Microsoft Remotely Deleted Tor From Windows Machines To Stop Botnet

Posted by timothy
from the because-they-can dept.
An anonymous reader writes "Microsoft remotely deleted old versions of Tor anonymizing software from Windows machines to prevent them from being exploited by Sefnit, a botnet that spread through the Tor network. It's unclear how many machines were affected, but the total number of computers on the Tor network ballooned from 1 million to 5.5 million as Sefnit spread. 'By October, the Tor network had dropped two million users thanks to Sefnit clients that had been axed. No one, not even the Tor developers themselves, knew how Microsoft had gone on a silent offensive against such a big opponent and won a decisive battle,' the Daily Dot reported. In a blog post, Microsoft claimed it views Tor as a 'good application,' but leaving it installed presented a severe threat to the infected machines."

  • Battle (Score:5, Insightful)

    by Ksevio (865461) on Thursday January 16, 2014 @06:01PM (#45980105) Homepage

    No one, not even the Tor developers themselves, knew how Microsoft had gone on a silent offensive against such a big opponent and won a decisive battle

    It seems pretty obvious - the people whose machine had Tor removed didn't know it was installed and weren't using it to begin with. When MS removed it, they didn't notice or complain.

  • No killswitch (Score:2, Insightful)

    by Anonymous Coward on Thursday January 16, 2014 @06:05PM (#45980163)

    There's no "killswitch"; it just got added to the definitions for removal. Nothing to see here.

  • Re:Battle (Score:5, Insightful)

    by Hangtime (19526) on Thursday January 16, 2014 @06:11PM (#45980235) Homepage

    Exactly this version of Tor was installed in a non-obvious and non-trivial location to get to and as a service. Microsoft asked the Tor developers "Anybody actually do this?", Answer: "Nope.". Microsoft then nuked the rogue Tor apps either through Microsoft Security Essentials or through Malicious Software Tool removal app.

  • Re:Exactly how???? (Score:4, Insightful)

    by cyberspittle (519754) on Thursday January 16, 2014 @06:25PM (#45980335) Homepage

    Windows Update - malicious software removal tool. When you install Windows, or other Microsoft software, you agree to the End User License Agreement (EULA). There is nothing unusual about this. If the EULA is not agreeable, another OS should be installed.

  • Re:Next... (Score:4, Insightful)

    by LinuxIsGarbage (1658307) on Thursday January 16, 2014 @06:27PM (#45980357)


    MS deletes Firefox, saying it was used to infect millions of computers.

    Microsoft only deleted the install used as part of Sefnit. They didn't disable legitimate installs, and they're not out to squash your freedom. From the blog:

    The Tor client service left behind on a previously-infected machine may seem harmless at first glance - Tor is a good application used to anonymize traffic and usually poses no threat. Unfortunately, the version installed by Sefnit is v0.2.3.25 – and does not self-update. The latest Tor release build at the time of writing is v0.2.4.20.

  • by mythosaz (572040) on Thursday January 16, 2014 @06:30PM (#45980391)

    While the intention was definitely good, I personally would not want to use a machine that could be remotely accessed in such a manner.

    Well you're in luck!

    Using the Malicious Software Removal Tool is entirely voluntary.

  • by PhunkySchtuff (208108) <kai@automatica. c o> on Thursday January 16, 2014 @06:35PM (#45980435) Homepage

    Some people find TOR using a Chrome browser. Should they have the authority to remove that too only to tell you about it later in a blog?

    No, of course not. Old, known-bad versions of TOR that have numerous exploits active in the wild are removed. Not Chrome browser as it's not malicious software.

    To quote another poster a few threads down:

    If a PC was infected with Sefnit and had the signature old version of Tor in the hidden location, Tor was removed because it's logically the case that Tor was just part of the virus payload. Because of the unique install directory, there wasn't even a remote chance for false positives. Publicly available tools that can be used for good or bad are hijacked by viruses all the time, and it's never a surprise if an anti-virus removes that tool when the virus specific files are removed.

  • by Fluffeh (1273756) on Thursday January 16, 2014 @06:49PM (#45980555)

    I would go one step further - and say that if you are REALLY on top of your game, then you would have noticed this malware running on your system, removed it yourself and the "eViL WiNdOwS" Malicious Software Removal Tool would have done nothing to your PC anyhow.

    If you aren't on the ball enough to notice that your system has become infected, don't be so quick to anger when someone else removes the problem on your behalf.

  • by bloodhawk (813939) on Thursday January 16, 2014 @08:02PM (#45981121)

    Perhaps you should try something original... like reading the actual article.

  • by Anonymous Coward on Thursday January 16, 2014 @08:20PM (#45981271)


    "Microsoft Remotely Deleted Tor From Windows Machines To Stop Botnet" with no context screams "we can just remote into your system whenever we like". Having an infected client added to the malware list seems like a really responsible way to react to the threat.

    That being said, I'm still pretty sure they can just remote in whenever they like...
