
Microsoft remotely deleted Tor-based 'Sefnit Botnet' from more than 2 Million Systems

In October 2013, Microsoft adopted a silent, offensive method to tackle infections caused by a Tor-based botnet malware called 'Sefnit'.

In an effort to take down the Sefnit botnet and protect Windows users, Microsoft remotely removed older versions of the installed Tor Browser software, along with the infection, from 2 million systems, without the knowledge of the systems' owners.


Last year in August, after the Snowden revelations about the National Security Agency's (NSA) spying programs, Internet users feared being spied on. Around the same time, Tor Project leaders noticed an almost 600% increase in the number of users on the Tor anonymizing network, i.e. more than 600,000 users joined Tor within a few weeks.

In September, researchers identified the main reason for the increase in Tor users: a Tor-based botnet called 'Sefnit malware', which was infecting millions of computers for click fraud and bitcoin mining.

To achieve the maximum number of infections, the cyber criminals used several ways to spread their botnet. On later investigation, Microsoft discovered that some popular software, such as Browser Protector and FileScout, was bundled with a vulnerable version of Tor Browser and Sefnit components.
'The security problem lies in the fact that during a Sefnit component infection, the Tor client service is also silently installed in the background. Even after Sefnit is removed, unless specific care is taken, the Tor service will be left and still regularly connect to the Tor Network.'
Microsoft remotely uninstalled Tor software from computers to halt botnet
It was not practical for Microsoft or the Government to instruct each individual on 'How to remove this Malware', so Microsoft finally decided to remotely clean out the infections itself.

To clean infected machines, Microsoft began updating definitions for its antimalware apps.
"We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline." The same remediation was later added to the Malicious Software Removal Tool.
But why Tor Browser?
"Even after Sefnit is removed, unless specific care is taken, the Tor service will be left and still regularly connect to the Tor Network. This is a problem not only for the workload it applies to the Tor Network, but also for the security of these computers." Microsoft says.
So they removed it. To justify the action, Microsoft points to several known vulnerabilities in the Tor version bundled with the Sefnit malware, i.e. Tor version 0.2.3.25, that leave the user open to attack.
"Tor is a good application used to anonymize traffic and usually poses no threat. Unfortunately, the version installed by Sefnit is v0.2.3.25 – and does not self-update. The latest Tor release builds at the time of writing is v0.2.4.20."
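A defender-side triage for the leftover service described above, as an added example that is not from the original article or from Microsoft: it scans a service inventory for entries whose binary is tor.exe and flags versions older than v0.2.4.20. The sample rows (shaped like the Name, StartMode and PathName columns of Win32_Service), the service names, the paths and the separately collected version banner are all constructed assumptions.

```python
import ntpath
import re

BASELINE = (0, 2, 4, 20)  # newest release named in the article (v0.2.4.20)

# Constructed sample rows (not real telemetry). Name/StartMode/PathName mirror
# Win32_Service columns; Banner is assumed to be collected separately.
SAMPLE_SERVICES = [
    {"Name": "Spooler", "StartMode": "Auto",
     "PathName": r"C:\Windows\System32\spoolsv.exe"},
    {"Name": "ExampleSvcA", "StartMode": "Auto",
     "PathName": r'"C:\ProgramData\Example App\Tor\tor.exe" -f torrc',
     "Banner": "Tor version 0.2.3.25."},
    {"Name": "ExampleSvcB", "StartMode": "Manual",
     "PathName": r"C:\Tools\Tor\TOR.EXE -f torrc",
     "Banner": "Tor version 0.2.4.20."},
    {"Name": "ExampleSvcC", "StartMode": "Auto",
     "PathName": r"C:\Program Files\Example\tor.exe"},
]

# Service command lines may be quoted, or unquoted with spaces in the path.
IMAGE_RE = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.exe)(?=\s|$))', re.IGNORECASE)
VERSION_RE = re.compile(r"Tor version (\d+(?:\.\d+){2,3})")

def image_path(path_name):
    """Extract the executable path from a service command line."""
    m = IMAGE_RE.match(path_name)
    return (m.group(1) or m.group(2)) if m else path_name.strip()

def parse_version(banner):
    """Turn 'Tor version 0.2.3.25.' into (0, 2, 3, 25); None if absent."""
    m = VERSION_RE.search(banner or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def audit(services, baseline=BASELINE):
    """Return one finding per service whose image is tor.exe."""
    findings = []
    for svc in services:
        image = image_path(svc["PathName"])
        if ntpath.basename(image).lower() != "tor.exe":
            continue
        version = parse_version(svc.get("Banner"))
        verdict = ("unknown-version" if version is None
                   else "outdated" if version < baseline else "current")
        findings.append({"Name": svc["Name"], "Image": image,
                         "StartMode": svc["StartMode"], "Verdict": verdict})
    return findings
```

Tor Browser normally starts tor.exe as a child process rather than as a Windows service, so every hit deserves a look; a renamed binary would evade the basename match.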
Maybe this is the right way to neutralize the infections, but Microsoft's action also makes clear its capability to remotely remove any software from your computer.

Nicholas J. Hopper from the University of Minnesota provided a detailed explanation in a paper on 'Protecting Tor from botnet abuse in the long term'.
