20 comments

[ 2.1 ms ] story [ 56.2 ms ] thread
Could this be related to Ricochet getting press?
From the article:

One possibility, he said, might be a sudden swell in the popularity of Ricochet, an app that uses Tor to allow anonymous instant messaging between users.

I'd say this is highly likely. I saw it posted earlier on hn and Reddit. If it's doing the rounds, it seems plausible that 25k people just gave it a whirl. The article even states that the spike could be a due to Ricochet, but "mystery" traffic makes a better headline.
That's the speculation on the tor-talk mailing list. Makes sense to me. Also, there was a recent security audit of ricochet. It's possible that the auditors automated some kind of test framework with the side effect of creating thousands of new hidden service addresses.
A different hypothesis on the tor-talk list was a piece of ransomware that generates a hidden service per victim:

https://lists.torproject.org/pipermail/tor-talk/2016-Februar...

Exactly my first reaction.

At the moment we get hundreds of Locky mails per day.

There is a huge spike in ransomware at the moment. And all ransom has to be paid via a tor location.

We started blocking .docm at the mail server (it uses a Word macro to download)
That won't block all macro viruses. You need a dedicated program/firewall for this, filtering on extension won't work. Older .doc formats can also have macro's included and will work in newer (as well as older) versions of word.
This was just to prevent this specific attack - kind of a stopgap until the AV detects it properly.

IIRC last time I checked the Word doc on virustotal it was picked up 22/55.

Fortunately at least AV did pick up the payload when a user let the macro run...

Edit, ran it by virustotal again and got 28/55

Bitcoin Core v0.12.0 was just released.

From the release notes,

  Starting with Tor version 0.2.7.1 it is possible, through Tor's control socket API, to create and destroy 'ephemeral' hidden services programmatically. Bitcoin Core has been updated to make use of this.

  This means that if Tor is running (and proper authorization is available), Bitcoin Core automatically creates a hidden service to listen on, without manual configuration. Bitcoin Core will also use Tor automatically to connect to other .onion nodes if the control socket can be successfully opened. This will positively affect the number of available .onion nodes and their usage.

  This new feature is enabled by default if Bitcoin Core is listening, and a connection to Tor can be made. It can be configured with the -listenonion, -torcontrol and -torpassword settings. To show verbose debugging information, pass -debug=tor
https://github.com/bitcoin/bitcoin/blob/master/doc/release-n...
are these spikes in exit nodes ?
no, these are spikes in hidden services.
Starting with Tor version 0.2.7.1 it is possible, through Tor's control socket API, to create and destroy 'ephemeral' hidden services programmatically. Bitcoin Core has been updated to make use of this.

This means that if Tor is running (and proper authorization is available), Bitcoin Core automatically creates a hidden service to listen on, without manual configuration. Bitcoin Core will also use Tor automatically to connect to other .onion nodes if the control socket can be successfully opened. This will positively affect the number of available .onion nodes and their usage.

This new feature is enabled by default if Bitcoin Core is listening, and a connection to Tor can be made. It can be configured with the -listenonion, -torcontrol and -torpassword settings. To show verbose debugging information, pass -debug=tor.