Skip to main content

Microsoft remotely deleted Tor-based 'Sefnit Botnet' from more than 2 Million Systems

In October 2013, Microsoft adopted a silent, offensive method to tackle infection due to a Tor-based botnet malware called 'Sefnit'.

In an effort to takedown of the Sefnit botnet to protect windows users, Microsoft remotely removes the older versions of installed Tor Browser software and infection from 2 Million systems, even without the knowledge of the system's owner.


Last year in August, after Snowden revelations about the National Security Agency's (NSA) Spying programs, the Internet users were under fear of being spied. During the same time Tor Project leaders noticed almost 600% increase in the number of users over the anonymizing networks of Tor i.e. More than 600,000 users join Tor within few weeks.

In September, researchers identified the major reason of increased Tor users i.e. A Tor-based botnet called 'Sefnit malware', which was infecting millions of computers for click fraud and bitcoin mining.

To achieve the maximum number of infections, cyber criminals were using several ways to spread their botnet. On later investigation, Microsoft discovered some popular softwares like Browser Protector andFileScout, bundled with vulnerable version of Tor Browser & Sefnit components.
'The security problem lies in the fact that during a Sefnit component infection, the Tor client service is also silently installed in the background. Even after Sefnit is removed, unless specific care is taken, the Tor service will be left and still regularly connect to the Tor Network.'
Microsoft remotely uninstalled Tor software from computers to halt botnet
It was not practically possible for Microsoft or the Government to instruct each individual on 'How to remove this Malware', so finally Microsoft took the decision of remotely washing out the infections themselves. 

To clean infected machines, Microsoft began updating definitions for its antimalware apps.
"We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline." and later also in Malicious Software Removal Tool.
But why Tor Browser?
"Even after Sefnit is removed, unless specific care is taken, the Tor service will be left and still regularly connect to the Tor Network. This is a problem not only for the workload it applies to the Tor Network, but also for the security of these computers." Microsoft says.
So they removed it and to Justify their action, Microsoft points out several vulnerabilities in the Tor version bundled with Sefnit malware i.e. Tor version 0.2.3.25, that opens the user to attack through these known vulnerabilities.
"Tor is a good application used to anonymous traffic and usually poses no threat. Unfortunately, the version installed by Sefnit is v0.2.3.25 – and does not self-update. The latest Tor release builds at the time of writing is v0.2.4.20."
Tor Browser
May be this is the right way to neutralize the infections, but the Microsoft's action also clarifies the capability to remotely remove any software from your computer.

Nicholas J. Hopper from University of Minnesota, provided a detailed explanation about 'Protecting Tor from botnet abuse in the long term' in a paper.

Comments

Popular posts from this blog

HC WeB : A Browser for HACKERS...

A Browser for HACKERS... Try for Free... Download HC WeB Setup Gallery: Online Penetration Testing Tools Index Information Gathering Whois DNS Location Info Enumeration and Fingerprint Data Mining Search Engines Editors Online Text Editors Share Text Snippets Network Utilities Ping HTTP HTTPS VNC Remote Desktop SSH DNS Sniffers Misc Forensics Frameworks URL Cloaking E-mail Password Cracking Encoders and Decoders Encoders Decoders Malwares Malware Analysis Identify Malicious Websites Suspected Malicious IPs and URLs Application Auditing SQL Injection Cross Site Scripting File Inclusion Anonymity Proxy Others Hackery Open Penetration Testing Bookmarks Collection Hacker Media Blogs, Forums, Magazines and Videos. Methodologies Penetration testing frameworks, standards and methodologies. OSINT Presentations, People, Organizations and Infrastructure.  Exploits and Ad

Edward Snowden nominated for Nobel Peace Prize 2014

Now there is really great news for all the supporters of Former National Security Agency ( NSA ) contractor Edward Snowden , as he is nominated for the 2014 Nobel Peace Prize by two Norwegian lawmakers. Snorre Valen and Baard Vegar Solhjell , parliamentarians from Norway’s Socialist Left Party said, “ He has contributed to revealing the extreme level of surveillance by nations against other nations and of citizens ,”     Edward Snowden revealed various widely extended NSA spying projects and responsible for handing over the material from one of the world's most secretive organizations the NSA. He faces charges of theft and espionage and is in Russia on temporary asylum. “ Snowden contributed to people knowing about what has happened and spurring public debate ” on trust in government, which he said was “ a fundamental requirement for peace ”. Snorre Valen also added that, “ There’s no doubt that the actions of Edward Snowden may have damaged the securi

Facebook Open URL Redirection Vulnerability

About 2 week ago, I discovered an open url redirection vulnerability in Facebook that allowed me to have a facebook.com link redirect to any website without restrictions & users  confirmation Description: [#] Title           :  Facebook Open URL Redirection  [#] Status        :  fixed [#] Severity     :  High [#] Works on  :  Any browser with any version [#] Homepage  : www.facebook.com [#] Author       :  Jitendra Jaiswal ( India ) The flaw exists in the way facebook handled the u parameter. Visiting the link below would always redirect to the facebook homepage: http://www.facebook.com/a.php?u=http%3A%2F%2Fjeet.com But I noticed that changing the url to a another url , for example: http://www.facebook.com/a.php?u=http%3A%2F%2Fyahoo.com in that the target destination yahoo.com and it will redirect successfully: http://www.facebook.com/a.php?u=http%3A%2F%2Fyahoo.com Facebook have the ability to filter and ban particular websites from redirect