Forgot your password?
typodupeerror
Security Communications Encryption Microsoft Privacy Software Windows

Microsoft Remotely Deleted Tor From Windows Machines To Stop Botnet 214

Posted by timothy
from the because-they-can dept.
An anonymous reader writes "Microsoft remotely deleted old versions of Tor anonymizing software from Windows machines to prevent them from being exploited by Sefnit, a botnet that spread through the Tor network. It's unclear how many machines were affected, but the total number of computers on the Tor network ballooned from 1 million to 5.5 million as Sefnit spread. 'By October, the Tor network had dropped two million users thanks to Sefnit clients that had been axed. No one, not even the Tor developers themselves, knew how Microsoft had gone on a silent offensive against such a big opponent and won a decisive battle,' the Daily Dot reported. In a blog post, Microsoft claimed it views Tor as a 'good application,' but leaving it installed presented a severe threat to the infected machines."
This discussion has been archived. No new comments can be posted.

Microsoft Remotely Deleted Tor From Windows Machines To Stop Botnet

Comments Filter:
  • by gishzida (591028)

    Who knew?

    • by BasilBrush (643681) on Thursday January 16, 2014 @06:04PM (#45980145)

      So called Anti-virus software is a kill switch. So everyone who knew their Windows PC was running Windows Security Essentials or any of the other Microsoft AV products knew.

      • by Shavano (2541114)

        It wasn't necessarily done through Security Essentials. It might have been done through Windows Update.

        • Re: (Score:3, Funny)

          by morgauxo (974071)

          Hardly! They never could have uninstalled so many that way. Don't you know Windows Update doesn't run on pirated copies of Windows anymore?

          • by Mondor (704672)

            A part of every monthly Windows Update is a program called Malicious Software Removal Tool.

        • by Cenan (1892902) on Friday January 17, 2014 @02:32AM (#45983145)

          It might have been done through Windows Update.

          Not at first [technet.com], although the signature for Tor v0.2.3.25 used in Sefnit was added later to the Malicious Software Removal Tool that Windows Update regularly pushes out.

        • by hairyfeet (841228)

          What I don't understand is why anybody would get their panties in a bunch over this. I mean how many years did we hear "MS don't do enough to protect its users" while all those worms and bugs ran amok? Now we see MSFT getting rid of a program that 1.- Is out of date, 2.- Many users may not even know they have, 3.- Isn't being used by the users (or else it would have been updated) and most importantly 4.- Is being used in a major malware infection.

          As someone who fixes and sells PCs I can tell you that if y

    • Re: (Score:2, Informative)

      by Anonymous Coward

      "Despite the warnings about the privacy of Windows users from Jacob Appelbaum while on stage in Germany, Lewman seems less concerned. He surmises that Microsoft used its Microsoft Security Essentials software to eliminate the programs, a program users must install themselves."

      • by nemesisrocks (1464705) on Thursday January 16, 2014 @06:51PM (#45980575) Homepage

        He surmises that Microsoft used its Microsoft Security Essentials software to eliminate the programs, a program users must install themselves.

        Or he could read Microsoft's own statement [technet.com], where they say exactly how they eliminated Tor:

        October 27, 2013: We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.

        November 12, 2013: Signature and remediation is included in Malicious Software Removal Tool and delivered through Windows Update/Microsoft Update.

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          *whew*

          "Microsoft Remotely Deleted Tor From Windows Machines To Stop Botnet" with no context screams "we can just remote into your system whenever we like". Having an infected client added to the malware list seems like a really responsible way to react to the threat.

          That being said, I'm still pretty sure they can just remote in whenever they like...

          • by Shavano (2541114)

            They can certainly target any software they like by the same methods. I can't see them going after legitl software that you installed yourself on purpose. That would open them up to the mother of all anti-trust lawsuits. Going after what everybody agrees are bad guys is safe.

            • by Xest (935314)

              "They can certainly target any software they like by the same methods."

