Friday, 19 February 2016

Is The Tor Increase Malware?

Yesterday I wrote about the dramatic increase in Tor hidden services in recent days. The best correlation I was able to find was the possible increase in the use of the anonymous instant messaging service, Ricochet. However, another possibility has been mooted: the rapid rise in Tor hidden services is a result of the rapid spread of the malware known as Locky.

There is some suggestion that when a machine is infected with Locky, the malware creates a unique Bitcoin address and a unique .onion address. This would prevent law enforcement from tracing the criminals. Martijn Grooten pointed back to similar spikes in the number of "users" of Tor, which were caused by malware using the network as part of its command and control system:

Major jump in Tor "users" reported in Virus Bulletin 2013

As the rise in Tor hidden services continues apace, the open question remains whether there is proof that the Locky malware is doing as some suspect and creating thousands of .onion addresses.
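One practical question for a defender reading the above is how malware that uses Tor as part of its command and control would show up in their own telemetry. A properly embedded Tor client resolves .onion names inside the Tor circuit, so nothing reaches the corporate resolver; but naive or misconfigured code does leak .onion lookups to ordinary DNS, which RFC 7686 says stub resolvers should refuse and which are therefore a cheap indicator worth alerting on (their absence proves nothing). The following is an added example, not code from the original post or from any Locky analysis; it assumes a BIND-style query-log line format, and the log lines, client addresses and .onion names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of resolver query-log lines in BIND's "querylog" style (assumed
# format; the timestamps, client addresses and names are made up for this example).
SAMPLE_QUERY_LOG = """\
18-Feb-2016 09:12:01.123 client 10.0.5.17#51234: query: www.example.com IN A + (10.0.0.53)
18-Feb-2016 09:12:03.456 client 10.0.5.17#51240: query: abcdefghijklmnop.onion IN A + (10.0.0.53)
18-Feb-2016 09:12:04.001 client 10.0.5.17#51241: query: abcdefghijklmnop.onion IN AAAA + (10.0.0.53)
18-Feb-2016 09:13:10.789 client 10.0.5.42#40011: query: mail.example.com IN MX + (10.0.0.53)
18-Feb-2016 09:14:22.222 client 10.0.5.17#51260: query: qrstuvwxyz234567.onion IN A + (10.0.0.53)
18-Feb-2016 09:15:00.000 client 10.0.5.99#33001: query: onion.example.com IN A + (10.0.0.53)
"""

# Pull the client address, queried name and query type out of one log line.
QUERY_RE = re.compile(
    r"client (?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)
# Hidden-service names at the time of the post were 16 base32 characters (v2);
# the 56-character v3 form is accepted too so the check stays useful on newer logs.
ONION_LABEL_RE = re.compile(r"^[a-z2-7]{16}$|^[a-z2-7]{56}$")


def is_onion_name(name):
    """True if the queried name is a .onion special-use name (RFC 7686) with a
    plausible hidden-service label; 'onion.example.com' must not match."""
    labels = name.lower().rstrip(".").split(".")
    return len(labels) >= 2 and labels[-1] == "onion" and bool(ONION_LABEL_RE.match(labels[-2]))


def onion_lookups(log_text):
    """Return (source, name, qtype) for every .onion query that reached the resolver.
    Each such query is a leak: a correctly configured Tor client never sends one."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_onion_name(m.group("name")):
            hits.append((m.group("src"), m.group("name").lower().rstrip("."), m.group("qtype")))
    return hits


def hosts_by_onion_names(log_text):
    """Map each querying host to the distinct .onion names it tried to resolve, which is
    the view an analyst wants when checking whether each host talks to its own address."""
    per_host = defaultdict(set)
    for src, name, _ in onion_lookups(log_text):
        per_host[src].add(name)
    return dict(per_host)


if __name__ == "__main__":
    for src, names in sorted(hosts_by_onion_names(SAMPLE_QUERY_LOG).items()):
        print(f"{src}: {len(names)} distinct .onion name(s): {', '.join(sorted(names))}")
```

Run against the constructed sample this flags only 10.0.5.17, with two distinct .onion names, and ignores the legitimate "onion.example.com" lookup; the same functions can be pointed at a real query log with the format regex adjusted to the resolver in use.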

The anecdotal evidence from the messages displayed by the malware would suggest it does, but I have yet to see it described in any detail. If it is doing this, it leaves some interesting questions about how, for example, the criminals are receiving the private address for the Bitcoin transaction and whether that could somehow be intercepted.

However, although this is a plausible explanation, and some initial evidence suggests it is doing as discussed, I shall wait for the full analysis of the malware before reaching a final conclusion.

In any event the continued rise is unprecedented for Tor hidden services, and it would be good to know what is causing it.