Microsoft Remotely Deleted Tor From Windows Machines To Stop Botnet

← Back to Stories (view on slashdot.org)

Microsoft Remotely Deleted Tor From Windows Machines To Stop Botnet

Posted by timothy on Thursday January 16, 2014 @09:57AM from the because-they-can dept.

An anonymous reader writes "Microsoft remotely deleted old versions of Tor anonymizing software from Windows machines to prevent them from being exploited by Sefnit, a botnet that spread through the Tor network. It's unclear how many machines were affected, but the total number of computers on the Tor network ballooned from 1 million to 5.5 million as Sefnit spread. 'By October, the Tor network had dropped two million users thanks to Sefnit clients that had been axed. No one, not even the Tor developers themselves, knew how Microsoft had gone on a silent offensive against such a big opponent and won a decisive battle,' the Daily Dot reported. In a blog post, Microsoft claimed it views Tor as a 'good application,' but leaving it installed presented a severe threat to the infected machines."

214 comments

Min score:

Reason:

Sort:

A Microsoft Killswitch by gishzida · 2014-01-16 09:59 · Score: 2, Interesting

Who knew?
1. Re:A Microsoft Killswitch by BasilBrush · 2014-01-16 10:04 · Score: 5, Informative
  
  So called Anti-virus software is a kill switch. So everyone who knew their Windows PC was running Windows Security Essentials or any of the other Microsoft AV products knew.
2. Re:A Microsoft Killswitch by Anonymous Coward · 2014-01-16 10:04 · Score: 2, Informative
  
  "Despite the warnings about the privacy of Windows users from Jacob Appelbaum while on stage in Germany, Lewman seems less concerned. He surmises that Microsoft used its Microsoft Security Essentials software to eliminate the programs, a program users must install themselves."
3. Re:A Microsoft Killswitch by LinuxIsGarbage · 2014-01-16 10:07 · Score: 5, Informative
  
  Who knew?
  "Malicious Software Removal Tool" has been a Windows update for years. (Since 2005 http://en.wikipedia.org/wiki/Windows_Malicious_Software_Removal_Tool) What did you think it did? You have the option of not running it. If the update is selected / run it is a local program run one time after updates are installed that "checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month."
  http://www.microsoft.com/en-ca/download/malicious-software-removal-tool-details.aspx
4. Re:A Microsoft Killswitch by mechtech256 · 2014-01-16 10:10 · Score: 5, Interesting
  
  This doesn't sound much different to any other anti-virus removal. Microsoft almost certainly used the Microsoft Security Essential update to kill Sefnit, as they do with so many other viruses.
  "the total number of computers on the Tor network ballooned from 1 million to 5.5 million as Sefnit spread"
  These weren't dedicated Tor nodes that were taken offline because they were being used for malicious purposes, these were infected PCs with a virus that used Tor as the communication protocol. An outdated and vulnerable version of Tor was hidden in a "location that almost no human user would"
  If a PC was infected with Sefnit and had the signature old version of Tor in the hidden location, Tor was removed because it's logically the case that Tor was just part of the virus payload. Because of the unique install directory, there wasn't even a remote chance for false positives. Publicly available tools that can be used for good or bad are hijacked by viruses all the time, and it's never a surprise if an anti-virus removes that tool when the virus specific files are removed.
5. Re:A Microsoft Killswitch by number17 · 2014-01-16 10:25 · Score: -1, Troll
  
  What did you think it did? You have the option of not running it.
  The technical information doesn't exactly say it removes TOR or any particular version:
  
  Additional information
  The Sefnit family is known to use Tor or SSH provided by PuTTY as its C&C communication channel.
  
  Some variants add a Tor service under the display name "Tor Win32 Service". This a legitimate service that is used by the trojan to anonymize it’s network traffic.
  
  Since August 2013, there has been a considerable increase in the Tor network's incoming connecting users - this is believed to be as result of the Sefnit family using Tor for its C&C communication. This is shown in the following graph from the Tor metrics portal:
  Some people find TOR using a Chrome browser. Should they have the authority to remove that too only to tell you about it later in a blog?
6. Re:A Microsoft Killswitch by timeOday · 2014-01-16 10:26 · Score: 4, Interesting
  
  A spam black hole is exactly the same thing, and so is gmail's spam filter. If some things are in and some are out, then somebody somewhere made that call.
  I am actually appreciating more and more, in retrospect, how non-intrusive Microsoft was for all those years and still is. Compared to today's Internet, and the PowerBook that wants a credit card number before I can even do a software update or download XCode (since it's all linked to the App Store now), Microsoft was/is a model of responsibility.
7. Re:A Microsoft Killswitch by mythosaz · 2014-01-16 10:28 · Score: 2
  
  Well, you grant it that authority, so unless you're suggesting you shouldn't have that authority, I don't know what your point is.
8. Re:A Microsoft Killswitch by PhunkySchtuff · 2014-01-16 10:35 · Score: 5, Insightful
  
  Some people find TOR using a Chrome browser. Should they have the authority to remove that too only to tell you about it later in a blog?
  No, of course not. Old, known-bad versions of TOR that have numerous exploits active in the wild are removed. Not Chrome browser as it's not malicious software.
  To quote another poster a few threads down
  
  If a PC was infected with Sefnit and had the signature old version of Tor in the hidden location, Tor was removed because it's logically the case that Tor was just part of the virus payload. Because of the unique install directory, there wasn't even a remote chance for false positives. Publicly available tools that can be used for good or bad are hijacked by viruses all the time, and it's never a surprise if an anti-virus removes that tool when the virus specific files are removed.
  
  --
  Specialist Mac support for creative pros, Melbourne
9. Re:A Microsoft Killswitch by CohibaVancouver · 2014-01-16 10:35 · Score: 5, Funny
  
  I'm sorry, but your thoughtful and well-written response is counter to the "Me hate Microsoft me LOVE TOR" groupthink on Slashdot, where facts are irrelevant and just muddy the waters.
  
  Please move along.
  
  (You're welcome to join me as I sit quietly in the corner, waiting to get modded down to troll.)
10. Re:A Microsoft Killswitch by Dracolytch · 2014-01-16 10:37 · Score: 5, Informative
  
  Did some more digging. Here are the details (from http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx) :
  Cleanup efforts
  Since the Sefnit-caused Tor eruption in August, we have worked to curb this risk. In this process, we consulted with Tor project developers to help plan the cleanup. We retroactively remediated machines that had previously been cleaned of Sefnit but still had a Sefnit-added Tor service:
  October 27, 2013: We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.
  November 12, 2013: Signature and remediation is included in Malicious Software Removal Tool and delivered through Windows Update/Microsoft Update.
  
  --
  This sig has been enciphered with a one-time pad. It could say almost anything.
11. Re:A Microsoft Killswitch by exomondo · 2014-01-16 10:41 · Score: 5, Informative
  
  Some people find TOR using a Chrome browser. Should they have the authority to remove that too only to tell you about it later in a blog?
  RTFA:
  "To fight back, Microsoft remotely removed the program from as many computers as it could, along with the Tor clients it used."
  Sounds like they removed the malware and the files it downloaded.
12. Re:A Microsoft Killswitch by Anonymous Coward · 2014-01-16 10:47 · Score: 0
  
  Holy shit, they did something right.
13. Re:A Microsoft Killswitch by Fluffeh · 2014-01-16 10:49 · Score: 4, Insightful
  
  I would go one step further - and say that if you are REALLY on top of your game, then you would have noticed this malware running on your system, removed it yourself and the "eViL WiNdOwS" Malicious Software Removal Tool would have done nothing to your PC anyhow.
  If you aren't on the ball enough to notice that your system has become infected, don't be so quick to anger when someone else removes the problem on your behalf.
  
  --
  Moved to http://soylentnews.org/. You are invited to join us too!
14. Re:A Microsoft Killswitch by Bacon+Bits · 2014-01-16 10:49 · Score: 5, Informative
  
  Should they have the authority to remove that too only to tell you about it later in a blog?
  Microsoft Security Essentials is antivirus software. By definition it must have the authority to remove, isolate, disable, and delete software from your computer. The computer owners installed MS Security Essentials precisely to perform this specific service.
  Have any Tor installations been removed that were not associated with Sefnit? It appears to me that the only software that was removed was the specific version of Tor that Sefnit used and, in most cases, when the Tor client has been installed a system service (which is very, very non-standard). MS did not remove the most recent version of the client.
  You're just spreading FUD about a non-story. This is less interesting than all those stories about antivirus false positives rendering Windows unable to boot.
  
  --
  The road to tyranny has always been paved with claims of necessity.
15. Re:A Microsoft Killswitch by nemesisrocks · 2014-01-16 10:51 · Score: 5, Informative
  
  He surmises that Microsoft used its Microsoft Security Essentials software to eliminate the programs, a program users must install themselves.
  Or he could read Microsoft's own statement, where they say exactly how they eliminated Tor:
  
  October 27, 2013: We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.
  November 12, 2013: Signature and remediation is included in Malicious Software Removal Tool and delivered through Windows Update/Microsoft Update.
16. Re:A Microsoft Killswitch by OneAhead · 2014-01-16 11:01 · Score: 5, Informative
  
  If you RTFA, you will find that the Microsoft guys first figured out that Sefnit installs Tor in a very specific, unusual way in very specific, unusual location, then contacted the Tor developers to ask if there is any chance a legitimate user would do the same thing. Only then, they proceeded to remove Tor versions that were installed in this very specific way and location. Without any doubt, one of their operating parameters was to avoid collateral damage at all cost; if they screwed up, they could have caused the Microsoft PR disaster of the decade (and boy, is there stiff competition for that title).
17. Re:A Microsoft Killswitch by LordLimecat · 2014-01-16 11:53 · Score: 0
  
  Its not gonna stop a slew of comments on how Microsoft is violating user rights or whatever.
18. Re:A Microsoft Killswitch by Anonymous Coward · 2014-01-16 12:05 · Score: 0
  
  Hey jackass,
  I 'm just reading comment at a high level and almost everything I'm seeing is proMS on this move, so take your pity party and shove it.
19. Re:A Microsoft Killswitch by McDutchie · 2014-01-16 12:14 · Score: 1
  
  prevalent malicious software (including Blaster, Sasser, and Mydoom)
  Yup, that's 2005 alright. Or even 2004 and 2003.
  Hardly inspires confidence that they haven't updated the description in nearly a decade.
20. Re:A Microsoft Killswitch by Anonymous Coward · 2014-01-16 12:20 · Score: 0
  
  It kind of saddens me that this was ranked as Funny. I mean it is kinda funny, but it's also true. A botnet is a widespread virus that acts as a "swarm", it only makes sense for them to do this. If you're worried about your files being periodically scanned then don't run an anti-virus... because that's how they work. Once they find one that meets their "signature", which can be a file hash (unique identifier for a file), a registry key, certain code instructions, etc., it removes/flags them. For a botnet that is spreading then the only way to kill it is to do it all at once. Unfortunately, as someone who works in IT, waiting for someone to remove the virus isn't good enough... as they can last for a really long time due to incompetent admins or users that aren't aware.
21. Re:A Microsoft Killswitch by Anonymous Coward · 2014-01-16 12:20 · Score: 2, Insightful
  