              Not really, all the malicious software has to do going forward is block any incoming updates from Microsoft for their security products.

            • ". I can't see them going after legitl software that you installed yourself on purpose. "

              Yes. For example, if they removed TOR that would be outrageous, but this is different. Oh, wait ...

    • by LinuxIsGarbage (1658307) on Thursday January 16, 2014 @06:07PM (#45980187)

      Who knew?

      "Malicious Software Removal Tool" has been a Windows update for years. (Since 2005 http://en.wikipedia.org/wiki/Windows_Malicious_Software_Removal_Tool [wikipedia.org]) What did you think it did? You have the option of not running it. If the update is selected / run it is a local program run one time after updates are installed that "checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month."

      http://www.microsoft.com/en-ca/download/malicious-software-removal-tool-details.aspx [microsoft.com]

      • by McDutchie (151611)

        prevalent malicious software (including Blaster, Sasser, and Mydoom)

        Yup, that's 2005 alright. Or even 2004 and 2003.

        Hardly inspires confidence that they haven't updated the description in nearly a decade.

        • If the description is still accurate (and by my understanding it is), why bother updating it?
    • by mechtech256 (2617089) on Thursday January 16, 2014 @06:10PM (#45980219)

      This doesn't sound much different to any other anti-virus removal. Microsoft almost certainly used the Microsoft Security Essential update to kill Sefnit, as they do with so many other viruses.

      "the total number of computers on the Tor network ballooned from 1 million to 5.5 million as Sefnit spread"

      These weren't dedicated Tor nodes that were taken offline because they were being used for malicious purposes, these were infected PCs with a virus that used Tor as the communication protocol. An outdated and vulnerable version of Tor was hidden in a "location that almost no human user would"

      If a PC was infected with Sefnit and had the signature old version of Tor in the hidden location, Tor was removed because it's logically the case that Tor was just part of the virus payload. Because of the unique install directory, there wasn't even a remote chance for false positives. Publicly available tools that can be used for good or bad are hijacked by viruses all the time, and it's never a surprise if an anti-virus removes that tool when the virus specific files are removed.

      • by CohibaVancouver (864662) on Thursday January 16, 2014 @06:35PM (#45980437)
        I'm sorry, but your thoughtful and well-written response is counter to the "Me hate Microsoft me LOVE TOR" groupthink on Slashdot, where facts are irrelevant and just muddy the waters.

        Please move along.

        (You're welcome to join me as I sit quietly in the corner, waiting to get modded down to troll.)
        • So true. I just got modded down from +3 interesting to troll for posing the legal QUESTION of patents and indemnity for Linux in a the previous JP Morgan ATM thread. The stupidest comments got modded up.

      • by Dracolytch (714699) on Thursday January 16, 2014 @06:37PM (#45980463) Homepage

        Did some more digging. Here are the details (from http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx [technet.com]) :

        Cleanup efforts

        Since the Sefnit-caused Tor eruption in August, we have worked to curb this risk. In this process, we consulted with Tor project developers to help plan the cleanup. We retroactively remediated machines that had previously been cleaned of Sefnit but still had a Sefnit-added Tor service:

        October 27, 2013: We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.
        November 12, 2013: Signature and remediation is included in Malicious Software Removal Tool and delivered through Windows Update/Microsoft Update.

    • by timeOday (582209) on Thursday January 16, 2014 @06:26PM (#45980351)
      A spam black hole is exactly the same thing, and so is gmail's spam filter. If some things are in and some are out, then somebody somewhere made that call.

      I am actually appreciating more and more, in retrospect, how non-intrusive Microsoft was for all those years and still is. Compared to today's Internet, and the PowerBook that wants a credit card number before I can even do a software update or download XCode (since it's all linked to the App Store now), Microsoft was/is a model of responsibility.

