
Microsoft Remotely Deleted Tor From Windows Machines To Stop Botnet

Posted by timothy
from the because-they-can dept.
An anonymous reader writes "Microsoft remotely deleted old versions of Tor anonymizing software from Windows machines to prevent them from being exploited by Sefnit, a botnet that spread through the Tor network. It's unclear how many machines were affected, but the total number of computers on the Tor network ballooned from 1 million to 5.5 million as Sefnit spread. 'By October, the Tor network had dropped two million users thanks to Sefnit clients that had been axed. No one, not even the Tor developers themselves, knew how Microsoft had gone on a silent offensive against such a big opponent and won a decisive battle,' the Daily Dot reported. In a blog post, Microsoft claimed it views Tor as a 'good application,' but leaving it installed presented a severe threat to the infected machines."
  • by BasilBrush (643681) on Thursday January 16, 2014 @06:04PM (#45980145)

    So called Anti-virus software is a kill switch. So everyone who knew their Windows PC was running Windows Security Essentials or any of the other Microsoft AV products knew.

  • by Anonymous Coward on Thursday January 16, 2014 @06:04PM (#45980149)

    "Despite the warnings about the privacy of Windows users from Jacob Appelbaum while on stage in Germany, Lewman seems less concerned. He surmises that Microsoft used its Microsoft Security Essentials software to eliminate the programs, a program users must install themselves."

  • by LinuxIsGarbage (1658307) on Thursday January 16, 2014 @06:07PM (#45980187)

    Who knew?

    "Malicious Software Removal Tool" has been a Windows update for years. (Since 2005: http://en.wikipedia.org/wiki/Windows_Malicious_Software_Removal_Tool) What did you think it did? You have the option of not running it. If the update is selected / run, it is a local program run one time after updates are installed that "checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month."

    http://www.microsoft.com/en-ca/download/malicious-software-removal-tool-details.aspx

  • by BasilBrush (643681) on Thursday January 16, 2014 @06:12PM (#45980239)

    Well we do know if we bother to RTFA.

  • by BasilBrush (643681) on Thursday January 16, 2014 @06:15PM (#45980263)

    This is no different from anti-virus, because it WAS the Microsoft anti-virus tool that did it. A specific version of TOR in a specific hidden directory being part of the virus payload.

    Talk of not owning your own computer is nonsense. You are free to not run AV software if you prefer. It would be a dumb move, but you are free to do it.

  • Re:Anyone surprised? (Score:5, Informative)

    by LinuxIsGarbage (1658307) on Thursday January 16, 2014 @06:16PM (#45980279)

    Windows Update has doubled as Windows Remote Administration for years.

    Microsoft using their security software (Microsoft Security Essentials and Malicious Software Removal Tool) to tackle a real security hazard, while leaving legitimate Tor users unaffected? The horror!

  • by gallondr00nk (868673) on Thursday January 16, 2014 @06:26PM (#45980343)

    Removes malicious software, that just happens to use Tor.

    Come on /., you can do better than this.

  • by LinuxIsGarbage (1658307) on Thursday January 16, 2014 @06:29PM (#45980379)

    Well we do know if we bother to RTFA.

    Indeed

    Since the Sefnit-caused Tor eruption in August, we have worked to curb this risk. In this process, we consulted with Tor project developers to help plan the cleanup. We retroactively remediated machines that had previously been cleaned of Sefnit but still had a Sefnit-added Tor service:

            October 27, 2013: We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.
            November 12, 2013: Signature and remediation is included in Malicious Software Removal Tool and delivered through Windows Update/Microsoft Update.

  • Re:Exactly how???? (Score:4, Informative)

    by Bert64 (520050) on Thursday January 16, 2014 @06:31PM (#45980405)

    If you install their software then you are trusting them to have control over your machine. Your hardware is doing exactly what microsoft has programmed it to do. And every time you install updates, you are allowing them to install a new set of program code on your machine.

    If you don't like it, run something else.

  • Re:Battle (Score:5, Informative)

    by gnick (1211984) on Thursday January 16, 2014 @06:35PM (#45980441)

    Was the botnet doing anything bad? Or was it just making Tor faster for everyone?

    Even if it was doing nothing but running tor in the background, then for people that don't have unlimited bandwidth use yes it was doing something bad.

  • by Dracolytch (714699) on Thursday January 16, 2014 @06:37PM (#45980463)

    Did some more digging. Here are the details (from http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx):

    Cleanup efforts

    Since the Sefnit-caused Tor eruption in August, we have worked to curb this risk. In this process, we consulted with Tor project developers to help plan the cleanup. We retroactively remediated machines that had previously been cleaned of Sefnit but still had a Sefnit-added Tor service:

    October 27, 2013: We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.
    November 12, 2013: Signature and remediation is included in Malicious Software Removal Tool and delivered through Windows Update/Microsoft Update.

  • Re:Battle (Score:5, Informative)

    by girlintraining (1395911) on Thursday January 16, 2014 @06:39PM (#45980483)

    Was the botnet doing anything bad? Or was it just making Tor faster for everyone?

    Actually, it shit up the network so badly that Tor developers considered it effectively a DDoS attack. During the peak of the infection, the network was effectively unusable, with latencies exceeding that of the typical TCP connection timeout of 120 seconds. As it turns out, using an anonymizing network doesn't translate into knowing how to build a network-aware application that doesn't stomp on its own dick so hard that the only thing the bot-net ever appears to have done was shit up the Tor network -- it does not appear it was ever activated in any meaningful capacity because the botnet owner, having shit the network it connected to, wasn't able to actually send commands to the majority of clients.

  • by exomondo (1725132) on Thursday January 16, 2014 @06:41PM (#45980499)

    Some people find TOR using a Chrome browser. Should they have the authority to remove that too only to tell you about it later in a blog?

    RTFA:
    "To fight back, Microsoft remotely removed the program from as many computers as it could, along with the Tor clients it used."

    Sounds like they removed the malware and the files it downloaded.

  • by Bacon Bits (926911) on Thursday January 16, 2014 @06:49PM (#45980559)

    Should they have the authority to remove that too only to tell you about it later in a blog?

    Microsoft Security Essentials is antivirus software. By definition it must have the authority to remove, isolate, disable, and delete software from your computer. The computer owners installed MS Security Essentials precisely to perform this specific service.

    Have any Tor installations been removed that were not associated with Sefnit? It appears to me that the only software that was removed was the specific version of Tor that Sefnit used and, in most cases, when the Tor client had been installed as a system service (which is very, very non-standard). MS did not remove the most recent version of the client.

    You're just spreading FUD about a non-story. This is less interesting than all those stories about antivirus false positives rendering Windows unable to boot.

  • by nemesisrocks (1464705) on Thursday January 16, 2014 @06:51PM (#45980575)

    He surmises that Microsoft used its Microsoft Security Essentials software to eliminate the programs, a program users must install themselves.

    Or he could read Microsoft's own statement, where they say exactly how they eliminated Tor:

    October 27, 2013: We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.

    November 12, 2013: Signature and remediation is included in Malicious Software Removal Tool and delivered through Windows Update/Microsoft Update.

  • by OneAhead (1495535) on Thursday January 16, 2014 @07:01PM (#45980679)

    If you RTFA, you will find that the Microsoft guys first figured out that Sefnit installs Tor in a very specific, unusual way in a very specific, unusual location, then contacted the Tor developers to ask if there is any chance a legitimate user would do the same thing. Only then did they proceed to remove Tor versions that were installed in this very specific way and location. Without any doubt, one of their operating parameters was to avoid collateral damage at all cost; if they screwed up, they could have caused the Microsoft PR disaster of the decade (and boy, is there stiff competition for that title).

  • Re:Legal? (Score:4, Informative)

    by mcl630 (1839996) on Thursday January 16, 2014 @07:31PM (#45980895)

    Yes, but that's not what happened here. If you read TFA, it was removed by Microsoft Security Essentials and the Malicious Software Removal Tool (from Windows Update) and it only removed a specific version of Tor installed in a specific folder. No legit install of Tor would have been in that specific folder.

    If you don't want MSE, don't use it. If you don't want Windows Updates, disable it. Otherwise accept that you're giving some control over your system to Microsoft.

  • by NeBan (606215) on Thursday January 16, 2014 @08:41PM (#45981423)

    Jacob Appelbaum and Roger Dingledine talked about this at the 30c3 conference last December. Here's a link to the video: https://www.youtube.com/watch?v=CJNxbpbHA-I They talk about this around the 39:55 mark. Basically they weren't thrilled about Microsoft doing such a thing, but on the other hand, if the attack had been malicious it would have taken down the entire TOR network.

  • by Cenan (1892902) on Friday January 17, 2014 @02:32AM (#45983145)

    It might have been done through Windows Update.

    Not at first, although the signature for Tor v0.2.3.25 used in Sefnit was added later to the Malicious Software Removal Tool that Windows Update regularly pushes out.
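The thread above describes the pattern Microsoft's signature keyed on: a specific Tor version (0.2.3.25, per Cenan's comment) registered as a Windows service from a hidden directory (per BasilBrush and Bacon Bits), something no ordinary Tor Browser install does. The script below is an added example, not code from the thread, from Microsoft or from the Tor Project, showing how a defender could hunt for that pattern on a host. The exact directory Microsoft matched is not given on the page, so the script is deliberately broader: it flags every service whose binary is tor.exe, then reports the hidden-directory and version indicators for a human to review. The version string and the assumption that legitimate Tor never runs as a service are taken from the comments; everything else (function and parameter names, the indicator wording) is this example's own.

```powershell
# Added example (not Microsoft's, Tor's or the thread's code). Run from an
# elevated PowerShell prompt; detection only, no removal is performed.

function Get-TorServiceFindings {
    [CmdletBinding()]
    param(
        # Version the thread names as the client bundled with Sefnit.
        [string]$KnownBadVersion = '0.2.3.25'
    )

    $findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        # Match tor.exe as a file name (preceded by a path separator or quote),
        # so "monitor.exe" or "editor.exe" do not trigger a hit.
        if ($svc.PathName -notmatch '(?i)(^|[\\/"''])tor\.exe') { continue }

        # PathName is the raw service command line: either "quoted path" args
        # or an unquoted path followed by args. Recover the executable path.
        $exe = if ($svc.PathName -match '^\s*"([^"]+)"') { $Matches[1] }
               else { ($svc.PathName.Trim() -split '\s+')[0] }

        $version   = $null
        $hiddenDir = $false
        if (Test-Path -LiteralPath $exe) {
            $version = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
            $dir = Split-Path -Parent $exe
            # -Force is required for Get-Item to return hidden directories.
            $attrs = (Get-Item -LiteralPath $dir -Force).Attributes
            $hiddenDir = ([int]$attrs -band [int][IO.FileAttributes]::Hidden) -ne 0
        }

        # Assumption from the thread: a user-installed Tor Browser lives under
        # the user's profile and never registers a service, so any hit at all
        # is suspect; the extra indicators raise confidence.
        $indicators = @('tor.exe registered as a Windows service')
        if ($hiddenDir) { $indicators += 'binary lives in a hidden directory' }
        if ($version -and $version.StartsWith($KnownBadVersion)) {
            $indicators += "file version $version matches the Sefnit-bundled client"
        }

        [PSCustomObject]@{
            Service     = $svc.Name
            State       = $svc.State
            StartMode   = $svc.StartMode
            Executable  = $exe
            FileVersion = $version
            HiddenDir   = $hiddenDir
            Indicators  = ($indicators -join '; ')
        }
    }
    return $findings
}

$results = Get-TorServiceFindings
if ($results) {
    $results | Format-List
} else {
    Write-Output 'No services running tor.exe were found.'
}
```

A hit with all three indicators is a strong candidate for the Sefnit-added service; a hit with only the first one deserves a look at the service's command line and the account that created it before anything is touched. Removal, if warranted, is the usual sequence of stopping the service and deleting its registration (for example with `sc.exe delete <name>`) followed by a full scan, since the service is the artifact the thread says Microsoft's signature removed, not the infection itself.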