  *whew*
  "Microsoft Remotely Deleted Tor From Windows Machines To Stop Botnet" with no context screams "we can just remote into your system whenever we like". Having an infected client added to the malware list seems like a really responsible way to react to the threat.
  That being said, I'm still pretty sure they can just remote in whenever they like...
22. Re:A Microsoft Killswitch by scottbomb · 2014-01-16 12:43 · Score: 1
  
  MOD THIS UP. We may have been suckered by the news media (once again) trying to make much ado about nothing. Show us a story about MS deleting software people actually installed. THAT would be a story.
23. Re:A Microsoft Killswitch by Anonymous Coward · 2014-01-16 12:48 · Score: -1
  
  The OS is set to that automatically with the Windows update feature (automatically downloads 360 Megabytes of OS updates each night (about 4-5 hours on a 128K internet connection), then spends another four hours doing something with those files, then stops suddenly, switches the PC off and takes another couple of hours in an attempt to recover from whatever it failed to do last time.
  Then all the other components will also try and update; device drivers, applications, virus scanners. Anything tagged as a "virus" will automatically be disabled and quarantined. Even a system performance test will get flagged as "suspicious behavior" because it it using too much CPU power.
24. Re:A Microsoft Killswitch by AK+Marc · 2014-01-16 13:07 · Score: 1
  
  Some people find TOR using a Chrome browser. Should they have the authority to remove that too only to tell you about it later in a blog?
  The user granted Microsoft permission to do so with the installation of a security program, and there is an indication that only the Sefnit installed Tor was affected. How is it bad for a security program to remove botnet C&C? Oh, because Microsoft did it.
  
  --
  Learn to love Alaska
25. Re:A Microsoft Killswitch by Anonymous Coward · 2014-01-16 13:50 · Score: 0
  
  You install Windows updates. Microsoft can ship an update that deletes files on the machine, because you are giving them kernel-level control of your machine (really - they can ship NT kernel updates if they feel like it) You install Microsoft Security Essentials and update your signatures. MSE is a program designed specifically to delete malicious programs as identified as Microsoft. That's what anti-virus programs do; that's what security updates do. If you think this is too much then you should be considering FOSS yesterday.
26. Re:A Microsoft Killswitch by Runaway1956 · 2014-01-16 14:16 · Score: 2
  
  Bingo. In those years that I ran Windows, I always had a good idea of how my machine was running, how it was using resources, and what was calling for those resources. In the earlier days of virus infections, I seldom recognized a virus, and virus detectors failed to identify viruses. But, the fact that 60%+ of system resources were devoted to something that I couldn't identify was a sure tipoff.
  
  --
  "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
27. Re:A Microsoft Killswitch by sharknado · 2014-01-16 15:19 · Score: 1
  
  Huh. I've never thought of it that way...using an antivirus program as a kill switch. *puts on a tin foil hat*
28. Re:A Microsoft Killswitch by Anonymous Coward · 2014-01-16 16:11 · Score: 0
  
  Indeed, I can download TOR in about 3 1/2 seconds and I'd gladly download it again over having a virus I did not know about.
29. Re:A Microsoft Killswitch by __aaltlg1547 · 2014-01-16 16:42 · Score: 1
  
  It wasn't necessarily done through Security Essentials. It might have been done through Windows Update.
30. Re:A Microsoft Killswitch by __aaltlg1547 · 2014-01-16 16:45 · Score: 2
  
  They can certainly target any software they like by the same methods. I can't see them going after legitl software that you installed yourself on purpose. That would open them up to the mother of all anti-trust lawsuits. Going after what everybody agrees are bad guys is safe.
31. Re:A Microsoft Killswitch by bill_mcgonigle · 2014-01-16 16:54 · Score: 2
  
  Not Chrome browser as it's not malicious software.
  Hypothetically, one could write a botnet client that ran under Chrome's native code (making it platform-specific to Chrome). The results would be interesting on several axes - I'm sure Microsoft is praying nobody does that. The Shadows(b5) would write one to see what happens.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
32. Re:A Microsoft Killswitch by morgauxo · 2014-01-16 17:10 · Score: 2, Funny
  
  Hardly! They never could have uninstalled so many that way. Don't you know Windows Update doesn't run on pirated copies of Windows anymore?
33. Re:A Microsoft Killswitch by Anonymous Coward · 2014-01-16 17:28 · Score: 0
  
  That's really funny how my pirated win7 box is up to date then...
34. Re:A Microsoft Killswitch by Jack+Griffin · 2014-01-16 17:44 · Score: 1
  
  I wonder how this same situation would've panned out in a Linux dominated universe?
35. Re:A Microsoft Killswitch by Cenan · 2014-01-16 18:32 · Score: 4, Informative
  
  It might have been done through Windows Update.
  Not at first, although the signature for Tor v0.2.3.25 used in Sefnit was added later to the Malicious Software Removal Tool that Windows Update regularly pushes out.
  
  --
  ... whatever ...
36. Re:A Microsoft Killswitch by Anonymous Coward · 2014-01-16 18:44 · Score: 0
  
  Don't you know Windows Update doesn't run on pirated copies of Windows anymore?
  Oh poor you, maybe you should recheck that fact. Here is a hint, a true pirated copy is 100% original and not even Microsoft themself can tell the difference, LITERALLY.
37. Re:A Microsoft Killswitch by Hal_Porter · 2014-01-16 21:41 · Score: 1
  
  Microsoft Malicious Software Removal Toolkit has always been able to uninstall software. They distribute a version once a month or so through Windows Update.
  http://en.wikipedia.org/wiki/Windows_Malicious_Software_Removal_Tool
  They could theoretically use it to remove or update old, unsecure versions of Java, Flash and Acrobat but as far as I know they've never done this, presumably because they fear anti trust action from Adobe and Oracle.
  E.g.
  http://blogs.msdn.com/b/larryosterman/archive/2008/04/16/this-is-the-way-the-world-wide-web-ends.aspx
  
  Robert Hensing linked to a post by Thomas Ptacek over on the Matasano Chargen blog. Thomas (who is both a good hacker AND a good writer) has a writeup of a "game-over" vulnerability that was just published by Mark Dowd over at IBM's ISS X-Force that affects Flash. For those that don't speak hacker-speak, in this case, a "game-over" vulnerability is one that can be easily weaponized (his techniques appear to be reliable and can be combined to run an arbitrary payload). As an added bonus, because it's a vulnerability in Flash, it allows the attacker to write a cross-browser, cross-platform exploit - this puppy works just fine in both IE and Firefox (and potentially in Safari and Opera).
  This vulnerability doesn't affect Windows directly, but it DOES show how a determined attacker can take what was previously thought to be an unexploitable failure (a null pointer dereference) and turn it into something that can be used to 0wn the machine.
  Every one of the "except not quite" issues that Thomas writes about in the article represented a stumbling block that the attacker (who had no access to the source to Flash) had to overcome - there are about 4 of them, but the attacker managed to overcome all of them.
  As far as I know Microsoft have never removed or updated Flash or Java even if it is insecure.
  Since the people who write Tor are unlikely to sue them, I guess they decided it was OK.
  
  --
  echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
38. Re:A Microsoft Killswitch by Xest · 2014-01-16 23:48 · Score: 1
  
  "They can certainly target any software they like by the same methods."
  Not really, all the malicious software has to do going forward is block any incoming updates from Microsoft for their security products.
39. Re: A Microsoft Killswitch by Anonymous Coward · 2014-01-17 00:03 · Score: 0
  
  Come back and find out in 2034, the Year of the Linux Desktop.
40. Re:A Microsoft Killswitch by BlazingATrail · 2014-01-17 00:08 · Score: 0
  
  If you were really the sharpest tool in the shed, you'd stop using such a shitty OS like windows.
41. Re: A Microsoft Killswitch by VTBlue · 2014-01-17 00:40 · Score: 2
  
  So true. I just got modded down from +3 interesting to troll for posing the legal QUESTION of patents and indemnity for Linux in a the previous JP Morgan ATM thread. The stupidest comments got modded up.
42. Re:A Microsoft Killswitch by RaceProUK · 2014-01-17 01:00 · Score: 1
  
  If the description is still accurate (and by my understanding it is), why bother updating it?
  
  --
  No colour or religion ever stopped the bullet from a gun
43. Re:A Microsoft Killswitch by Anonymous Coward · 2014-01-17 01:10 · Score: 0
  
  Lies.
  Most of the time, there's so much bloatware installed, you have no idea what each process is for. For a while, things were so bad, it was easier to monitor what you installed and ignore the anti-xx software because it was hogging more resources than the malware.
  Anyway, Microsoft screwed up. Removing Tor hardly helps, it's a tool used by malware, nothing more, they're not actually removing the malware itself, so, computers remain infected. It's a tipically idiotic Microsoft solution.
  A helicopter was flying around above Seattle yesterday when an electrical malfunction disabled all of the aircraft's electronic navigation and communication equipment. Due to the clouds and haze the pilot could not determine his position or course to steer to the airport. The pilot saw a tall building, flew toward it, circled, drew a handwritten sign and held it in the helicopter's window. The sign said "WHERE AM I ?" in large letters.
  People in the tall building quickly responded to the aircraft, drew a large sign and held it in a building window. Their sign said, "YOU ARE IN A HELICOPTER." The pilot smiled, waved, looked at his map and determine the course to steer to SEATAC (Seattle/Tacoma) airport and landed safely.
  After they were on the ground, the co-pilot asked the pilot how the "YOU ARE IN A HELICOPTER" sign helped determine their position. The pilot responded, "I knew that had to be the MICROSOFT building because they gave me a technically correct but completely useless answer."
44. Re:A Microsoft Killswitch by Anonymous Coward · 2014-01-17 02:11 · Score: 0
  
  You can create an Apple ID for free, just not through the app store interface page. Even microsoft requires you for register to get their free development tools and always has (since they made free versions available) Updates can be downloaded without user IDs directly from Apple, don't use the app store if you don't like its terms. They don't make you, but they really want you to register and give them info.
  Turn in your geek and slashdot card, it takes a single google search to find the offline updaters and how to get into the app store without a CC.
  --BitStream
45. Re:A Microsoft Killswitch by hairyfeet · 2014-01-17 03:30 · Score: 2
  
  What I don't understand is why anybody would get their panties in a bunch over this. I mean how many years did we hear "MS don't do enough to protect its users" while all those worms and bugs ran amok? Now we see MSFT getting rid of a program that 1.- Is out of date, 2.- Many users may not even know they have, 3.- Isn't being used by the users (or else it would have been updated) and most importantly 4.- Is being used in a major malware infection.
  As someone who fixes and sells PCs I can tell you that if you want to have ANY effect against the thousands of new nasties that appear every week you WILL have to do things like in TFA to help remove control and keep things from spreading. Heck most of my customers if they saw the word Tor in the ad remove programs would assume it is something important and would be afraid to touch it.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
46. Re:A Microsoft Killswitch by Anonymous Coward · 2014-01-17 03:33 · Score: 0
  
  They could theoretically use it to remove or update old, unsecure versions of Java, Flash and Acrobat but as far as I know they've never done this, presumably because they fear anti trust action from Adobe and Oracle.
  Also, old versions of these three items might be required for testing or compatibility (certainly Java is sometimes); all can be used safely with known locally stored content.
47. Re:A Microsoft Killswitch by EndlessNameless · 2014-01-17 04:26 · Score: 1
  
  Bloatware leads to one of two conclusions. Either:
  1. The user doesn't understand what his OS and applications do, and so he needs someone to secure his computer for him.
  OR
  2. The user understands the software on his machine, and he can remove what he deems unnecessary.
  The presence of bloatware strongly indicates the person falls into category #1, at least for Windows machines. I also have no problem with the idea that a person could be a guru on one system and a total noob on another.
  The decision to"secure it yourself" vs "let someone secure it for you" includes time, effort, and expertise as considerations. If most people decide to have someone else secure the system, that is probably better anyway. After all, a vast MINORITY of users are IT professionals.
  
