Microsoft Remotely Deleted Tor From Windows Machines To Stop Botnet
An anonymous reader writes "Microsoft remotely deleted old versions of Tor anonymizing software from Windows machines to prevent them from being exploited by Sefnit, a botnet that spread through the Tor network. It's unclear how many machines were affected, but the total number of computers on the Tor network ballooned from 1 million to 5.5 million as Sefnit spread. 'By October, the Tor network had dropped two million users thanks to Sefnit clients that had been axed. No one, not even the Tor developers themselves, knew how Microsoft had gone on a silent offensive against such a big opponent and won a decisive battle,' the Daily Dot reported. In a blog post, Microsoft claimed it views Tor as a 'good application,' but leaving it installed presented a severe threat to the infected machines."
Battle (Score:5, Insightful)
No one, not even the Tor developers themselves, knew how Microsoft had gone on a silent offensive against such a big opponent and won a decisive battle
It seems pretty obvious - the people whose machines had Tor removed didn't know it was installed and weren't using it to begin with. When MS removed it, they didn't notice or complain.
No killswitch (Score:2, Insightful)
There's no "killswitch"; it just got added to the definitions for removal. Nothing to see here.
Re:Battle (Score:5, Insightful)
Exactly. This version of Tor was installed as a service, in a non-obvious location that is non-trivial to get to. Microsoft asked the Tor developers, "Anybody actually do this?" Answer: "Nope." Microsoft then nuked the rogue Tor apps either through Microsoft Security Essentials or through the Malicious Software Removal Tool.
Re:Next... (Score:4, Insightful)
Upcoming:
MS deletes Firefox, saying it was used to infect millions of computers.
Microsoft only deleted the install used as part of Sefnit. They didn't disable legitimate installs, and they're not out to squash your freedom. From the blog:
http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx
The Tor client service left behind on a previously-infected machine may seem harmless at first glance - Tor is a good application used to anonymize traffic and usually poses no threat. Unfortunately, the version installed by Sefnit is v0.2.3.25 – and does not self-update. The latest Tor release build at the time of writing is v0.2.4.20.
Re:Not sure how I feel about this... (Score:4, Insightful)
While the intention was definitely good, I personally would not want to use a machine that could be remotely accessed in such a manner.
Well you're in luck!
Using the Malicious Software Removal Tool is entirely voluntary.
Re:A Microsoft Killswitch (Score:5, Insightful)
Some people find TOR using a Chrome browser. Should they have the authority to remove that too only to tell you about it later in a blog?
No, of course not. Old, known-bad versions of TOR that have numerous exploits active in the wild are removed. Not the Chrome browser, as it's not malicious software.
To quote another poster a few threads down:
If a PC was infected with Sefnit and had the signature old version of Tor in the hidden location, Tor was removed because it's logically the case that Tor was just part of the virus payload. Because of the unique install directory, there wasn't even a remote chance for false positives. Publicly available tools that can be used for good or bad are hijacked by viruses all the time, and it's never a surprise if an anti-virus removes that tool when the virus specific files are removed.
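As an added example (not from the article, from any poster, or from Microsoft), here is a PowerShell check that applies the logic described above from the defender's side: list the Windows services that run tor.exe and flag any copy at or below the version Sefnit installed. It assumes tor.exe carries a file-version resource; it does not check for the Sefnit install directory, since the page does not name it.

```powershell
# Added example: hunt for Tor running as a Windows service and compare its version
# against the two numbers quoted from the MMPC blog. Not Microsoft's detection logic.
$SefnitBundledVersion = [version]'0.2.3.25'   # version Sefnit dropped, does not self-update
$CurrentVersion       = [version]'0.2.4.20'   # latest release at the time of the blog post

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # A service ImagePath is either quoted ("C:\dir\tor.exe" -f torrc) or bare (C:\dir\tor.exe -f torrc)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Test-SuspectTorService {
    param([string]$Name, [string]$PathName, [string]$StartMode)
    $exe = Get-ServiceBinaryPath $PathName
    # Only services whose binary is tor.exe are of interest (comparison is case-insensitive)
    if ([IO.Path]::GetFileName($exe) -ne 'tor.exe') { return $null }

    $ver = $null
    if (Test-Path -LiteralPath $exe) {
        # Assumption: the binary has a version resource; unparsable or missing versions stay $null
        $fv = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
        if ($fv) { try { $ver = [version]$fv } catch { $ver = $null } }
    }

    [pscustomobject]@{
        Service   = $Name
        Binary    = $exe
        StartMode = $StartMode
        Version   = $ver
        # Unknown version or the Sefnit-era version (or older) is suspect; a current build is not
        Suspect   = ($null -eq $ver) -or ($ver -le $SefnitBundledVersion)
        Outdated  = ($null -ne $ver) -and ($ver -lt $CurrentVersion)
    }
}

# A Tor service the machine's owner never set up is the Sefnit pattern the thread describes
Get-CimInstance Win32_Service |
    ForEach-Object { Test-SuspectTorService -Name $_.Name -PathName $_.PathName -StartMode $_.StartMode } |
    Where-Object { $_ } |
    Format-Table -AutoSize
```

Run it in an elevated session so every service's ImagePath is readable; a flagged entry is a lead for manual review, not by itself proof of Sefnit.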
Re:A Microsoft Killswitch (Score:5, Insightful)
I would go one step further - and say that if you are REALLY on top of your game, then you would have noticed this malware running on your system, removed it yourself and the "eViL WiNdOwS" Malicious Software Removal Tool would have done nothing to your PC anyhow.
If you aren't on the ball enough to notice that your system has become infected, don't be so quick to anger when someone else removes the problem on your behalf.
Re:A Microsoft Killswitch (Score:2, Insightful)
*whew*
"Microsoft Remotely Deleted Tor From Windows Machines To Stop Botnet" with no context screams "we can just remote into your system whenever we like". Having an infected client added to the malware list seems like a really responsible way to react to the threat.
That being said, I'm still pretty sure they can just remote in whenever they like...