Researchers have found a new theory to explain the sudden spike in computers using the Tor anonymity network: a massive botnet that was recently updated to use Tor to communicate with its mothership.

Mevade.A, a network of infected computers dating back to at least 2009, has mainly used standard Web-based protocols to send and receive data to command and control (C&C) servers, according to researchers at security firm Fox-IT. Around the same time that Tor Project leaders began observing an unexplained doubling in Tor clients, Mevade overhauled its communication mechanism to use anonymized Tor addresses ending in .onion. In the week that has passed since Tor reported the uptick, the number of users has continued to mushroom.

"The botnet appears to be massive in size as well as very widespread," a Fox-IT researcher wrote in a blog post published Thursday. "Even prior to the switch to Tor, it consisted of tens of thousands of confirmed infections within a limited amount of networks. When these numbers are extrapolated on a per country and global scale, these are definitely in the same ballpark as the Tor users increase."

Tor Project leader "Arma" also published a blog post Thursday that backed the theory. Arma wrote:

The fact is, with a growth curve like this one, there's basically no way that there's a new human behind each of these new Tor clients. These Tor clients got bundled into some new software which got installed onto millions of computers pretty much overnight. Since no large software or operating system vendors have come forward to tell us they just bundled Tor with all their users, that leaves me with one conclusion: somebody out there infected millions of computers and as part of their plan they installed Tor clients on them.

Arma went on to warn of a "possible dangerous cycle" that could result if Tor relays are so overwhelmed by the new members that they each drop half the requests they get, a scenario that could set off a chain of failures over the network.

The use of Tor by botnets is at least 11 months old. Last October, researchers from GData uncovered a malware sample that used Tor hidden services to shield the IP addresses of its command servers. In December, researchers from Rapid7 discovered Skynet, a botnet that enslaved as many as 15,000 computers to carry out denial-of-service attacks and mine bitcoins. The Skynet-infected machines communicated with C&C servers mainly through Tor.

Making a C&C server a Tor hidden service makes sense from an attacker's perspective. Tor makes it much harder for white hats and law enforcement officers to identify the malware operators and to shut down the server. Instead of connecting to a registered IP address, an infected machine connects to a pseudo address such as vtipk3.onion that is hard—if not impossible—to trace. Researchers have been predicting that botnets would adopt Tor protocols since at least 2010.

Mevade is using version 0.2.3.25 of the Tor client, according to Fox-IT. That's consistent with last week's report from Tor that the new influx in Tor users were using a client in the 0.2.3.x family. The botnet also appears to be largely dormant at the moment, another observation that's consistent with Tor reports that the newcomers aren't particularly active on the network. Little else is immediately known about Mevade other than it may also go by the names Sefnit and SBC, and it appears to originate in a Russian-speaking country.

Post updated to add comments from Tor in fourth, fifth, and sixth paragraphs.