  --
  
  ---
  According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
48. Re:A Microsoft Killswitch by Anonymous Coward · 2014-01-17 04:50 · Score: 1
  
  Yes. But that isn't what he is saying.
  He's saying that, save legal problems, MS could add the signature for FireFox or Chrome to the "malicious software removal tool" and Windows' Microsoft Security Essentials will automatically remove them as malware. He's right.
  Technically though, If I were a package developer for an essential part of an Linux, I could add a line or two to my package to do the same thing. Or if I maintained the malware definitions of any Anti Virus.
49. Re:A Microsoft Killswitch by timeOday · 2014-01-17 05:08 · Score: 1
  
  Actually it's not just XCode either... every day it is nagging me to update iPhoto, iMovie, and so on, which require a big intrusive profile creation to do. And of course there is no way to say NO to the update, only "remind me later."
  Yes, I finally broke down and created a new phony ID and got my XCode and my updates without entering any CC info. But it shouldn't be like this in the first place. I resent it.
  And coming back to Microsoft, actually the XBox is adopting all these same spam-ridden tactics. I finally just unplugged our 360 from the Internet because every time we just wanted to play a game it would cajole and threaten us to download more updates and agree to yet another new TOS, change the interface around, and push spam at us. So I guess they are getting with the times as well.
50. Re:A Microsoft Killswitch by Zero__Kelvin · 2014-01-17 05:49 · Score: 1
  
  ". I can't see them going after legitl software that you installed yourself on purpose. "
  Yes. For example, if they removed TOR that would be outrageous, but this is different. Oh, wait ...
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
51. Re:A Microsoft Killswitch by Zero__Kelvin · 2014-01-17 05:55 · Score: 1
  
  "Microsoft Security Essentials is antivirus software. By definition it must have the authority to remove, isolate, disable, and delete software from your computer. "
  It must by definition remove, isolate, and disable malware. Claiming that whatever it removes is fair game is absurd. Maybe I run an old buggy version of something on purpose. I mean, I know that nobody would ever do that, but just imagine if it actually happened. By your logic, M$ can and should remove XP from all systems immediately, as it is an old version known to have many security holes.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
52. Re:A Microsoft Killswitch by Mondor · 2014-01-17 07:28 · Score: 2
  
  A part of every monthly Windows Update is a program called Malicious Software Removal Tool.
53. Re:A Microsoft Killswitch by Anonymous Coward · 2014-01-17 15:11 · Score: 0
  
  Easily defeated: keep the Tor client updated lol
54. Re:A Microsoft Killswitch by Anonymous Coward · 2014-01-17 16:24 · Score: 0
  
  As machines become faster, RAM prices continue to fall, and memory density continues to become greater, the symptoms of an infection are not as easily apparent as they once were. Back in 1995 when I built a machine with a Celeron processor running 333 MHz on a shoestring budget (my first PC), simple popup ads could be enough to impact performance noticeably. On my new machine, I can run very graphically intensive applications that require high performance while browsing the Internet and never notice a stutter.
  It's important that people develop good security and maintenance habits specifically because it's harder to notice a problem these days. But they won't, so they'll have to deal with it when their laziness or apathy is compensated for by a third party to protect others.
55. Re:A Microsoft Killswitch by Kalriath · 2014-01-17 23:45 · Score: 1
  
  As far as I know Microsoft have never removed or updated Flash or Java even if it is insecure.
  Since the people who write Tor are unlikely to sue them, I guess they decided it was OK.
  Oooor... they actually talked to the people who write Tor maybe?
  
  Since the Sefnit-caused Tor eruption in August, we have worked to curb this risk. In this process, we consulted with Tor project developers to help plan the cleanup.
  Ah. So that's exactly what they did. But hey, feel free to keep painting them as evil monopolists.
  
  --
  For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
56. Re: A Microsoft Killswitch by Thundersnatch · 2014-01-18 14:59 · Score: 1
  
  What, exactly do you think Yum/Apt and other FOSS package systems do do? They give the same root permissions to a random package maintaine; an individual who likely would more easily be swayed by the money of organized crime or the NSA than a fairly rich and likely highly audited MSFT employee. As far as I know, there are no audits at all done of the actual binaries distributed by Linux package managers.
57. Re:A Microsoft Killswitch by Nutria · 2014-01-19 02:39 · Score: 1
  
  Back in 1995 when I built a machine with a Celeron processor running 333 MHz
  
  1995 was the era of the 120MHz Pentium. The first Celerons didn't arrive until 1998. Maybe you're thinking of 1999?
  
  --
  "I don't know, therefore Aliens" Wafflebox1
Battle by Ksevio · 2014-01-16 10:01 · Score: 5, Insightful

No one, not even the Tor developers themselves, knew how Microsoft had gone on a silent offensive against such a big opponent and won a decisive battle
It seems pretty obvious - the people who's machine had Tor removed didn't know it was installed and weren't using it to begin with. When MS removed it, they didn't notice or complain.
1. Re:Battle by Hangtime · 2014-01-16 10:11 · Score: 5, Insightful
  
  Exactly this version of Tor was installed in a non-obvious and non-trivial location to get to and as a service. Microsoft asked the Tor developers "Anybody actually do this?", Answer: "Nope.". Microsoft then nuked the rogue Tor apps either through Microsoft Security Essentials or through Malicious Software Tool removal app.
2. Re:Battle by mrbluze · 2014-01-16 10:26 · Score: 1, Interesting
  
  Exactly this version of Tor was installed in a non-obvious and non-trivial location to get to and as a service. Microsoft asked the Tor developers "Anybody actually do this?", Answer: "Nope.". Microsoft then nuked the rogue Tor apps either through Microsoft Security Essentials or through Malicious Software Tool removal app.
  Was the botnet doing anything bad? Or was it just making Tor faster for everyone?
  
  --
  Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
3. Re:Battle by Lehk228 · 2014-01-16 10:31 · Score: 4, Funny
  
  botnets are like furries, inherantly evil.
  
  --
  Snowden and Manning are heroes.
4. Re:Battle by Anonymous Coward · 2014-01-16 10:34 · Score: 1
  
  Yeah, having thousands of Tor entrance and exit nodes under the control of a mysterious botnet sure would speed up the network!
  I mean, it might make you somewhat less anonymous to whoever controlled the botnet, but it's not like that's the whole goddamn point, is it?
5. Re:Battle by gnick · 2014-01-16 10:35 · Score: 5, Informative
  
  Was the botnet doing anything bad? Or was it just making Tor faster for everyone?
  Even if it was doing nothing but running tor in the background, then for people that don't have unlimited bandwidth use yes it was doing something bad.
  
  --
  He's getting rather old, but he's a good mouse.
6. Re:Battle by KingMotley · 2014-01-16 10:37 · Score: 2
  
  Anything bad? As in taking up computer and network resources without authorization? Yes.
7. Re:Battle by girlintraining · 2014-01-16 10:39 · Score: 5, Informative
  
  Was the botnet doing anything bad? Or was it just making Tor faster for everyone?
  Actually, it shit up the network so badly that Tor developers considered it effectively a DDoS attack. During the peak of the infection, the network was effectively unusable, with latencies exceeding that of the typical TCP connection timeout of 120 seconds. As it turns out, using an anonymizing network doesn't translate into knowing how to build a network-aware application that doesn't stomp on its own dick so hard that the only thing the bot-net ever appears to have done was shit up the Tor network -- it does not appear it was ever activated in any meaningful capacity because the botnet owner, having shit the network it connected to, wasn't able to actually send commands to the majority of clients.
  
  --
  #fuckbeta #iamslashdot #dicemustdie
8. Re:Battle by exomondo · 2014-01-16 10:43 · Score: 2
  
  Was the botnet doing anything bad?
  Mining bitcoins.
9. Re:Battle by maxwell+demon · 2014-01-16 10:51 · Score: 1
  
  What if the botnet has the purpose to DDoS Tor?
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
10. Re:Battle by Bacon+Bits · 2014-01-16 10:52 · Score: 2
  
  Your question is answered in TFA. They were mining BitCoins.
  
  --
  The road to tyranny has always been paved with claims of necessity.
11. Re:Battle by complete+loony · 2014-01-16 10:55 · Score: 1
  
  It wouldn't surprise me if the infected machines were so loaded with other malware, that their CPU, RAM, and available bandwidth were all overloaded.
  
  --
  09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
12. Re:Battle by davidbrit2 · 2014-01-16 10:56 · Score: 1
  
  I'm just tinfoil-hatting here, but do we know that wasn't its intended purpose?
13. Re:Battle by Anonymous Coward · 2014-01-16 11:27 · Score: 1
  
  Then cold fjord will be along shortly to tell everyone what a traitor microsoft is for blocking our holy government's attempt to secure our nation by destroying any and all security.
14. Re:Battle by LordLimecat · 2014-01-16 11:57 · Score: 0
  
  I take it you dont understand what a botnet is, or why theyre the bane of the internet.
  For starters: where do you think these "record size DDOS attacks" you keep hearing about come from?
15. Re:Battle by Anonymous Coward · 2014-01-16 12:15 · Score: 0
  
  I think the lesson for malware authors is to activate your node as a relay. This means that you wouldn't overload the network because as you add bots, you add capacity.
16. Re:Battle by Anonymous Coward · 2014-01-16 12:17 · Score: 0
  
  And yet all these nerds complain about freedoms... this is the best customer service anyone's received in a while. Now if only the post office could find a way to stop picking up the mail from the trolls that spam my mailbox...
17. Re:Battle by girlintraining · 2014-01-16 12:37 · Score: 1
  
  I'm just tinfoil-hatting here, but do we know that wasn't its intended purpose?
  Because of the pathetically few hits on honeypots indicated it managed to attempt two things: Bitcoin mining (lol; a couple million infections over a two month period earned him maybe $100), and click fraud... so basically he defrauded two institutions widely regarded as fraudulent in their own right. Woooo.... big achiever.
  
