> Typically, it is fairly clear what the purpose of malware is, such as banking, clickfraud, ransomware or fake anti-virus malware. In this case however it is a bit more difficult.
I think the article answers its own question the paragraph previous:
> While some bots continue to operate using the standard HTTP connectivity, some versions of the malware use a peer-to-peer network to communicate (KAD based).
Tor and Kademlia are both rather complex systems. To use one or the other, but not both, in different versions of your botnet, would suggest to me that this is a botnet creator split-testing the effectiveness and scalability of different command-and-control technologies.
I wonder if it is conceivable that a government agency that wouldn't like what Tor offers, could reduce Tor's attractiveness by bombing it from a botnet, much like what they've done by arresting people who host a tor node for traffic that runs across it.
With that said, I accept that this is much less likely explanation than just some Russian group just using it to facilitate their usual crime.
I don't think the little activity disproves that theory beyond a reasonable doubt. If it really was a govt agency wanting to flood the network, they may be waiting for a particular event to initiate the flood.
Anyone with a botnet this large effectively has a kill switch on Tor.
If this botnet actually relies upon Tor for its primary means of C&C, and the botherders are in fact motivated by ordinary financial crime, then it would seem to be the largest botnet that would be least likely to try to shut down Tor.
The most dangerous scenario for Tor is if this botnet continues to grow exponentially, its operators command it to go into an uncontrolled DDoS mode, or some other glitch in its software causes Tor to fall over. The C&C hidden service would become unreachable, the operators could lose control of their botnet, and it could end up essentially stuck in a perma-DoS mode upon itself and Tor.
If they wanted to flood the network at a particular time, why would they in advance create low-volume traffic that reveals the existence of the botnet?
Could the anonymity of tor users be compromized by these presumed bots ? As for bitcoin which could be subverted if one users holds more than 50% of the bitcoins.
Most likely not. If the bots were to suddenly turn into nodes, then there is a good chance that a large percentage of users could have their anonymity compromised.
Tor anonymity relies on the fact it is difficult to tie in where you entered the system, and where you exited the system. If someone where to control a large amount of nodes, they could (in theory) tie a large amount identities together. But this requires a large amount of entry and exit nodes.
I don't think so. It looks like these bots are connecting as users, not nodes. It might be possible to use these bots to increase/control the load on tor which may be able to facilitate an attack based on controlling a significant amount of nodes.
I think the article answers its own question the paragraph previous:
> While some bots continue to operate using the standard HTTP connectivity, some versions of the malware use a peer-to-peer network to communicate (KAD based).
Tor and Kademlia are both rather complex systems. To use one or the other, but not both, in different versions of your botnet, would suggest to me that this is a botnet creator split-testing the effectiveness and scalability of different command-and-control technologies.