Opera browser wild on opening sockets and listening on port 9050

The strange behavior of Opera browser described in this text happened in 2013 and was caused by ZeuS malware that dynamically injected its code to Opera process. I might be that there was nothing wrong with Opera browser itself. There is now a separate text describing the ZeuS incident.

I encountered an interesting incident on my Windows 7 home computer. I started to have issues: it seemed that internet connection started to drop. It happened once in a while and rebooting the computer resolved the issue. When the issue continued to come back I started investigating.

First thing I noticed is that ping worked well but new TCP traffic wasn't possible. I then downloaded TCPView and noticed that there were enormous amount of sockets to localhost port 9050. I learned that 9050 is a port typically used by Tor networking that I have never used myself. The sockets seemed to be opened by Opera web browser.

My first conclusion was that my Opera browser is running some malware JavaScript code that runs or tries to run Tor networking. I cleaned all the session and cache data from Opera and rebooted the computer. After the reboot I noticed the socket issue was cleared but Opera was automatically started at reboot and listened on port 9050. There seemed not to be any unwanted network traffic active so I decided not to take further actions other than running three different virus scanners on the computer. They didn't detect any virus or malware.

After a while the massive socket creation by Opera happened again. I noticed again the sockets connecting to port 9050 and also some Tor traffic connected between my computer and internet. There was not much left to do than uninstall Opera and after that removing all directories that related to Opera. This seems to have cleared the issue.

I don't really know what the issue was but if I would have to conclude something I would say that it was

  • possibly a modified Opera executable somehow injected to my computer, or a JavaScript-based attack using Opera browser
  • undetected by three different virus and malware scanners
  • creating network traffic related to Tor or disguised to look like Tor traffic

As I was fast on taking actions in protecting my computer I didn't investigate it deeply. Google searches return very little information what it could have been. I assume this is a rare or a new attack type.

After some time I decided to reinstall Opera and see how it behaves now. After a couple of days I noticed the same symptoms again and saw that there was TCP socket flooding going on on port 9050. I uninstalled Opera and removed all the Opera-related directories.

I still have no explanation for the issue. Is it a some sort of an attack or just Opera browser behaving badly on my Windows 7 computer? I don't know.