  --
  #fuckbeta #iamslashdot #dicemustdie
18. Re:Battle by Anonymous Coward · 2014-01-16 17:40 · Score: 0
  
  Unlikely. But if that's the case, it still needs to be deleted :)
  Also, I hear they hand out free jail time for DoS attacks. Maybe the author should go claim his!
19. Re:Battle by steelfood · 2014-01-16 20:15 · Score: 2
  
  My tinfoil hat says it worked as intended. Making TOR unusable in this period of time would discourage its use by non-technical computer users who were probably flocking to it for privacy's sake.
  I mean, nobody'd do straight DDOS over TOR because exit nodes are limited and a DDOS just wouldn't happen by definition. And if somebody wanted to do C&C over TOR, wouldn't you think they'd set the zombies up to act as bridges and relays rather than straight clients? The tinfoil hat says this was deliberately done, as a reaction to current events.
  
  --
  "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
20. Re: Battle by VTBlue · 2014-01-17 00:43 · Score: 0
  
  How the hell did your comment get modded troll?
21. Re:Battle by EndlessNameless · 2014-01-17 04:33 · Score: 1
  
  It was mining bitcoins on the slave machines.
  At a minimum, there is an increase in electrical consumption. Also, potentially: slowdowns, overheating, bandwidth overages (some countries have metered internet), misc compatibility issues.
  
  --
  
  ---
  According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
22. Re:Battle by EndlessNameless · 2014-01-17 04:43 · Score: 1
  
  My tinfoil hat says it worked as intended. Making TOR unusable in this period of time would discourage its use by non-technical computer users who were probably flocking to it for privacy's sake.
  Except for the part where MS security researchers asked the Tor devs if this type of installation was normal, and they said "No."
  That's why the tinfoil hat moniker came about in the first place: to identify FUD and other nonsense.
  At the end of the day, the malware got removed, and there was no public outrage from people losing their legitimate Tor installations---because only the bad ones got wiped.
  If you don't run a Microsoft security product and don't choose the Malicious Software Removal Tool from Windows Update, then nothing happens. Granted these are both default options, but if a user doesn't understand enough to choose alternatives that user probably needs both of these tools.
  
  --
  
  ---
  According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
white hats go to jail by Anonymous Coward · 2014-01-16 10:01 · Score: -1

unless your worth billions of dollars
1. Re:white hats go to jail by Anonymous Coward · 2014-01-16 10:24 · Score: 0
  
  now thats some gross spelling their
2. Re:white hats go to jail by Anonymous Coward · 2014-01-16 11:05 · Score: 0
  
  the train of thought will effect us all
3. Re:white hats go to jail by cbiltcliffe · 2014-01-16 13:09 · Score: 1
  
  Maybe it's punctuation:
  
  White hats go to jail unless....your worth: billions of dollars.
  
  --
  "City hall" in German is "Rathaus" Kinda explains a few things......
Anyone surprised? by Anonymous Coward · 2014-01-16 10:02 · Score: -1

Windows Update has doubled as Windows Remote Administration for years.
1. Re:Anyone surprised? by LinuxIsGarbage · 2014-01-16 10:16 · Score: 4, Informative
  
  Windows Update has doubled as Windows Remote Administration for years.
  Microsoft using their security software (Microsoft Security Essentials and Malicious Software Removal Tool) to tackle a real security hazard, while leaving legitimate Tor users unaffected? The horror!
2. Re:Anyone surprised? by Anonymous Coward · 2014-01-16 11:08 · Score: 0
  
  And yum, apt, etc, isn't?
Microsoft... by Anonymous Coward · 2014-01-16 10:02 · Score: -1

By using an unconventional method to exploit Windows, the hackers unwittingly forced Microsoft to show a hand few knew it had: The ability to remotely remove progams en masse from peopleâ(TM)s computers, without them even knowing it.
Maybe the next virus needs to remove Windows from all of those machines.
1. Re:Microsoft... by Anonymous Coward · 2014-01-16 10:08 · Score: 0
  
  Stamp out the virus, install Linux!
2. Re:Microsoft... by Anonymous Coward · 2014-01-16 10:11 · Score: 0
  
  This year!
3. Re:Microsoft... by viperidaenz · 2014-01-16 10:15 · Score: 1
  
  It's 1996, the year of the linux desktop!
4. Re:Microsoft... by lister+king+of+smeg · 2014-01-16 10:28 · Score: 1
  
  By using an unconventional method to exploit Windows, the hackers unwittingly forced Microsoft to show a hand few knew it had: The ability to remotely remove progams en masse from peopleâ(TM)s computers, without them even knowing it.
  Maybe the next virus needs to remove Windows from all of those machines.
  hmm how hard would it be to write virus capable using windows update to install linux bsd etc on all of those unpatched xp machines
  
  --
  ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
5. Re:Microsoft... by CohibaVancouver · 2014-01-16 10:43 · Score: 1
  
  The ability to remotely remove progams en masse from people's computers, without them even knowing it.
  What the smeg do you think anti-malware software DOES day in and day out? Removing a program without impacting the user is exactly what these programs are supposed to do.
6. Re:Microsoft... by LordLimecat · 2014-01-16 11:59 · Score: 1
  
  I dunno, how hard is it to compromise the official debian repository? And whats the budget disparity between the folks running Windows Update servers and the Debian repos?
  Im thinking "hard".
7. Re:Microsoft... by AK+Marc · 2014-01-16 13:19 · Score: 1
  
  Back in the '90s it would send a warning for every blocked/removed item. But these days, the constant barrage from the average user's machine and browsing habits would have them turning it off. So it's more a wake up call that all AV (yes, sadly, all malware is now a "virus") removes things silently, unless manually configured otherwise. That's only news to people that don't know IT.
  
  --
  Learn to love Alaska
Security Patch by eedwardsjr · 2014-01-16 10:02 · Score: 2

There is always the possibility it could have been executed through the security patch subsystem. It has the capacity to execute scripts/executables.
1. Re:Security Patch by PCM2 · 2014-01-16 10:07 · Score: 5, Funny
  
  Yeah ... when every few weeks or so Windows Update tells me it's going to download something called the Malicious Software Removal Tool, I've always wondered what it did. We might have a few new clues here.
  
  --
  Breakfast served all day!
2. Re:Security Patch by Anonymous Coward · 2014-01-16 10:08 · Score: 0
  
  Entirely possible. I've noticed usability of my systems have been reduced after a patch Tuesday event.
3. Re:Security Patch by Ecuador · 2014-01-16 12:37 · Score: 1
  
  Hmm, I always read it as: "Malicious, Software Removal Tool" and opted out to avoid having it maliciously remove my software. I would even be shocked that MS would even propose such a thing, but I read slashdot, so I did expect such and worse...
  But in retrospect, perhaps you are right, and it is just a Tool that removes Malicious Software?
  Honest mistake, I mean that's how Pythia had all the success...
  
  --
  Violence is the last refuge of the incompetent. Polar Scope Align for iOS
4. Re:Security Patch by McFly777 · 2014-01-17 07:38 · Score: 1
  
  MSRT could also be MicroSoft Removal Tool... but that would just be a Linux install disk of whatever flavor you choose.
  
  --
  
  McFly777
  - - -
  "What do people mean when they say the computer went down on them?" -Marilyn Pittman
Next... by TechwoIf · 2014-01-16 10:03 · Score: -1, Troll

Upcoming: MS deletes Firefox, saying it was used to infect millions of computers.
1. Re:Next... by Anonymous Coward · 2014-01-16 10:13 · Score: -1
  
  There are some older versions of Firefox which probably could stand to be removed.
2. Re:Next... by Anonymous Coward · 2014-01-16 10:21 · Score: 0
  
  Upcoming:
  MS deletes Firefox, saying it was used to infect millions of computers.
  I would make the obvious joke about how everyone uses Chrome nowadays, but given how behind the times Microsoft usually is, I'm now wondering why you didn't take the angle of them deleting Netscape Navigator.
3. Re:Next... by LinuxIsGarbage · 2014-01-16 10:27 · Score: 3, Insightful
  
  Upcoming:
  MS deletes Firefox, saying it was used to infect millions of computers.
  Microsoft only deleted the install used as part of Sefnit. They didn't disable legitimate installs, and they're not out to squash your freedom. From the blog:
  http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx
  
  The Tor client service left behind on a previously-infected machine may seem harmless at first glance - Tor is a good application used to anonymize traffic and usually poses no threat. Unfortunately, the version installed by Sefnit is v0.2.3.25 – and does not self-update. The latest Tor release build at the time of writing is v0.2.4.20.
4. Re:Next... by Anonymous Coward · 2014-01-16 11:56 · Score: -1
  
  Upcoming:
  MS deletes Firefox, saying it was used to infect millions of computers.
  Upcoming: MS deletes Firefox, Safari, Chrome, and any other "free" internet software it can find on your machine because it was identified by an Irish politician as being the "cause of child porn, tax evasion, and other issues".
5. Re:Next... by Anonymous Coward · 2014-01-16 13:04 · Score: 0
  
  Upcoming: MS deletes Firefox, saying it was used to infect millions of computers.
  I'm moderating, but I didn't moderate your post. Whether you realise it or not, MS have done similar things in the past, just not with the software in discussion.
  Sorry about your "troll" rating, it's wrong, but I don't think it's important enough to use any of my moderator points correcting it.
  ~ Demonoid Penguin
6. Re:Next... by vlueboy · 2014-01-16 18:40 · Score: -1, Troll
  
  Upcoming:
  MS deletes Firefox, saying it was used to infect millions of computers.
  Microsoft only deleted the install used as part of Sefnit. They didn't disable legitimate installs, and they're not out to squash your freedom.
  Which does not prevent them from dumping extension garbage silently in Firefox. I forget if they do the same with Silverlight and .Net.
  It seems they calmed down since 2010, but I still have or see it in some old systems, which we all know are going to stick around forever given Windows XP + Firefox's tag team.
  Losing potential search hits due to Bing search redirects is probably why Chrome 25 introduced blocking of these silent extensions.
No killswitch by Anonymous Coward · 2014-01-16 10:05 · Score: 2, Insightful

there's no "killswitch" it just got added to the definitions for removal. nothing to see here.
Nothing to see here... by Hangtime · 2014-01-16 10:06 · Score: -1, Redundant

Good security move by Microsoft. We don't know exactly how the rogue applications were eliminated, but good chance it was Microsoft Security Essentials. This was the equivalent of Symantec and McAfee removing a virus only difference was it was Microsoft this time.
1. Re:Nothing to see here... by BasilBrush · 2014-01-16 10:12 · Score: 5, Informative
  
  Well we do know if we bother to RTFA.
2. Re:Nothing to see here... by LinuxIsGarbage · 2014-01-16 10:29 · Score: 4, Informative
  
  Well we do know if we bother to RTFA.
  Indeed
  
  Since the Sefnit-caused Tor eruption in August, we have worked to curb this risk. In this process, we consulted with Tor project developers to help plan the cleanup. We retroactively remediated machines that had previously been cleaned of Sefnit but still had a Sefnit-added Tor service:
  October 27, 2013: We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.
  November 12, 2013: Signature and remediation is included in Malicious Software Removal Tool and delivered through Windows Update/Microsoft Update.
3. Re:Nothing to see here... by AK+Marc · 2014-01-16 13:35 · Score: 1
  
  The first cleaning took out the main virus, but missed the C&C hidden in a legitimate program. The second clean removed the virus's C&C, affecting no uninfected computers. How is that news?
  
