
BLOG: Researchers discover Spoiled Onions: Evil Tor exit relays spying on Facebook users

Ms Smith (Network World) | Jan. 23, 2014
First Microsoft remotely deleted Tor from 2 million PCs to take down the Sefnit botnet; then researchers found a few malicious exit relays running in Russia that were used for man-in-the-middle (MitM) attacks.

Tor, The Onion Router that helps protect users' privacy, just can't catch a break lately. First Microsoft remotely deleted Tor from Windows machines during an attempt to take down the Sefnit botnet. Then the research paper, Spoiled Onions: Exposing Malicious Tor Exit Relays [pdf], explained how evil exit nodes in Russia were being used to spy on Facebook users as well as Tor users browsing other sites.

Microsoft deleting Tor
In an attempt to take down the Sefnit botnet, Microsoft remotely removed Tor from about two million Windows machines. Win32/Sefnit has been a problem for the Tor network since last August. Geoff McDonald, of the Microsoft Malware Protection Center, wrote, "Based on the Tor Network's connecting-user estimates, evidence suggests this resulted in more than four million Sefnit-installed Tor client services pushed in just over two weeks."

Although "Tor is a good application used to anonymize traffic and usually poses no threat," McDonald added that "Tor has a history of high-severity vulnerabilities."

Some of these vulnerabilities can be exploited for the remote execution of arbitrary code without authentication - essentially giving an attacker access to take over the machine remotely. This Tor service is a security risk to the machines even after Sefnit has been removed, since it is probable that a serious security vulnerability will be identified in the future. In summary, this means that a malicious actor may be able to infect millions of machines with any malware at some point in the future.

Because Sefnit installs Tor v0.2.3.25, which "does not self-update," Microsoft added a signature for that malware-installed Tor version to its Malicious Software Removal Tool, "delivered through Windows Update/Microsoft Update." McDonald explained:

The security problem lies in the fact that during a Sefnit component infection, the Tor client service is also silently installed in the background. Even after Sefnit is removed, unless specific care is taken, the Tor service will be left and still regularly connect to the Tor Network. This is a problem not only for the workload it applies to the Tor Network, but also for the security of these computers.

[Graph: Microsoft takedown of Tor infected with Sefnit botnet]

Although Sefnit/Tor was remotely removed from two million machines, Microsoft said "more work is needed to address an estimated two million machines that have yet to be reached. Many of the unreached machines are likely not running Microsoft security software, and we need your help to reduce this risk further."

What does Tor Project think about Microsoft remotely removing Tor? Andrew Lewman, Tor's executive director, told the Daily Dot, "It sounds scary until you realize users opt-in for the most part and agree to have their OS kept 'secure' by Microsoft."

