It was August 2013 when security experts noted a spike in Tor traffic network caused by cybercriminals activities, the malware specialists discovered a botnet based on Mevade malware, in mid-August the number of Tor users had skyrocketed from 500,000 to close to 3 million. The security expert speculated that traffic was generated by communication of bots with C&C servers hidden in the Tor network. Bot agent for the Mevade malware family used “Sefnit” code dated 2009 that included Tor connectivity. The malware implemented a backup mechanism for its C&C communications with a Tor component.
“The botnet of Sefnit hosted proxies are used to relay HTTP traffic to pretend to click on advertisements,” said Microsoft Malware Protection Center researcher Geoff McDonald.
The botnet was infecting millions of computers for click fraud and bitcoin mining, so in October 2013, Microsoft decided decided to go on the attack with a stealth offensive to decapitate the Tot-botnet based on the Sefnit malware, an agent belonging to the same click-fraud scam family malicious code of Mevade .
Microsoft decided to silently remotely remove older versions Tor Browser software from nearly 2 Million systems, the operation was conducted without informing both Microsoft customers neither the Tor developers.
Microsoft experts remarked that Sefnit malware silently installed a Tor client on infected machines, even if it is removed the Tor service will be left and still regularly connect to the Tor Network. The Sefnit removal according Microsoft requests the execution of a specific procedures hard to explain to its customers, that’s why Microsoft decided to remotely erase every component belonging to the botnet.
“’The security problem lies in the fact that during a Sefnit component infection, the Tor client service is also silently installed in the background. Even after Sefnit is removed, unless specific care is taken, the Tor service will be left and still regularly connect to the Tor Network.‘” States the official blog post.
To sanitize the infected machines, Microsoft has updated all its security products including information and instructions to detect the presence of malicious Tor client service and remove it.
“We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.” Reports Microsoft.
Microsoft points out several vulnerabilities in the Tor version v0.2.3.25 used by Sefnit, unfortunately the bundle is not upgradeable to the successive version, so the company decided to close loophole uninstalling the browser instead to simply delete the Sefnit code.
“Tor is a good application used to anonymize traffic and usually poses no threat. Unfortunately, the version installed by Sefnit is v0.2.3.25 – and does not self-update. The latest Tor release builds at the time of writing is v0.2.4.20.“
The side effect was that the decision of Microsoft impacted also all the Tor users that intentionally have installed the anonymizing browser, 2 Million systems were cleaned with this technique.
It is very concerning the fact that the company could arbitrary decide to remove a software on any system based on its OS.
The Internet community has considered the decision of Microsoft to remove Tor browsers without any alert, too arrogant. Many experts are questioning about why Microsoft has not followed the same policy for its IE browser which is known to be suffering from hundreds of vulnerabilities, many of which are critical and which expose the safety of customers at serious risk.
(Security Affairs – Microsoft, Sefnit)