  --
  Learn to love Alaska
Windows Update by cyberspittle · 2014-01-16 10:08 · Score: 1

Malicious software removal tool.
Not sure how I feel about this... by Alex+Vulpes · 2014-01-16 10:10 · Score: -1

While the intention was definitely good, I personally would not want to use a machine that the could be remotely accessed in such a mannter.

True, something like anti-virus software self-updating and removing a threat would be acceptable to most users. But this is more akin buying a car and discovering the manufacturer has a master key and a representative can come over and drive it around whenever he/she wants, and it's fully legal and you can't do anything about it.

In the end, for better or for worse, I think it's important that we actually own the devices we buy and pay for. Cases like this, and similar ones with Kindles and mobile devices remotely being accessed and modified or used to spy on us, are strong evidence that we do not. (I know that this particular case is not a big deal in of itself, but the fact that Microsoft can do what it did is not good news.)
1. Re:Not sure how I feel about this... by BasilBrush · 2014-01-16 10:15 · Score: 5, Informative
  
  This is no different from anti-virus, because it WAS the Microsoft anti-virus tool that did it. A specific version of TOR in a specific hidden directory being part of the virus payload.
  Talk of not owning your own computer is nonsense. You are free to not run AV software if you prefer. It would be a dumb move, but you are free to do it.
2. Re: Not sure how I feel about this... by Anonymous Coward · 2014-01-16 10:16 · Score: 0
  
  The software is leased, is it not?
  It's more akin to renting a car and driving it around while the owner also has keys to it.
3. Re:Not sure how I feel about this... by mythosaz · 2014-01-16 10:30 · Score: 3, Insightful
  
  While the intention was definitely good, I personally would not want to use a machine that the could be remotely accessed in such a mannter.
  Well you're in luck!
  Using the Malicious Software Removal Tool is entirely voluntary.
4. Re:Not sure how I feel about this... by hawguy · 2014-01-16 10:46 · Score: 1
  
  While the intention was definitely good, I personally would not want to use a machine that the could be remotely accessed in such a mannter.
  True, something like anti-virus software self-updating and removing a threat would be acceptable to most users. But this is more akin buying a car and discovering the manufacturer has a master key and a representative can come over and drive it around whenever he/she wants, and it's fully legal and you can't do anything about it.
  In the end, for better or for worse, I think it's important that we actually own the devices we buy and pay for. Cases like this, and similar ones with Kindles and mobile devices remotely being accessed and modified or used to spy on us, are strong evidence that we do not. (I know that this particular case is not a big deal in of itself, but the fact that Microsoft can do what it did is not good news.)
  How do you think Anti-virus software works if it doesn't have a "master key" to your computer that lets it uninstall any application it thinks is malicious?
5. Re:Not sure how I feel about this... by Alex+Vulpes · 2014-01-16 10:46 · Score: 1
  
  Whoops, never mind. I thought it was Windows doing the job itself.
6. Re:Not sure how I feel about this... by Alex+Vulpes · 2014-01-16 10:49 · Score: 1
  
  Oh... good point. Guess I really should RTFA next time.
7. Re:Not sure how I feel about this... by tlhIngan · 2014-01-16 10:53 · Score: 1
  
  While the intention was definitely good, I personally would not want to use a machine that the could be remotely accessed in such a mannter.
  True, something like anti-virus software self-updating and removing a threat would be acceptable to most users. But this is more akin buying a car and discovering the manufacturer has a master key and a representative can come over and drive it around whenever he/she wants, and it's fully legal and you can't do anything about it.
  
  Well, it's just that MSRT runs and executes a find and destroy script. In this case, it looked for a special version of Tor that the malware installed in a special location and configured in a special way. That way it would not destroy legitimate Tor installations.
  And you have the option of not running it, if you really wanted to - you still own the machine.
  It's the same as if you set your Linux box to self-update - are the updates it downloads able to remove other software? Yes. In fact, it's expected during updates that new versions remove old versions. And sometimes they also remove other software that are no longer prerequisites.
  Sure you have the option to not do it, just like you have the option to not run the update.
  
  In the end, for better or for worse, I think it's important that we actually own the devices we buy and pay for. Cases like this, and similar ones with Kindles and mobile devices remotely being accessed and modified or used to spy on us, are strong evidence that we do not. (I know that this particular case is not a big deal in of itself, but the fact that Microsoft can do what it did is not good news.)
  It's really no different on any OS - updates automatically apply and they can remove stuff at will too.
  Probably the most interesting thing is that Apple, of all companies, has not actually shown the need to remove apps remotely. We know they have the capability to disable apps (only the ones using CoreLocation, though), and they have removed apps from the store. But they have not removed apps from people's iTunes libraries, nor removed the ability of deleted apps to run, period. As long as you have a copy somewhere, it can be installed on other devices using iTunes long after it's been removed.
  Heck, even when Disney forced the removal of its movies from Amazon and iTunes, they still play if you have a copy on your hard drive! Which can be copied to other devices or streamed to your AppleTV just fine. It only screwed you if you didn't already have a downloaded copy.
  Funny how the most "walled" of walled gardens hasn't yet needed to flex its abilities. Even Steam has removed games from people's libraries (granted, the game didn't work anymore, but still - people paid for the game, and Valve deleted it!)
8. Re:Not sure how I feel about this... by fast+turtle · 2014-01-16 11:45 · Score: 1
  
  the only problem is that MS wont give you some updates if you refuse to run the malicious software removal tool. This includes things like Security Eseentials along with Important updates to the OS that solve other problems, meaning they're shooting themselves in the foot trying to prevent a botnet from expanding by denying updates that may block it to begin with. Damned if you do. Damned if you don't
  
  --
  Mod me up/Mod me down: I wont frown as I've no crown
9. Re:Not sure how I feel about this... by BasilBrush · 2014-01-16 11:54 · Score: 1
  
  Security Essentials removes this TOR payload anyway.
10. Re:Not sure how I feel about this... by TrekkieGod · 2014-01-16 12:34 · Score: 1
  
  This is no different from anti-virus, because it WAS the Microsoft anti-virus tool that did it. A specific version of TOR in a specific hidden directory being part of the virus payload.
  Talk of not owning your own computer is nonsense. You are free to not run AV software if you prefer. It would be a dumb move, but you are free to do it.
  You know, I haven't seen a virus scanner log on any of my computers come up with any positive results since early 2000s, so maybe things have changed. However, the way it was done back then, and the way I assumed it was still done today, is that the anti-virus would flag the potentially malicious files, and then tell you in big red letters, "We detected virus blah. What would you like to do? Ignore / Delete / Quarantine"
  In this mode of operation, nothing is being done without explicit user authorization. I actually don't even see anything wrong with having an option for automatically deleting anything that it detects as malicious as long as it's not the default option, which would therefore still be considered an user-authorized action. However, to have any anti-virus software delete files or uninstall software without any consent other than the decision to run anti-virus software is most certainly unacceptable. Even if you disagree with me from an ethical perspective, even looking at it from a practical viewpoint it's a bad idea. After all, there are such things as false positives in virus-scans.
  
  --
  Warning: Opinions known to be heavily biased.
11. Re:Not sure how I feel about this... by AK+Marc · 2014-01-16 13:37 · Score: 1
  
  Users would click "ignore" and the virus would not be removed. So the industry moved to default installs that silently remove them. You can re-enable the chattty mode in most programs, but they turn chatty off because users clicked the "wrong" button.
  
  --
  Learn to love Alaska
12. Re:Not sure how I feel about this... by puto · 2014-01-16 16:14 · Score: 1
  
  While the intention was definitely good, I personally would not want to use a machine that the could be remotely accessed in such a mannter.
  True, something like anti-virus software self-updating and removing a threat would be acceptable to most users. But this is more akin buying a car and discovering the manufacturer has a master key and a representative can come over and drive it around whenever he/she wants, and it's fully legal and you can't do anything about it.
  Well, it's just that MSRT runs and executes a find and destroy script. In this case, it looked for a special version of Tor that the malware installed in a special location and configured in a special way. That way it would not destroy legitimate Tor installations.
  And you have the option of not running it, if you really wanted to - you still own the machine.
  It's the same as if you set your Linux box to self-update - are the updates it downloads able to remove other software? Yes. In fact, it's expected during updates that new versions remove old versions. And sometimes they also remove other software that are no longer prerequisites.
  Sure you have the option to not do it, just like you have the option to not run the update.
  
  In the end, for better or for worse, I think it's important that we actually own the devices we buy and pay for. Cases like this, and similar ones with Kindles and mobile devices remotely being accessed and modified or used to spy on us, are strong evidence that we do not. (I know that this particular case is not a big deal in of itself, but the fact that Microsoft can do what it did is not good news.)
  It's really no different on any OS - updates automatically apply and they can remove stuff at will too.
  Probably the most interesting thing is that Apple, of all companies, has not actually shown the need to remove apps remotely. We know they have the capability to disable apps (only the ones using CoreLocation, though), and they have removed apps from the store. But they have not removed apps from people's iTunes libraries, nor removed the ability of deleted apps to run, period. As long as you have a copy somewhere, it can be installed on other devices using iTunes long after it's been removed.
  Heck, even when Disney forced the removal of its movies from Amazon and iTunes, they still play if you have a copy on your hard drive! Which can be copied to other devices or streamed to your AppleTV just fine. It only screwed you if you didn't already have a downloaded copy.
  Funny how the most "walled" of walled gardens hasn't yet needed to flex its abilities. Even Steam has removed games from people's libraries (granted, the game didn't work anymore, but still - people paid for the game, and Valve deleted it!)
  Apple has stopped apps from working, which is the same from removing apps. Look at Siri on iphones from the 4 on down. It is apples to apples, and there are many others they have stopped.
  
