fd3933c03d297cb260f3b4d3a2f4d0c2.txt",
		"img": "https://archive.orkl.eu/f8d1fd22fd3933c03d297cb260f3b4d3a2f4d0c2.jpg"
	}
}