  • Battle (Score:5, Insightful)

    by Ksevio (865461) on Thursday January 16, 2014 @06:01PM (#45980105) Homepage

    No one, not even the Tor developers themselves, knew how Microsoft had gone on a silent offensive against such a big opponent and won a decisive battle

    It seems pretty obvious - the people who's machine had Tor removed didn't know it was installed and weren't using it to begin with. When MS removed it, they didn't notice or complain.

    • Re:Battle (Score:5, Insightful)

      by Hangtime (19526) on Thursday January 16, 2014 @06:11PM (#45980235) Homepage

      Exactly this version of Tor was installed in a non-obvious and non-trivial location to get to and as a service. Microsoft asked the Tor developers "Anybody actually do this?", Answer: "Nope.". Microsoft then nuked the rogue Tor apps either through Microsoft Security Essentials or through Malicious Software Tool removal app.

      • Re: (Score:2, Interesting)

        by mrbluze (1034940)

        Exactly this version of Tor was installed in a non-obvious and non-trivial location to get to and as a service. Microsoft asked the Tor developers "Anybody actually do this?", Answer: "Nope.". Microsoft then nuked the rogue Tor apps either through Microsoft Security Essentials or through Malicious Software Tool removal app.

        Was the botnet doing anything bad? Or was it just making Tor faster for everyone?

        • Re:Battle (Score:4, Funny)

          by Lehk228 (705449) on Thursday January 16, 2014 @06:31PM (#45980407) Journal
          botnets are like furries, inherantly evil.
        • Re:Battle (Score:5, Informative)

          by gnick (1211984) on Thursday January 16, 2014 @06:35PM (#45980441) Homepage

          Was the botnet doing anything bad? Or was it just making Tor faster for everyone?

          Even if it was doing nothing but running tor in the background, then for people that don't have unlimited bandwidth use yes it was doing something bad.

        • Anything bad? As in taking up computer and network resources without authorization? Yes.

        • Re:Battle (Score:5, Informative)

          by girlintraining (1395911) on Thursday January 16, 2014 @06:39PM (#45980483)

          Was the botnet doing anything bad? Or was it just making Tor faster for everyone?

          Actually, it shit up the network so badly that Tor developers considered it effectively a DDoS attack. During the peak of the infection, the network was effectively unusable, with latencies exceeding that of the typical TCP connection timeout of 120 seconds. As it turns out, using an anonymizing network doesn't translate into knowing how to build a network-aware application that doesn't stomp on its own dick so hard that the only thing the bot-net ever appears to have done was shit up the Tor network -- it does not appear it was ever activated in any meaningful capacity because the botnet owner, having shit the network it connected to, wasn't able to actually send commands to the majority of clients.

          • It wouldn't surprise me if the infected machines were so loaded with other malware, that their CPU, RAM, and available bandwidth were all overloaded.
          • I'm just tinfoil-hatting here, but do we know that wasn't its intended purpose?
            • I'm just tinfoil-hatting here, but do we know that wasn't its intended purpose?

              Because of the pathetically few hits on honeypots indicated it managed to attempt two things: Bitcoin mining (lol; a couple million infections over a two month period earned him maybe $100), and click fraud... so basically he defrauded two institutions widely regarded as fraudulent in their own right. Woooo.... big achiever.

          • by steelfood (895457)

            My tinfoil hat says it worked as intended. Making TOR unusable in this period of time would discourage its use by non-technical computer users who were probably flocking to it for privacy's sake.

            I mean, nobody'd do straight DDOS over TOR because exit nodes are limited and a DDOS just wouldn't happen by definition. And if somebody wanted to do C&C over TOR, wouldn't you think they'd set the zombies up to act as bridges and relays rather than straight clients? The tinfoil hat says this was deliberately do

            • My tinfoil hat says it worked as intended. Making TOR unusable in this period of time would discourage its use by non-technical computer users who were probably flocking to it for privacy's sake.

              Except for the part where MS security researchers asked the Tor devs if this type of installation was normal, and they said "No."