  --
  The Revolution Will Not Be Televised
13. Re:Not sure how I feel about this... by BasilBrush · 2014-01-17 10:21 · Score: 1
  
  You know, I haven't seen a virus scanner log on any of my computers come up with any positive results since early 2000s, so maybe things have changed. However, the way it was done back then, and the way I assumed it was still done today, is that the anti-virus would flag the potentially malicious files, and then tell you in big red letters, "We detected virus blah. What would you like to do? Ignore / Delete / Quarantine"
  I don't know the way Microsoft Security Essentials does it, as I moved to the Mac a long time ago. But having the dialog you mention as a default would be a big mistake. 99.9% of users wouldn't know what to do, and it would be a pure fluke if they selected the most appropriate action.
  Developers shouldn't delegate the hard decisions to users. They should work out the right thing to do, and do it. In cases where there is no doubt that this is a malware that might be to delete immediately. In cases where false positives are possible, that might mean quarantining, and deleting at some time in the future.
  From the sounds of it, this sounds like a delete immediately case. It happens on machines that are known to have the malware, and the TOR client is an old version installed in a specific hidden directory. There is no chance of a false positive.
  Of course it's probably a good idea for virus checkers to have a mode with a dialog such as you describe, for use by virus researchers etc. But it should be a well hidden option, not the default.
14. Re:Not sure how I feel about this... by TrekkieGod · 2014-01-17 12:53 · Score: 1
  
  But having the dialog you mention as a default would be a big mistake. 99.9% of users wouldn't know what to do, and it would be a pure fluke if they selected the most appropriate action.
  Well, I gave you the wrong idea about the dialog, if you think that's true. They certainly made the option to "ignore" seem like the worst of all choices, a scary and dangerous decision. If you ever clicked it, it would further nag you about how that was likely to be incredibly unwise and ask you to confirm that option. Then, on every subsequent scan, it would keep flagging that file anyway, and you'd have to ignore it every time.
  Personally, I never treated anti-virus software as software to *clean* viruses. I use them for their virus scanner feature, and if they ever come up positive, it's time to reformat the box and start from scratch, hoping your BIOS is clean. The way I see it, if your system has been compromised, your anti-virus could be compromised. I think clicking, "delete" and getting that nice message on how your system is now clean at the end gives the user a dangerous feeling of false comfort. They're really not that much safer than if they had clicked ignore, they're fairly likely to be just as screwed.
  
  From the sounds of it, this sounds like a delete immediately case. It happens on machines that are known to have the malware, and the TOR client is an old version installed in a specific hidden directory. There is no chance of a false positive.
  Yeah, I'm not all up in arms against Microsoft for deleting this particular program, mind you. If anything I said implied that, then I was unclear in how I phrased my thoughts. Microsoft appeared very responsible in dealing with this particular case, down to contacting the Tor developers and making sure there was no legitimate reason why Tor would ever have been installed in that way. Kudos.
  What gives me pause is that they have the capability of choosing to delete anything off a box. Because there's no guarantee they're going to be responsible with that tool tomorrow, and the next thing you know, a false positive gets deleted. I don't think such an action should even be legal, without explicit consent.
  
  I moved to the Mac a long time ago...Developers shouldn't delegate the hard decisions to users. They should work out the right thing to do, and do it.
  Well, that's certainly the Apple philosophy. I'm not saying that disparagingly, and I recognize the advantages of that philosophy, but I will like to point out that it's a preference, not a universal truth. Since you subscribe to it, you're probably very happy with that move to the Mac. I did the Mac thing myself for many years as a result of Apple switching to x86 compatible machines, and as a result of Mac OS X being UNIX. My latest laptop, however, is not an Apple, precisely because I personally hate that Apple philosophy, and it got in my way much more often than it was ever helpful.
  I am a software developer. My philosophy, as a developer and as a user, is that a developer doesn't make decisions ever, regardless of whether they're easy or hard. A developer makes suggestions, when the choice appear obvious, in the form of defaults that can be changed in an advanced menu. If it's a hard decision, either because you're not sure what should be chosen, or because the stakes are high (files are going to get deleted, overwritten, the user will have to log out or reboot, etc.), then you don't even pick a default. You ask the question, and allow the user to set his answer as the default in the future, if he so chooses.
  Once again, I'm not trying to tell you my philosophy is right and yours is wrong here, I'm just explaining my own preferences. My philosophy is right for me, and I look to use, buy, and create software that abides by it. This is Windows vs. Mac, KDE vs. Gnome stuff...you always have to trade off control for initial user friendliness, and people draw the line of where the cutoff should be differently.
  
  --
  Warning: Opinions known to be heavily biased.
"Malicious Software Removal"? Or more sinister? by DutchUncle · 2014-01-16 10:10 · Score: 0

Every month's update includes an updated "malicious software" remover. Normal people who have their machines auto-update would get it automatically, and *if* the corrupted Tor wasn't hiding its existence in some way, it could be found and removed. That would be a legitimate use of the trust customers put in MS (as with other antivirus providers). If it turns out there's a backdoor, the way Amazon removed books from peoples' Kindles, then the entire Windows infrastructure would be unsafe.
Exactly how???? by lasermike026 · 2014-01-16 10:19 · Score: -1, Redundant

Exactly how does Microsoft gain access and remove software? Well I guess that means Microsoft has complete control of other people PCs. What kind of F@#$%^ up nightmare is this?
1. Re:Exactly how???? by cyberspittle · 2014-01-16 10:25 · Score: 4, Insightful
  
  Windows Update - malicious software removal tool. When you install Windows, or other Microsoft software, you agree to the End User License Agreement (EULA). There is nothing unusual about this. If the EULA is not agreeable, another OS should be installed.
2. Re:Exactly how???? by neoritter · 2014-01-16 10:26 · Score: 0
  
  Try reading the article genius.
3. Re:Exactly how???? by Bert64 · 2014-01-16 10:31 · Score: 3, Informative
  
  If you install their software then you are trusting them to have control over your machine. Your hardware is doing exactly what microsoft has programmed it to do. And every time you install updates, you are allowing them to install a new set of program code on your machine.
  If you don't like it, run something else.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
4. Re:Exactly how???? by LinuxIsGarbage · 2014-01-16 10:35 · Score: 3, Interesting
  
  Exactly how does Microsoft gain access and remove software? Well I guess that means Microsoft has complete control of other people PCs. What kind of F@#$%^ up nightmare is this?
  Well if we read the article
  
  Since the Sefnit-caused Tor eruption in August, we have worked to curb this risk. In this process, we consulted with Tor project developers to help plan the cleanup. We retroactively remediated machines that had previously been cleaned of Sefnit but still had a Sefnit-added Tor service:
  October 27, 2013: We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.
  November 12, 2013: Signature and remediation is included in Malicious Software Removal Tool and delivered through Windows Update/Microsoft Update.
  Microsoft Security Essentials is a popular antivirus program that people tout as being a good free option to Symantec or McAfee. In this case it seems it did a good job of squashing a botnet. Malicious Software Removal Tool is an update that comes monthly, with Windows updates, that can be disabled or deselected if you wish. The idea is that "This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month. " So even if you don't use MSE or any other AV software, if you do updates, you will get the worst of the worst. Such as this millions infected with Sefnit.
  No hidden remote kill switch. No evil. The security tools did what they advertized to remove a threat, while leaving legitimate Tor users untouched.
5. Re:Exactly how???? by OneAhead · 2014-01-16 10:51 · Score: 2
  
  I came here to say just this. TFA is a neat story in a general sense, but in the sense of "Microsoft controlling your computer", there's exactly nothing there we didn't know already. It can only be a surprise to people who don't know or are in denial about what it means to update their operating system. Every second Tuesday, Microsoft adds stuff to your windows computers, which is way scarier than removing stuff, if one thinks about it for just a second.
6. Re:Exactly how???? by maxwell+demon · 2014-01-16 10:56 · Score: 1
  
  Well, there's a program called "Malicious Software Removal Tool". What do you think it does?
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
7. Re:Exactly how???? by Anonymous Coward · 2014-01-16 13:14 · Score: 0
  
  I heard the sky was falling... you should probably just kill yourself!
8. Re:Exactly how???? by AK+Marc · 2014-01-16 13:41 · Score: 1
  
  The real question should be, how can Symantec/McAfee gain access and remove software? After all, this "virus" was moved by more than just MS. Maybe someday, you should learn how AV works.
  
  --
  Learn to love Alaska
9. Re:Exactly how???? by shentino · 2014-01-16 14:37 · Score: 1
  
  You don't need to be an auto mechanic to drive, and you shouldn't have to be a codemonkey to operate a computer.
  Users should be entitled to take whatever the vendor says at face value without being screwed.
10. Re:Exactly how???? by istartedi · 2014-01-16 16:06 · Score: 1
  
  Well I guess that means Microsoft has complete control of other people PCs.
  You mean, like they write software that oh... operates the system or something?
  
  --
  For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
11. Re:Exactly how???? by Anonymous Coward · 2014-01-16 22:50 · Score: 0
  
  If you install their software then you are trusting them to have control over your machine. Your hardware is doing exactly what microsoft has programmed it to do. And every time you install updates, you are allowing them to install a new set of program code on your machine.
  If you don't like it, run something else.
  No, this is not about "trust". Trust comes into play when you suspect abuse. However, the Microsoft EULA explicitly reserves the right to Microsoft to control all software installations remotely, enable and disable any components written either by themselves or by others as they see fit, and, if it so happens, brick your machine without recompensation.
  When you run a current version of Microsoft Windows, you explicitly "I agree" that the computer, for all purposes, remains the property of Microsoft to dispose of as they see fit.
  The consumer has repeatedly spoken about the Microsoft EULAs increasingly spiraling out of control for every new version, and his verdict has been "Baaah! Baaaah! Baaah!".
  So that's what he's getting.
  Bah.
12. Re:Exactly how???? by Anonymous Coward · 2014-01-16 22:56 · Score: 1
  
  Well, there's a program called "Malicious Software Removal Tool". What do you think it does?
  According to its title, I would expect it to maliciously remove software.
A classic Example by Anonymous Coward · 2014-01-16 10:25 · Score: 0

A classic Example of someone trying to point the finger when there is nothing to point at. You removed my botnet nad now i'm mad. STFU. Save your complaining for legitimate problems.
Fucking assholes by Anonymous Coward · 2014-01-16 10:25 · Score: -1

I don't want ANYBODY going into my computer. That's no different than breaking into my house, and stealing.
FUCK MICROSOFT
1. Re:Fucking assholes by cyberspittle · 2014-01-16 10:32 · Score: 2
  
  Dude, you may want to step away from the keyboard and take a deep breath. This is not some uninvited guest helping themselves to your snacks. You allow them in via EULA. Perhaps taking a moment to breath will prevent a knee-jerk reaction.
2. Re:Fucking assholes by hawguy · 2014-01-16 10:49 · Score: 1
  
  I don't want ANYBODY going into my computer. That's no different than breaking into my house, and stealing.
  FUCK MICROSOFT
  Microsoft Updates and anti-virus protection are completely optional. If you don't want anyone changing files on your computer, you ought to turn off WIndows Updates immediately, and don't run any anti-virus software.
  It's a little more like hiring someone to fix your leaky windows, then accusing them of stealing after they replaced the moldy wood framing around the window when they put in the new one because you really loved that wood frame even if it was moldy and you want it returned.
3. Re:Fucking assholes by maxwell+demon · 2014-01-16 10:58 · Score: 1
  
  If you don't want anybody in your computer, then simply don't invite him there. It's not as if the Malicious Software Removal Tool installed itself on the computer.
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
Microsoft malicious software removal tool.. by gallondr00nk · 2014-01-16 10:26 · Score: 3, Informative

Removes malicious software, that just happens to use Tor.
Come on /., you can do better than this.
1. Re:Microsoft malicious software removal tool.. by mythosaz · 2014-01-16 10:33 · Score: 2
  
  It's not even good trolling on the author's part.
  It'd be like a piece of malware that installs an old copy of VNC for spying purposes, in a hidden folder, with a obscure named .EXE, starting in an arcane point in the registry, and then leading with a headline of: Microsoft Removes VNC From Computers!.
2. Re:Microsoft malicious software removal tool.. by Anonymous Coward · 2014-01-16 17:53 · Score: 0
  
  and that it why I'm starting to come here less and less and less .... /:
All Tor Clients? by PPH · 2014-01-16 10:30 · Score: 0

Or only those on infected machines? And was this removal targeted only at the botnet-installed Tor client (TFA seems to imply this).
If this was the case, then good for them (Microsoft). Although they could have been a bit more open about their removal with the Tor developers, so as to reassure them that they were not attacking Tor. And to get feedback on anything that could cause a false positive and removal.

