Cyber-thieves blamed for leap in Tor dark net use Published duration 6 September 2013

image caption Most spam email messages are sent via botnets run by cyber-thieves

Cyber-thieves are behind a big leap in the number of computers connecting to the Tor anonymous web browsing system, a security company has said.

The number of connections to Tor almost doubled in late August.

Some thought the rise was caused by people in repressive regimes using Tor to escape official scrutiny.

But Dutch security company Fox-IT said it had evidence it had been caused by cybercriminals using Tor to control legions of hijacked home PCs.

Hidden network

The sharp leap in Tor numbers began on 19 August.

Before that date about 500,000 connections a day were being made to the network.

Within a week, the number of connections had hit 1.5 million and has continued to grow.

The latest update from Tor suggests about three million connections are now being made on a daily basis.

Tor (The Onion Router) attempts to hide who is using the web by routing their data through a series of computers each one of which encrypts the data passing through it.

It is widely used by people living in nations that monitor what citizens say online, to avoid official attention.

Many people on the Tor admin mailing list suggested the growth in use had been caused by more people turning to the network as many different governments cracked down on what can be said and done online.

But Fox-IT said it had traced the growing number of connections to a botnet - a network of home computers hijacked by malicious computer programs.

Botnets are the favoured tools of cybercriminals, who use them as a resource to plunder for saleable information or as a way to send spam or launch attacks on other sites.

In a blog post Fox-IT said there was growing evidence a group of criminals who ran the Mevade.A or Sefnit botnet had turned to Tor to control their army of hijacked computers.

The geographic spread of compromised computers on Sefnit was very similar to those recently seen to have joined Tor, it said.

And a closer look at the code being run by some individual PCs on Sefnit showed they had the latest version of Tor installed and regularly checked in with a Tor site for instructions about what to do.

So far, said the blog, it was not entirely clear what the botnet was being used for.

"It does however originate from a Russian-spoken region, and is likely motivated by direct or indirect financial-related crime," wrote Fox-IT analysts.

The rise in Tor connections has caused problems for operators of the browsing network.

In a blog post, Tor said it was looking into ways to stop botnet controllers using the network to co-ordinate criminal activity.

In addition, it added, Tor was not a great way to control millions of infected machines.

"If you have a multi-million node botnet, it's silly to try to hide it behind the 4,000-relay Tor network," said the blog