              That's why the tinfoil hat moniker came about in the first place: to identify FUD and other nonsense.

              At the end of the day, the malware got removed, and there was no public outrage from people losing their legitimate Tor installations---because only the bad ones got wiped.

              If you don't run a Microsoft security product and don't choose the Malicious Software Removal Tool from Window

        • by exomondo (1725132)

          Was the botnet doing anything bad?

          Mining bitcoins.

        • Your question is answered in TFA. They were mining BitCoins.

        • Well, I don't really detect sarcasm, and same for troll detection, yet I have a hard time accepting these as real questions, but what the hell....

          According to TFA, the botnet was mining bitcoins for the two botnet 'herders'.

          'Doing anything bad?'
          1.) Taking control away from the PC's owner and covertly installing malware
          2.) Using significant amounts of energy at the owners expense without agreement
          3.) Tor network users jumped from approx. 1 million users, to over 5 million users when this botnet went online.

        • It was mining bitcoins on the slave machines.

          At a minimum, there is an increase in electrical consumption. Also, potentially: slowdowns, overheating, bandwidth overages (some countries have metered internet), misc compatibility issues.

  • by eedwardsjr (1327857) on Thursday January 16, 2014 @06:02PM (#45980133)
    There is always the possibility it could have been executed through the security patch subsystem. It has the capacity to execute scripts/executables.
    • by PCM2 (4486) on Thursday January 16, 2014 @06:07PM (#45980185) Homepage

      Yeah ... when every few weeks or so Windows Update tells me it's going to download something called the Malicious Software Removal Tool, I've always wondered what it did. We might have a few new clues here.

      • by Ecuador (740021)

        Hmm, I always read it as: "Malicious, Software Removal Tool" and opted out to avoid having it maliciously remove my software. I would even be shocked that MS would even propose such a thing, but I read slashdot, so I did expect such and worse...
        But in retrospect, perhaps you are right, and it is just a Tool that removes Malicious Software?
        Honest mistake, I mean that's how Pythia had all the success...

        • by McFly777 (23881)

          MSRT could also be MicroSoft Removal Tool... but that would just be a Linux install disk of whatever flavor you choose.

  • No killswitch (Score:2, Insightful)

    by Anonymous Coward

    there's no "killswitch" it just got added to the definitions for removal. nothing to see here.

  • by gallondr00nk (868673) on Thursday January 16, 2014 @06:26PM (#45980343)

    Removes malicious software, that just happens to use Tor.

    Come on /., you can do better than this.

    • by mythosaz (572040)

      It's not even good trolling on the author's part.

      It'd be like a piece of malware that installs an old copy of VNC for spying purposes, in a hidden folder, with a obscure named .EXE, starting in an arcane point in the registry, and then leading with a headline of: Microsoft Removes VNC From Computers!.

  • so Microsoft removes a virus with there removal tool and somehow they did a bad thing. and removed the infected version of tor not the new ones.
  • Microsoft remotely deleted a characteristic version of Tor and other maliciously installed software which a botnet had installed from Windows machines to stop said botnet, just as it does for all kinds of malicious software via its (get this) Malicious Software Removal tool (which regularly appears in Windows Update) and/or Microsoft Security Essentials, which you, the user, gave it permission to do.

    ...but it didn't fit*.

    *in length or in terms of agenda.

  • by NeBan (606215) on Thursday January 16, 2014 @08:41PM (#45981423)
    Jacob Appelbaum and Roger Dingledine talked about this at the 30c3 conference last December. Here's a link to the video: https://www.youtube.com/watch?v=CJNxbpbHA-I [youtube.com] They talk about this around the 39:55 mark. Basically they weren't thrilled about microsoft doing such a thing, but on the other hand if the attack had been malicious it would have taken down the entire TOR network.

Practical people would be more practical if they would take a little more time for dreaming. -- J. P. McEvoy

Working...