--
Have gnu, will travel.
1. Re:All Tor Clients? by mythosaz · 2014-01-16 10:38 · Score: 2
  
  RTFA? Or any of the dozens of comments above yours?
  TFA is fucking garbage.
  MSRT removed a specific version of Tor in a specific arcane/obscured directory used only by a botnet.
2. Re:All Tor Clients? by Desler · 2014-01-16 11:40 · Score: 1
  
  They were open with the Tor devs. Even said so explicitly in the article.
3. Re:All Tor Clients? by Anonymous Coward · 2014-01-16 11:55 · Score: 0
  
  From what I can tell it's those installs that are
  1) of the vulnerable version and
  2) installed in the location chosen by the malware which "install[ed] Tor into a location that almost no human user would"
Legal? by Dcnjoe60 · 2014-01-16 10:36 · Score: 0

Isn't it illegal to secretly infiltrate a computer system and remove legal software from it?
1. Re:Legal? by Ksevio · 2014-01-16 10:50 · Score: 2
  
  Isn't it illegal to secretly infiltrate a computer system and remove legal software from it?
  Yes it is.
  
  Fortunately, the software isn't exactly legal (it was illegally installed by a virus that is), and the machine isn't being secretly infiltrated (you get notified about the Malicious Software Removal if you look at the Windows Updates), so that's kind of a moot point.
2. Re:Legal? by LinuxIsGarbage · 2014-01-16 10:51 · Score: 1
  
  Isn't it illegal to secretly infiltrate a computer system and remove legal software from it?
  This looks real secret:
  http://i39.tinypic.com/21kz7na.jpg
3. Re:Legal? by Anonymous Coward · 2014-01-16 10:52 · Score: 0
  
  RTFA
4. Re:Legal? by maxwell+demon · 2014-01-16 11:02 · Score: 1
  
  Yes. But installing Malicious Software Removal Tool is not something which secretly happens in the background, but which the user does knowingly, fully being aware that the tool is not only able to remove malicious software, but it is actually it's purpose.
  Also, the botnet hardly is legal software, and the fact that it contains a concealed outdated copy of the Tor client doesn't change that fact.
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
5. Re:Legal? by davidbrit2 · 2014-01-16 11:03 · Score: 1
  
  Yes. Fortunately, nothing like that happened here.
6. Re:Legal? by maxwell+demon · 2014-01-16 11:03 · Score: 1
  
  Err ... "its purpose", of course ...
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
7. Re:Legal? by Anonymous Coward · 2014-01-16 11:06 · Score: -1
  
  Isn't it illegal to secretly infiltrate a computer system and remove legal software from it?
  Ordinarily yes, but not if you've indoctrinated the users for decades that
  "it's for their own good" and
  "we only attack the bad guys.. why are you complaining? you're not a bad guy, are you??"
  and "you can trust Microsoft, because everyone is using Microsoft, which proves it's good--you're not assuming everyone is just following others, surely!"
  and "you can't begin to imagine the horrors of a life without Microsoft where you'd be using an *alternative* O.S., which is something only weirdos and nerds would want".
  
  *retch*
8. Re:Legal? by mcl630 · 2014-01-16 11:31 · Score: 3, Informative
  
  Yes, but that's not what happened here. If you read TFA, it was removed by Microsoft Security Essentials and the Malicious Software Removal Tool (from Windows Update) and it only removed a specific version of Tor installed in a specific folder. No legit install of Tor would have been in that specific folder.
  If you don't want MSE, don't use it. If you don't want Windows Updates, disable it. Otherwise accept that you're giving some control over your system to Microsoft.
9. Re:Legal? by Anonymous Coward · 2014-01-16 11:57 · Score: 1
  
  The user (by running the updates) gave permission to do this. There was no infiltration, any more than there's no infiltration when your chosen AV client removes a virus.
10. Re:Legal? by Anonymous Coward · 2014-01-16 18:59 · Score: -1
  
  Fortunately, the software isn't exactly legal (it was illegally installed by a virus that is), and the machine isn't being secretly infiltrated (you get notified about the Malicious Software Removal if you look at the Windows Updates), so that's kind of a moot point.
  I recall some old viruses would harden machines against other known viruses to gain a monopoly of that system's resources against other potential illegal controllers.
  Didn't some slashdot story have threads exploring how bad it is for vigilantes to create 100% "good" viruses to remove other viruses, or vaccinate against bad installs?
  Bias or not, what makes anyone company or government "right" to take the steps, if it's wrong for us ? If MS wants to fix stuff, then there are many, many design choices their tools should fix before going against other people's code. Candidates are old holes like Windows' defaulting to have port 137 open, which 13 years of Windows updates haven't fixed despite the final days of XP looming close.
11. Re:Legal? by Saffaya · 2014-01-16 19:04 · Score: 0
  
  " If you don't want Windows Updates, disable it."
  You conveniently forgot that microsoft can update windows update, even with windows update turned off.
  In a nutshell, using a windows OS mean you don't actually own your machine anymore.
12. Re:Legal? by Anonymous Coward · 2014-01-17 01:28 · Score: 0
  
  Citation need, liar.
Do it right... by nobuddy · 2014-01-16 10:38 · Score: 1

Do a simple and clean install, saving personal docs and with the right payload (like WhicheverOfficeFork, video player, music player, etc). Do it with one of the XP/IE lookalike themes... the "victim" would only wonder why their PC suddenly started performing well.
no harm, no foul?
User install VS trojan install by Anonymous Coward · 2014-01-16 10:39 · Score: 1

If we look BEYOND the misleading headline, we will understand that when a TROJAN illegally and secretly installs software n a user's machine, it does so in a way that will leave a clear signature. So, a trojan that installs Tor, for instance, will do so in a way that minimises visibility of the app to users. Microsoft can and SHOULD (if a user is willingly using a Microsoft anti-trojan tool) attempt to identify apps that have been illegitimately installed, even if the app itself can ordinarily be a legitimate user install, and remove that app.
If the user did NOT consent for app X to be placed on their machine, there can be no controversy if a user activated Microsoft security product removes X without explicit user permission.
Now if Microsoft DARED to remove copies of Tor that a user had explicitly installed, the situation would be a very, very different one. So why are the owners of Slashdot trying to imply something that isn't true? And don't give me crap that it is the fault of the authors of the original article. When Slashdot promotes a story, the content of that story (and the misleading Slashdot summary) are Slashdot's responsibility.
1. Re:User install VS trojan install by Anonymous Coward · 2014-01-16 12:31 · Score: 0
  
  Now if Microsoft DARED to remove copies of Tor that a user had explicitly installed, the situation would be a very, very different one. So why are the owners of Slashdot trying to imply something that isn't true? And don't give me crap that it is the fault of the authors of the original article. When Slashdot promotes a story, the content of that story (and the misleading Slashdot summary) are Slashdot's responsibility.
  When has Slashdot ever not tried to imply something that wasn't true? Its called Hyperbole and featured gratuitously in every article.
  When was the last time you heard a close friend in real life exclaim "I heard it on the Internet" ...
  This is just slashdots way of keeping you from being that person... See Dice holdings has your back and cares very much about you not looking like an fool...well in real life anyway...
Had you bothered to read the article by nobuddy · 2014-01-16 10:42 · Score: 2

you would realize how silly you look here.
You: "hi. come on in! Welcome to my home. Have a seat, make yourself comfortable...... WHAT THE FUCK? HOW DID YOU GET IN MY HOUSE??"
apt-get by Anonymous Coward · 2014-01-16 10:48 · Score: 0

How is this different form apt-get upgrade or dist-upgrade?
Microsoft Did Not Remotely Delete Tor by blanu2 · 2014-01-16 10:56 · Score: 1

This incident was discussed in the 30c3 talk on Tor. Roger Dingledine stated that Microsoft removed the botnet, but left Tor installed. Therefore the headline that Microsoft deleted Tor is not correct. You can watch the video here: http://www.youtube.com/watch?v=CJNxbpbHA-I
Re:"Malicious Software Removal"? Or more sinister? by maxwell+demon · 2014-01-16 11:14 · Score: 1

Of course the only difference between malware and legitimate software or other content is the intent, which the tool obviously cannot detect. Therefore any tool that can be used to remove malicious software can also be used to remove legal software or other content.

--
The Tao of math: The numbers you can count are not the real numbers.
just wow by luther349 · 2014-01-16 11:15 · Score: 1

so Microsoft removes a virus with there removal tool and somehow they did a bad thing. and removed the infected version of tor not the new ones.
Alternate headline by wonkey_monkey · 2014-01-16 11:16 · Score: 1

Microsoft remotely deleted a characteristic version of Tor and other maliciously installed software which a botnet had installed from Windows machines to stop said botnet, just as it does for all kinds of malicious software via its (get this) Malicious Software Removal tool (which regularly appears in Windows Update) and/or Microsoft Security Essentials, which you, the user, gave it permission to do.
...but it didn't fit*.
*in length or in terms of agenda.

--
systemd is Roko's Basilisk.
1. Re:Alternate headline by Anonymous Coward · 2014-01-16 12:25 · Score: 0
  
  Microsoft remotely deleted a characteristic version of Tor and other maliciously installed software which a botnet had installed from Windows machines to stop said botnet, just as it does for all kinds of malicious software via its (get this) Malicious Software Removal tool (which regularly appears in Windows Update) and/or Microsoft Security Essentials, which you, the user, gave it permission to do.
  ...but it didn't fit*.
  *in length or in terms of agenda.**
  **That's what she said.
Class Action? by nurb432 · 2014-01-16 11:18 · Score: 0

Ok Attorneys: Could this qualify for a class action suit to shut them down forever and burn them to the ground?

