
Update: Microsoft apparently DID NOT remove vulnerable versions of Tor from systems infected with the Sefnit malware. “A Microsoft Spokesperson” clarified:

Microsoft Malware Protection Center (MMPC) has protections to remove the services started by the Sefnit malware, but it does not uninstall Tor, remove any Tor binaries, or prevent users from using Tor.

Also, this video has third-party confirmation from Jacob Appelbaum and Roger Dingledine, both members of the Tor Project, discussing Microsoft’s “clean-up” efforts regarding Sefnit. In the video, Appelbaum mentioned that Microsoft removed the Sefnit-added Tor clients as part of those efforts. However, Dingledine immediately clarified, stating “they actually removed the bot and left the Tor clients because they weren’t sure whether they should remove it,” to which Appelbaum responded “whoops.”

Original article:

In a bold move to combat the Sefnit botnet, also known as ZeroAccess, Microsoft has stealthily removed outdated Tor software from as many as two million systems remotely, without obtaining consent from the systems’ owners, according to reports.

Late last summer, the anonymizing Tor network experienced an unprecedented spike in users, a 600% increase. Many speculated it was a response to the NSA surveillance allegations, but that was not the case.

Researchers soon determined that the sudden increase was due to a Tor-based malware called Sefnit, which was infecting a large number of systems to create a botnet that criminal organizations could leverage for bitcoin mining and click-fraud operations.

Further investigation determined that when users downloaded software offerings such as Browser Protector and FileScout, they were unwittingly also installing Sefnit modules and a vulnerable version of Tor.

“The security problem lies in the fact that during a Sefnit component infection, the Tor client service is also silently installed in the background. Even after Sefnit is removed, unless specific care is taken, the Tor service will be left and still regularly connect to the Tor Network,” researchers found.

Given the large number of systems involved, Microsoft decided to act on its own to remove the infections by updating the antimalware engine in all of its security software, including provisions to remove the vulnerable Tor versions.

“Even after Sefnit is removed, unless specific care is taken, the Tor service will be left and still regularly connect to the Tor Network. This is a problem not only for the workload it applies to the Tor Network, but also for the security of these computers,” Microsoft said.

In December, the Microsoft Digital Crimes Unit, working in collaboration with Europol’s European Cybercrime Centre (EC3), the Federal Bureau of Investigation (FBI) and unidentified organizations in the technology industry, announced that they had successfully disrupted the Sirefef botnet, also known as ZeroAccess.

Using a legal strategy that has succeeded in previous botnet takedowns, Microsoft filed a lawsuit against the botnet’s operators to obtain an injunction preventing communications between zombie computers in the U.S. and IP addresses connected to the botnet, and took control of 49 associated domains.

Previously, Microsoft was instrumental in the Rustock botnet takedown, which was estimated to have controlled between 250,000 and 1,000,000 computers, as well as in the shutdown of the Waledac botnet and the massive Zeus Trojan botnet.
