Slashdot Mirror


Microsoft Remotely Deleted Tor From Windows Machines To Stop Botnet

An anonymous reader writes "Microsoft remotely deleted old versions of Tor anonymizing software from Windows machines to prevent them from being exploited by Sefnit, a botnet that spread through the Tor network. It's unclear how many machines were affected, but the total number of computers on the Tor network ballooned from 1 million to 5.5 million as Sefnit spread. 'By October, the Tor network had dropped two million users thanks to Sefnit clients that had been axed. No one, not even the Tor developers themselves, knew how Microsoft had gone on a silent offensive against such a big opponent and won a decisive battle,' the Daily Dot reported. In a blog post, Microsoft claimed it views Tor as a 'good application,' but leaving it installed presented a severe threat to the infected machines."

58 of 214 comments

  1. A Microsoft Killswitch by gishzida · · Score: 2, Interesting

    Who knew?

    1. Re:A Microsoft Killswitch by BasilBrush · · Score: 5, Informative

      So called Anti-virus software is a kill switch. So everyone who knew their Windows PC was running Windows Security Essentials or any of the other Microsoft AV products knew.

    2. Re:A Microsoft Killswitch by Anonymous Coward · · Score: 2, Informative

      "Despite the warnings about the privacy of Windows users from Jacob Appelbaum while on stage in Germany, Lewman seems less concerned. He surmises that Microsoft used its Microsoft Security Essentials software to eliminate the programs, a program users must install themselves."

    3. Re:A Microsoft Killswitch by LinuxIsGarbage · · Score: 5, Informative

      Who knew?

      "Malicious Software Removal Tool" has been a Windows update for years. (Since 2005 http://en.wikipedia.org/wiki/Windows_Malicious_Software_Removal_Tool) What did you think it did? You have the option of not running it. If the update is selected / run it is a local program run one time after updates are installed that "checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month."

      http://www.microsoft.com/en-ca/download/malicious-software-removal-tool-details.aspx

    4. Re:A Microsoft Killswitch by mechtech256 · · Score: 5, Interesting

      This doesn't sound much different to any other anti-virus removal. Microsoft almost certainly used the Microsoft Security Essential update to kill Sefnit, as they do with so many other viruses.

      "the total number of computers on the Tor network ballooned from 1 million to 5.5 million as Sefnit spread"

      These weren't dedicated Tor nodes that were taken offline because they were being used for malicious purposes, these were infected PCs with a virus that used Tor as the communication protocol. An outdated and vulnerable version of Tor was hidden in a "location that almost no human user would"

      If a PC was infected with Sefnit and had the signature old version of Tor in the hidden location, Tor was removed because it's logically the case that Tor was just part of the virus payload. Because of the unique install directory, there wasn't even a remote chance for false positives. Publicly available tools that can be used for good or bad are hijacked by viruses all the time, and it's never a surprise if an anti-virus removes that tool when the virus specific files are removed.

    5. Re:A Microsoft Killswitch by timeOday · · Score: 4, Interesting

      A spam black hole is exactly the same thing, and so is gmail's spam filter. If some things are in and some are out, then somebody somewhere made that call.

      I am actually appreciating more and more, in retrospect, how non-intrusive Microsoft was for all those years and still is. Compared to today's Internet, and the PowerBook that wants a credit card number before I can even do a software update or download XCode (since it's all linked to the App Store now), Microsoft was/is a model of responsibility.

    6. Re:A Microsoft Killswitch by mythosaz · · Score: 2

      Well, you grant it that authority, so unless you're suggesting you shouldn't have that authority, I don't know what your point is.

    7. Re:A Microsoft Killswitch by PhunkySchtuff · · Score: 5, Insightful

      Some people find TOR using a Chrome browser. Should they have the authority to remove that too only to tell you about it later in a blog?

      No, of course not. Old, known-bad versions of TOR that have numerous exploits active in the wild are removed. Not Chrome browser as it's not malicious software.

      To quote another poster a few threads down:

      If a PC was infected with Sefnit and had the signature old version of Tor in the hidden location, Tor was removed because it's logically the case that Tor was just part of the virus payload. Because of the unique install directory, there wasn't even a remote chance for false positives. Publicly available tools that can be used for good or bad are hijacked by viruses all the time, and it's never a surprise if an anti-virus removes that tool when the virus specific files are removed.

    8. Re:A Microsoft Killswitch by CohibaVancouver · · Score: 5, Funny

      I'm sorry, but your thoughtful and well-written response is counter to the "Me hate Microsoft me LOVE TOR" groupthink on Slashdot, where facts are irrelevant and just muddy the waters.

      Please move along.

      (You're welcome to join me as I sit quietly in the corner, waiting to get modded down to troll.)

    9. Re:A Microsoft Killswitch by Dracolytch · · Score: 5, Informative

      Did some more digging. Here are the details (from http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx):

      Cleanup efforts

      Since the Sefnit-caused Tor eruption in August, we have worked to curb this risk. In this process, we consulted with Tor project developers to help plan the cleanup. We retroactively remediated machines that had previously been cleaned of Sefnit but still had a Sefnit-added Tor service:

      October 27, 2013: We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.
      November 12, 2013: Signature and remediation is included in Malicious Software Removal Tool and delivered through Windows Update/Microsoft Update.

      --
      This sig has been enciphered with a one-time pad. It could say almost anything.
    10. Re:A Microsoft Killswitch by exomondo · · Score: 5, Informative

      Some people find TOR using a Chrome browser. Should they have the authority to remove that too only to tell you about it later in a blog?

      RTFA:
      "To fight back, Microsoft remotely removed the program from as many computers as it could, along with the Tor clients it used."

      Sounds like they removed the malware and the files it downloaded.

    11. Re:A Microsoft Killswitch by Fluffeh · · Score: 4, Insightful

      I would go one step further - and say that if you are REALLY on top of your game, then you would have noticed this malware running on your system, removed it yourself and the "eViL WiNdOwS" Malicious Software Removal Tool would have done nothing to your PC anyhow.

      If you aren't on the ball enough to notice that your system has become infected, don't be so quick to anger when someone else removes the problem on your behalf.

      --
      Moved to http://soylentnews.org/. You are invited to join us too!
    12. Re:A Microsoft Killswitch by Bacon+Bits · · Score: 5, Informative

      Should they have the authority to remove that too only to tell you about it later in a blog?

      Microsoft Security Essentials is antivirus software. By definition it must have the authority to remove, isolate, disable, and delete software from your computer. The computer owners installed MS Security Essentials precisely to perform this specific service.

      Have any Tor installations been removed that were not associated with Sefnit? It appears to me that the only software that was removed was the specific version of Tor that Sefnit used and, in most cases, when the Tor client had been installed as a system service (which is very, very non-standard). MS did not remove the most recent version of the client.

      You're just spreading FUD about a non-story. This is less interesting than all those stories about antivirus false positives rendering Windows unable to boot.

      --
      The road to tyranny has always been paved with claims of necessity.
    13. Re:A Microsoft Killswitch by nemesisrocks · · Score: 5, Informative

      He surmises that Microsoft used its Microsoft Security Essentials software to eliminate the programs, a program users must install themselves.

      Or he could read Microsoft's own statement, where they say exactly how they eliminated Tor:

      October 27, 2013: We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.

      November 12, 2013: Signature and remediation is included in Malicious Software Removal Tool and delivered through Windows Update/Microsoft Update.

    14. Re:A Microsoft Killswitch by OneAhead · · Score: 5, Informative

      If you RTFA, you will find that the Microsoft guys first figured out that Sefnit installs Tor in a very specific, unusual way in very specific, unusual location, then contacted the Tor developers to ask if there is any chance a legitimate user would do the same thing. Only then, they proceeded to remove Tor versions that were installed in this very specific way and location. Without any doubt, one of their operating parameters was to avoid collateral damage at all cost; if they screwed up, they could have caused the Microsoft PR disaster of the decade (and boy, is there stiff competition for that title).

    15. Re:A Microsoft Killswitch by Anonymous Coward · · Score: 2, Insightful

      *whew*

      "Microsoft Remotely Deleted Tor From Windows Machines To Stop Botnet" with no context screams "we can just remote into your system whenever we like". Having an infected client added to the malware list seems like a really responsible way to react to the threat.

      That being said, I'm still pretty sure they can just remote in whenever they like...

    16. Re:A Microsoft Killswitch by Runaway1956 · · Score: 2

      Bingo. In those years that I ran Windows, I always had a good idea of how my machine was running, how it was using resources, and what was calling for those resources. In the earlier days of virus infections, I seldom recognized a virus, and virus detectors failed to identify viruses. But, the fact that 60%+ of system resources were devoted to something that I couldn't identify was a sure tipoff.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    17. Re:A Microsoft Killswitch by __aaltlg1547 · · Score: 2

      They can certainly target any software they like by the same methods. I can't see them going after legit software that you installed yourself on purpose. That would open them up to the mother of all anti-trust lawsuits. Going after what everybody agrees are bad guys is safe.

    18. Re:A Microsoft Killswitch by bill_mcgonigle · · Score: 2

      Not Chrome browser as it's not malicious software.

      Hypothetically, one could write a botnet client that ran under Chrome's native code (making it platform-specific to Chrome). The results would be interesting on several axes - I'm sure Microsoft is praying nobody does that. The Shadows(b5) would write one to see what happens.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    19. Re:A Microsoft Killswitch by morgauxo · · Score: 2, Funny

      Hardly! They never could have uninstalled so many that way. Don't you know Windows Update doesn't run on pirated copies of Windows anymore?

    20. Re:A Microsoft Killswitch by Cenan · · Score: 4, Informative

      It might have been done through Windows Update.

      Not at first, although the signature for Tor v0.2.3.25 used in Sefnit was added later to the Malicious Software Removal Tool that Windows Update regularly pushes out.

      --
      ... whatever ...
    21. Re: A Microsoft Killswitch by VTBlue · · Score: 2

      So true. I just got modded down from +3 interesting to troll for posing the legal QUESTION of patents and indemnity for Linux in the previous JP Morgan ATM thread. The stupidest comments got modded up.

    22. Re:A Microsoft Killswitch by hairyfeet · · Score: 2

      What I don't understand is why anybody would get their panties in a bunch over this. I mean how many years did we hear "MS don't do enough to protect its users" while all those worms and bugs ran amok? Now we see MSFT getting rid of a program that 1.- Is out of date, 2.- Many users may not even know they have, 3.- Isn't being used by the users (or else it would have been updated) and most importantly 4.- Is being used in a major malware infection.

      As someone who fixes and sells PCs I can tell you that if you want to have ANY effect against the thousands of new nasties that appear every week you WILL have to do things like in TFA to help remove control and keep things from spreading. Heck, most of my customers, if they saw the word Tor in Add/Remove Programs, would assume it is something important and would be afraid to touch it.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    23. Re:A Microsoft Killswitch by Mondor · · Score: 2

      A part of every monthly Windows Update is a program called Malicious Software Removal Tool.

  2. Battle by Ksevio · · Score: 5, Insightful

    No one, not even the Tor developers themselves, knew how Microsoft had gone on a silent offensive against such a big opponent and won a decisive battle

    It seems pretty obvious - the people whose machine had Tor removed didn't know it was installed and weren't using it to begin with. When MS removed it, they didn't notice or complain.

    1. Re:Battle by Hangtime · · Score: 5, Insightful

      Exactly. This version of Tor was installed in a non-obvious and non-trivial location to get to, and as a service. Microsoft asked the Tor developers "Anybody actually do this?" Answer: "Nope." Microsoft then nuked the rogue Tor apps either through Microsoft Security Essentials or through the Malicious Software Removal Tool.

    2. Re:Battle by Lehk228 · · Score: 4, Funny

      botnets are like furries, inherently evil.

      --
      Snowden and Manning are heroes.
    3. Re:Battle by gnick · · Score: 5, Informative

      Was the botnet doing anything bad? Or was it just making Tor faster for everyone?

      Even if it was doing nothing but running tor in the background, then for people that don't have unlimited bandwidth use, yes, it was doing something bad.

      --
      He's getting rather old, but he's a good mouse.
    4. Re:Battle by KingMotley · · Score: 2

      Anything bad? As in taking up computer and network resources without authorization? Yes.

    5. Re:Battle by girlintraining · · Score: 5, Informative

      Was the botnet doing anything bad? Or was it just making Tor faster for everyone?

      Actually, it shit up the network so badly that Tor developers considered it effectively a DDoS attack. During the peak of the infection, the network was effectively unusable, with latencies exceeding that of the typical TCP connection timeout of 120 seconds. As it turns out, using an anonymizing network doesn't translate into knowing how to build a network-aware application that doesn't stomp on its own dick so hard that the only thing the bot-net ever appears to have done was shit up the Tor network -- it does not appear it was ever activated in any meaningful capacity because the botnet owner, having shit the network it connected to, wasn't able to actually send commands to the majority of clients.

      --
      #fuckbeta #iamslashdot #dicemustdie
    6. Re:Battle by exomondo · · Score: 2

      Was the botnet doing anything bad?

      Mining bitcoins.

    7. Re:Battle by Bacon+Bits · · Score: 2

      Your question is answered in TFA. They were mining BitCoins.

      --
      The road to tyranny has always been paved with claims of necessity.
    8. Re:Battle by steelfood · · Score: 2

      My tinfoil hat says it worked as intended. Making TOR unusable in this period of time would discourage its use by non-technical computer users who were probably flocking to it for privacy's sake.

      I mean, nobody'd do straight DDOS over TOR because exit nodes are limited and a DDOS just wouldn't happen by definition. And if somebody wanted to do C&C over TOR, wouldn't you think they'd set the zombies up to act as bridges and relays rather than straight clients? The tinfoil hat says this was deliberately done, as a reaction to current events.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
  3. Security Patch by eedwardsjr · · Score: 2

    There is always the possibility it could have been executed through the security patch subsystem. It has the capacity to execute scripts/executables.

    1. Re:Security Patch by PCM2 · · Score: 5, Funny

      Yeah ... when every few weeks or so Windows Update tells me it's going to download something called the Malicious Software Removal Tool, I've always wondered what it did. We might have a few new clues here.

      --
      Breakfast served all day!
  4. No killswitch by Anonymous Coward · · Score: 2, Insightful

    There's no "killswitch". It just got added to the definitions for removal. Nothing to see here.

  5. Re:Nothing to see here... by BasilBrush · · Score: 5, Informative

    Well we do know if we bother to RTFA.

  6. Re:Not sure how I feel about this... by BasilBrush · · Score: 5, Informative

    This is no different from anti-virus, because it WAS the Microsoft anti-virus tool that did it. A specific version of TOR in a specific hidden directory being part of the virus payload.

    Talk of not owning your own computer is nonsense. You are free to not run AV software if you prefer. It would be a dumb move, but you are free to do it.

  7. Re:Anyone surprised? by LinuxIsGarbage · · Score: 4, Informative

    Windows Update has doubled as Windows Remote Administration for years.

    Microsoft using their security software (Microsoft Security Essentials and Malicious Software Removal Tool) to tackle a real security hazard, while leaving legitimate Tor users unaffected? The horror!

  8. Re:Exactly how???? by cyberspittle · · Score: 4, Insightful

    Windows Update - malicious software removal tool. When you install Windows, or other Microsoft software, you agree to the End User License Agreement (EULA). There is nothing unusual about this. If the EULA is not agreeable, another OS should be installed.

  9. Microsoft malicious software removal tool.. by gallondr00nk · · Score: 3, Informative

    Removes malicious software, that just happens to use Tor.

    Come on /., you can do better than this.

    1. Re:Microsoft malicious software removal tool.. by mythosaz · · Score: 2

      It's not even good trolling on the author's part.

      It'd be like a piece of malware that installs an old copy of VNC for spying purposes, in a hidden folder, with an obscurely named .EXE, starting from an arcane point in the registry, and then leading with a headline of: Microsoft Removes VNC From Computers!

  10. Re:Next... by LinuxIsGarbage · · Score: 3, Insightful

    Upcoming:

    MS deletes Firefox, saying it was used to infect millions of computers.

    Microsoft only deleted the install used as part of Sefnit. They didn't disable legitimate installs, and they're not out to squash your freedom. From the blog:
    http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx

    The Tor client service left behind on a previously-infected machine may seem harmless at first glance - Tor is a good application used to anonymize traffic and usually poses no threat. Unfortunately, the version installed by Sefnit is v0.2.3.25 – and does not self-update. The latest Tor release build at the time of writing is v0.2.4.20.
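    An added example, not code from the article, this thread or Microsoft's blog post: a PowerShell triage script that lists Windows services whose binary is tor.exe and reports the properties this post and Bacon+Bits's reply above say set the Sefnit leftover apart from a user's own install (the fixed v0.2.3.25 build, registered as a service, sitting in an unusual hidden directory). The "known install roots" are an assumption of this example, the Sefnit drop directory is not on the page and is deliberately not hardcoded, and the binary is assumed to carry a version resource (reported as unknown otherwise).

```powershell
# Added example (not from the article or from Microsoft): enumerate services
# that run tor.exe and describe each one the way the thread describes the
# Sefnit-added client, so an admin can tell a leftover from a real install.

$SefnitTorVersion = '0.2.3.25'   # version named in the thread
$LatestAtTheTime  = '0.2.4.20'   # latest release named in the thread

# Assumption: directories a person would plausibly install Tor into.
# Anything outside these is reported as a non-standard location.
$KnownInstallRoots = @(
    "$env:ProgramFiles",
    ${env:ProgramFiles(x86)},
    "$env:USERPROFILE\Desktop\Tor Browser",
    "$env:LOCALAPPDATA\Programs"
) | Where-Object { $_ }

function Get-ServiceExecutablePath {
    param([string]$PathName)
    # Service PathName may be quoted and carry arguments, e.g.
    #   "C:\dir\tor.exe" -f torrc
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Get-TorServiceReport {
    # Match only a file actually named tor.exe, not monitor.exe or editor.exe.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -match '(?i)[\\/]tor\.exe\b' }

    foreach ($svc in $services) {
        $exe = Get-ServiceExecutablePath $svc.PathName
        $dir = Split-Path -Parent $exe

        $inKnownRoot = $false
        foreach ($root in $KnownInstallRoots) {
            if ($dir -like "$root*") { $inKnownRoot = $true }
        }

        # Is the containing directory marked hidden? (-Force sees hidden items.)
        $hidden = $false
        if (Test-Path -LiteralPath $dir) {
            $attr   = (Get-Item -LiteralPath $dir -Force).Attributes
            $hidden = ($attr -band [IO.FileAttributes]::Hidden) -ne 0
        }

        # Assumption: tor.exe carries a version resource; otherwise 'unknown'.
        $version = 'unknown'
        $sha256  = 'n/a'
        if (Test-Path -LiteralPath $exe) {
            $vi = (Get-Item -LiteralPath $exe -Force).VersionInfo
            if ($vi.ProductVersion) { $version = $vi.ProductVersion.Trim() }
            $sha256 = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        }

        $outdated = $false
        try { $outdated = [version]$version -lt [version]$LatestAtTheTime } catch { }

        [pscustomobject]@{
            Service       = $svc.Name
            StartMode     = $svc.StartMode
            State         = $svc.State
            Executable    = $exe
            Version       = $version
            SHA256        = $sha256
            HiddenDir     = $hidden
            InKnownRoot   = $inKnownRoot
            Outdated      = $outdated
            # All three traits the thread attributes to the Sefnit leftover.
            LooksLikeSefnitLeftover = ($version -eq $SefnitTorVersion) -and
                                      (-not $inKnownRoot) -and $hidden
        }
    }
}

Get-TorServiceReport | Format-List
```

    Run from an elevated prompt so service binaries in protected directories can be hashed; an empty result means no service on the box runs tor.exe at all.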

  11. Re:Nothing to see here... by LinuxIsGarbage · · Score: 4, Informative

    Well we do know if we bother to RTFA.

    Indeed

    Since the Sefnit-caused Tor eruption in August, we have worked to curb this risk. In this process, we consulted with Tor project developers to help plan the cleanup. We retroactively remediated machines that had previously been cleaned of Sefnit but still had a Sefnit-added Tor service:

            October 27, 2013: We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.
            November 12, 2013: Signature and remediation is included in Malicious Software Removal Tool and delivered through Windows Update/Microsoft Update.

  12. Re:Not sure how I feel about this... by mythosaz · · Score: 3, Insightful

    While the intention was definitely good, I personally would not want to use a machine that could be remotely accessed in such a manner.

    Well you're in luck!

    Using the Malicious Software Removal Tool is entirely voluntary.

  13. Re:Exactly how???? by Bert64 · · Score: 3, Informative

    If you install their software then you are trusting them to have control over your machine. Your hardware is doing exactly what microsoft has programmed it to do. And every time you install updates, you are allowing them to install a new set of program code on your machine.

    If you don't like it, run something else.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  14. Re:Fucking assholes by cyberspittle · · Score: 2

    Dude, you may want to step away from the keyboard and take a deep breath. This is not some uninvited guest helping themselves to your snacks. You allow them in via EULA. Perhaps taking a moment to breathe will prevent a knee-jerk reaction.

  15. Re:Exactly how???? by LinuxIsGarbage · · Score: 3, Interesting

    Exactly how does Microsoft gain access and remove software? Well I guess that means Microsoft has complete control of other people's PCs. What kind of F@#$%^ up nightmare is this?

    Well if we read the article

    Since the Sefnit-caused Tor eruption in August, we have worked to curb this risk. In this process, we consulted with Tor project developers to help plan the cleanup. We retroactively remediated machines that had previously been cleaned of Sefnit but still had a Sefnit-added Tor service:

            October 27, 2013: We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.
            November 12, 2013: Signature and remediation is included in Malicious Software Removal Tool and delivered through Windows Update/Microsoft Update.

    Microsoft Security Essentials is a popular antivirus program that people tout as being a good free option to Symantec or McAfee. In this case it seems it did a good job of squashing a botnet. Malicious Software Removal Tool is an update that comes monthly, with Windows updates, that can be disabled or deselected if you wish. The idea is that "This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month." So even if you don't use MSE or any other AV software, if you do updates, you will get the worst of the worst. Such as this, with millions infected by Sefnit.

    No hidden remote kill switch. No evil. The security tools did what they advertized to remove a threat, while leaving legitimate Tor users untouched.

  16. Re:All Tor Clients? by mythosaz · · Score: 2

    RTFA? Or any of the dozens of comments above yours?

    TFA is fucking garbage.

    MSRT removed a specific version of Tor in a specific arcane/obscured directory used only by a botnet.

  17. Had you bothered to read the article by nobuddy · · Score: 2

    you would realize how silly you look here.

    You: "hi. come on in! Welcome to my home. Have a seat, make yourself comfortable...... WHAT THE FUCK? HOW DID YOU GET IN MY HOUSE??"

  18. Re:Legal? by Ksevio · · Score: 2

    Isn't it illegal to secretly infiltrate a computer system and remove legal software from it?

    Yes it is.

    Fortunately, the software isn't exactly legal (it was illegally installed by a virus that is), and the machine isn't being secretly infiltrated (you get notified about the Malicious Software Removal if you look at the Windows Updates), so that's kind of a moot point.

  19. Re:Exactly how???? by OneAhead · · Score: 2

    I came here to say just this. TFA is a neat story in a general sense, but in the sense of "Microsoft controlling your computer", there's exactly nothing there we didn't know already. It can only be a surprise to people who don't know or are in denial about what it means to update their operating system. Every second Tuesday, Microsoft adds stuff to your Windows computers, which is way scarier than removing stuff, if one thinks about it for just a second.

  20. Re:Legal? by mcl630 · · Score: 3, Informative

    Yes, but that's not what happened here. If you read TFA, it was removed by Microsoft Security Essentials and the Malicious Software Removal Tool (from Windows Update) and it only removed a specific version of Tor installed in a specific folder. No legit install of Tor would have been in that specific folder.

    If you don't want MSE, don't use it. If you don't want Windows Updates, disable it. Otherwise accept that you're giving some control over your system to Microsoft.

  21. Re:Cost of ownership by bloodhawk · · Score: 3, Insightful

    Perhaps you should try something original... like reading the actual article.

  22. Comments from Jacob Appelbaum and Roger Dingledine by NeBan · · Score: 3, Informative

    Jacob Appelbaum and Roger Dingledine talked about this at the 30c3 conference last December. Here's a link to the video: https://www.youtube.com/watch?v=CJNxbpbHA-I They talk about this around the 39:55 mark. Basically they weren't thrilled about Microsoft doing such a thing, but on the other hand if the attack had been malicious it would have taken down the entire TOR network.

  23. At the risk of feeding the troll.... by rts008 · · Score: 2

    Well, I don't really detect sarcasm, and same for troll detection, yet I have a hard time accepting these as real questions, but what the hell....

    According to TFA, the botnet was mining bitcoins for the two botnet 'herders'.

    'Doing anything bad?'
    1.) Taking control away from the PC's owner and covertly installing malware
    2.) Using significant amounts of energy at the owners expense without agreement
    3.) Tor network users jumped from approx. 1 million users, to over 5 million users when this botnet went online. I imagine that would have the opposite effect of 'making Tor faster for everyone'
    4.) In some cases, clogging and disrupting users networks

    In other words, not doing anything good, and a whole lot of bad.

    This is one time that Microsoft was acting responsibly, and did the right thing, IMHO.
    The Microsoft anti-malware tools worked as designed, although a bit more proactive than the normal reactive incident.

    --
    Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
  24. Re:No one spoke out for tor by AK+Marc · · Score: 2

    As it affected no one, nobody noticed or cared, and nobody was inconvenienced, other than botnet owners.

  25. Re:Cost of ownership by gmuslera · · Score: 2

    I did, also read this politician calling for banning open source and anonymizing software. The precedent is set, just wait a few months.