--
---- Booth was a patriot ----
1. Re:Class Action? by Desler · 2014-01-16 11:41 · Score: 1
  
  No how would it?
2. Re:Class Action? by Joe+U · 2014-01-16 11:53 · Score: 1
  
  Ok Attorneys: Could this qualify for a class action suit to shut them down forever and burn them to the ground?
  Short answer: No.
  Long answer: No. And you need to actually read how it was done before commenting.
3. Re:Class Action? by LordLimecat · 2014-01-16 12:02 · Score: 0
  
  Class action against who? The people on slashdot who cant be bothered to read the article before they comment on it?
  Count me in.
4. Re:Class Action? by Mashiki · 2014-01-16 13:43 · Score: 1
  
  Uh what for? Removing a botnet,
  
  --
  Om, nomnomnom...
No one spoke out for tor by nurb432 · 2014-01-16 11:19 · Score: 0

No one spoke out since it didn't effect them...

--
---- Booth was a patriot ----
1. Re:No one spoke out for tor by Anonymous Coward · 2014-01-16 12:54 · Score: 1
  
  First they came for the viruses.
  Then they came for the malware.
  Then they came for the potentially unwanted programs.
  When they came for my porn they didn't find any
  Because the bastards had removed everything that caused pop up ads for porn sites.
2. Re:No one spoke out for tor by AK+Marc · 2014-01-16 13:12 · Score: 2
  
  As it affected no one, nobody noticed or cared, and nobody was inconvenienced, other than botnet owners.
  
  --
  Learn to love Alaska
3. Re:No one spoke out for tor by Anonymous Coward · 2014-01-16 18:42 · Score: 0
  
  Oh COME ON. This was a version of TOR installed by malware, not by any conscious decision of the owner of the machine.
  It was removed by Microsoft's anti-malware tool, not some hidden killswitch.
  I suppose we should all speak out about the fact that anti-malware tools remove applications which the user *DID NOT* choose to install?
Cost of ownership by gmuslera · 2014-01-16 11:52 · Score: -1, Troll

So much effort defending Windows against Linux using cost of ownership as argument and this proves that Microsoft is still owning the Windows you "bought".
1. Re:Cost of ownership by bloodhawk · 2014-01-16 12:02 · Score: 3, Insightful
  
  Perhaps you should try something original... like reading the actual article.
2. Re:Cost of ownership by LordLimecat · 2014-01-16 12:04 · Score: 0
  
  Wow, a 4-digit UID and you cant be bothered to RTFA or any of the dozen other comments explaining why your comment is false.
  The really sad thing is your UID indicates youve been into technology for at least a decade-- but it apparently doesnt stop you from making comments on stuff that you have absolutely no clue about.
  Heres a hint: It was through MSRT / Security Essentials.
3. Re:Cost of ownership by gmuslera · 2014-01-16 13:40 · Score: 2
  
  I did, also read this politician calling for banning open source and anonymizing software. The precedent is set, just wait a few months.
These sort of articles are great by LordLimecat · 2014-01-16 12:07 · Score: 0

If we could just implement a script on slashdot to mute or auto-downmod users who post comments which clearly indicate both ignorance and not having read the article, maybe we could clean the site up.
1. Re:These sort of articles are great by Anonymous Coward · 2014-01-16 13:14 · Score: 0
  
  If we could just implement a script on slashdot to mute or auto-downmod users who post comments which clearly indicate both ignorance and not having read the article, maybe we could clean the site up.
  There goes 90% of the posts made in the last 2 years.... and many of them'd be made by people who are the target audience of this site's advertising. The problem is not the number of idiots, trolls and shills - the low-signal-to-noise ratio is mainly due to the mass exodus of intelligent posters resulting from changes made by the current site owners that bring us the stories brought about by people(?) like Soulskill.
  ~ Demoid Penguin
where does NSA fit in? by Anonymous Coward · 2014-01-16 12:14 · Score: 0

power to uninstall is also the power to install
1. Re:where does NSA fit in? by Anonymous Coward · 2014-01-17 03:59 · Score: 0
  
  Of course. Just like the NSA could add some modified packages into your Linux distribution's repository for you to get with the next security updates. Especially if the Linux distribution is made by an American company.
Comments from Jacob Appelbaum and Roger Dingledine by NeBan · 2014-01-16 12:41 · Score: 3, Informative

Jacob Appelbaum and Roger Dingledine talked about this at the 30c3 conference last December. Here's a link to the video: https://www.youtube.com/watch?v=CJNxbpbHA-I They talk about this around the 39:55 mark. Basically they weren't thrilled about microsoft doing such a thing, but on the other hand if the attack had been malicious it would have taken down the entire TOR network.
Agreed, Bill got it right... by Anonymous Coward · 2014-01-16 12:41 · Score: 0

They did it the right way. Good job.
At the risk of feeding the troll.... by rts008 · 2014-01-16 12:50 · Score: 2

Well, I don't really detect sarcasm, and same for troll detection, yet I have a hard time accepting these as real questions, but what the hell....
According to TFA, the botnet was mining bitcoins for the two botnet 'herders'.
'Doing anything bad?'
1.) Taking control away from the PC's owner and covertly installing malware
2.) Using significant amounts of energy at the owners expense without agreement
3.) Tor network users jumped from approx. 1 million users, to over 5 million users when this botnet went online. I imagine that would have the opposite effect of 'making Tor faster for everyone'
4.) In some cases, clogging and disrupting users networks
In other words, not doing anything good, and a whole lot of bad.
This is one time that Microsoft was acting responsibly, and did the right thing, IMHO.
The Microsoft anti-malware tools worked as designed, although a bit more proactive than the normal reactive incident.

--
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
crashed my machine by Anonymous Coward · 2014-01-16 13:42 · Score: -1

Except the fuckers crashed my machine when they pushed out the update. I click reboot and walk away, system may hang for hours because an application, usually M$ application has a fucking modal open asking me if I really want to close it. Windows Update sends the reboot, the fucker is going to reboot. Exactly the opposite needs to be true. When I say reboot, especially as an admin, I expect the fucking system to reboot. When M$ says reboot, I expect the machine to ask permission.
1. Re:crashed my machine by DavidRawling · 2014-01-16 16:59 · Score: 1
  
  Except the fuckers crashed my machine when they pushed out the update.
  Citation needed, since I recall no such major outcry. Your machine is probably one of the ones with 25 browser toolbars, or ten download accelerators, or fifty outdated browser plugins, or a couple of undetected rookits etc., which is usually the reason behind a security patch "crashing your machine".
  And if Windows closed the app with unsaved work, you'd be here whinging that Microsoft destroyed your work. And if you really gave a crap, you'd go in and change the Windows Update setting from "Automatically install" to "Ask me first".
  Microsoft has done some seriously stupid stuff. And some bad stuff. But if you want to abuse them, at least abuse them for the stupid stuff not the sane stuff.
Re:"Malicious Software Removal"? Or more sinister? by DutchUncle · 2014-01-16 15:47 · Score: 1

Very true. If Microsoft decided that, say, *any* copy of Tor was malicious, or anything listed on Sourceforge . . . . Or any .iso with a name that matches a movie . .
Is this journalism? by Anonymous Coward · 2014-01-16 20:33 · Score: 0

WTF kind of story is this?
BREAKING NEWS: AV software removes threat!
If this story were about ClamWIN it would all be w00t open source FTW!
But apparently a free MS product did its job - boo, hiss, etc
Re: by Anonymous Coward · 2014-01-16 20:35 · Score: 0

Show me a machine that has Firefox installed by malware without the user's consent, and I'll show you a machine that should have Firefox removed.
YES! \o/ by Anonymous Coward · 2014-01-16 22:31 · Score: 0

Now there are only nine hundred ninety nine millions, nine hundred ninety nine thousand and nine hundred ninety nine failures to fix on windows.
TAILS Linux: Even Bruce Schneier Uses It! by Anonymous Coward · 2014-01-16 23:11 · Score: 0

Try TAILS Linux.
Should have focused on POS machines at Target. by Anonymous Coward · 2014-01-17 00:26 · Score: 0

Should have focused on POS machines at Target. This headline is just a ruse to let the MS huggers hide the biggest malware heist in history. Unpatched windows running on cash registers?
Skype/MS bans IP's running Tor Exit Nodes by astro128 · 2014-01-17 01:24 · Score: 1

I used to run an active, unlimited TOR exit node on my office PC during non-work hours, that is until for some unknown reason our office had our Skype account blocked - I called Skype, my network provider, everyone trying to figure why we couldn't access Skype at all from any of the computers on our office network (we have a fixed IP which could have added to the problem). I read some threads on the Skype forums that this has happened to several people - apparently once Microsoft integrated Skype over the last year, anyone running an Exit Node was blacklisted. Note that we got any kind of notification, just a banned IP, they would not even confirm we were banned. I shut down my Exit Node and about 2 weeks later Skype returned. Not exactly what I call a positive treatment for a so called "good application."
Ridiculous by Anonymous Coward · 2014-01-17 04:02 · Score: 0

Microsoft antivirus program removes a virus. Slashdot collectively goes retarded. News at 11.
Not such a big deal by danh1 · 2014-01-17 04:14 · Score: 1

Microsoft has been silently removing malware from users' computers for years now. What do you think the Windows Malicious Software Removal Tool does? The only new thing here is that this particular piece of malware contained an otherwise-legitimate open-source component, which Microsoft decided to remove as well. I believe there's nothing wrong with that decision since it's been used as part of the malware and for malicious purposes. In this case the decision is even more justified since having Tor installed, even without the original malware, can have consequences to the user, such as a substantial drop in available bandwidth. Even then, Microsoft made sure that they only remove instances of Tor installed by the malware and not copies that users knowingly installed so I really see no problem here. When Microsoft decides to remove Firefox or VLC or any other open-source stuff just because it competes with their products, please inform me and I'll ditch Windows altogether. Until then, I'll keep the Windows MRT installed and updated.
M$ are criminals. by Anonymous Coward · 2014-01-17 04:25 · Score: 0

We use that application for official business, and Microsoft arrogently thinks it's okay for them to control what is install on OUR system? that WE paid for?
Somebody is likely going to make a military response against them, and it will be M$ fault.
1. Re:M$ are criminals. by Kalriath · 2014-01-18 00:05 · Score: 1
  
  Well, it won't be a problem for you, unless you install an old version of Tor as a Windows Service in a specific unlikely location on your computer that the Tor Project stated "no normal human ever would" and then disabled updating.
  Or you could just read the fucking article. But god forbid people on slashdot actually miss a chance to bash Microsoft.
  
  --
  For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Breaking News! by Anonymous Coward · 2014-01-17 04:44 · Score: 0

Someone on Slashdot doesn't know what the hell they are talking about! what a surprise! :P
derp by Anonymous Coward · 2014-01-17 04:46 · Score: 0

No offense..but..if you are using Microsoft wares for security checks then you are either gullible or just plain ol' stupid.
1. Re:derp by Dekker3D · 2014-01-19 11:02 · Score: 1
  
  Which would likely be the owners of 90% of the computers in botnets. Gullible of plain ol' stupid. So, I guess that's a match made in heaven.