Microsoft remotely deleted Tor Browser from more than 2 Million Systems


In October 2013, Microsoft adopted a silent, offensive method to tackle infections caused by a Tor-based botnet malware called ‘Sefnit’.

In an effort to take down the Sefnit botnet and protect Windows users, Microsoft remotely removed older versions of the installed Tor Browser software from 2 million systems, without the knowledge of the system owners or the Tor developers.

In August last year, after Snowden’s revelations about the National Security Agency’s (NSA) spying programs, Internet users feared being spied on.

Around the same time, Tor Project leaders noticed an almost 600% increase in the number of users on the Tor anonymizing network, i.e. the total number of users grew from 600,000 to 1.2 million within weeks.

In September, researchers identified the main reason for the increase in Tor users: a Tor-based botnet called ‘Sefnit’, which was infecting millions of computers for click fraud and bitcoin mining.
To maximize the number of infections, the cyber criminals spread their botnet in several ways. On later investigation, Microsoft discovered that some popular software, such as Browser Protector and FileScout, was bundled with a vulnerable version of Tor Browser and Sefnit components.
“The security problem lies in the fact that during a Sefnit component infection, the Tor client service is also silently installed in the background. Even after Sefnit is removed, unless specific care is taken, the Tor service will be left and still regularly connect to the Tor Network.”
Microsoft remotely uninstalled Tor software from computers to halt botnet
It was not practical for Microsoft or the government to instruct each individual on how to remove this malware, so Microsoft finally decided to clean out the infections remotely itself.
To clean infected machines, Microsoft began updating definitions for its antimalware apps.
“We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.” The remediation was later added to the Malicious Software Removal Tool as well.

But why remove Tor Browser, rather than just the malware executables?

To justify its action, Microsoft points to several vulnerabilities in the Tor version used by Sefnit, which leave the user open to attack through these known vulnerabilities.
“Tor is a good application used to anonymize traffic and usually poses no threat. Unfortunately, the version installed by Sefnit is v0.2.3.25 – and does not self-update. The latest Tor release build at the time of writing is v0.2.4.20.”
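The leftover service described in the quotes above can be audited locally. The following PowerShell is an added example, not Microsoft's remediation or code from the original article; it assumes the leftover client binary is named tor.exe, since the article gives no service name or install path.

```powershell
# Added example: list Windows services whose binary is tor.exe.
# Assumption: the leftover client binary is named tor.exe; the article gives no
# service name or install path, so neither is matched here.
$BundledBySefnit = '0.2.3.25'   # version the quoted text says Sefnit installs

function Get-ServiceExePath {
    param([string]$PathName)
    # Win32_Service.PathName can be quoted and can carry arguments.
    if ($PathName -match '^\s*"([^"]+)"')          { return $Matches[1] }
    if ($PathName -match '^\s*(\S.*?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

function Find-TorService {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $exe = Get-ServiceExePath $_.PathName
        # 'return' inside ForEach-Object skips to the next service.
        if (-not $exe -or (Split-Path $exe -Leaf) -ne 'tor.exe') { return }
        $file = Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue
        # Version comes from file metadata only; the binary is never executed.
        # The field can be empty when the build carries no version resource.
        $ver = if ($file) { $file.VersionInfo.ProductVersion } else { $null }
        [pscustomobject]@{
            Service   = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Account   = $_.StartName
            Path      = $exe
            Version   = $ver
            Signature = if ($file) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }
            SHA256    = if ($file) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { $null }
            # Flag the bundled version, or an unknown version on an auto-start service.
            Review    = ($ver -like "$BundledBySefnit*") -or ((-not $ver) -and ($_.StartMode -eq 'Auto'))
        }
    }
}

Find-TorService | Format-List
```

A tor.exe service that the machine's owner did not install, starts automatically and reports the bundled version (or no version at all) is the case the quoted text describes; the hash and signature status give an analyst something to compare before deciding what to remove.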

But among these 2 million systems, many would obviously have had Tor Browser installed intentionally, to keep their users anonymous on the Internet.

Why not Internet Explorer?
Microsoft’s own Internet Explorer browser has more than 221 known vulnerabilities, many of them of ‘critical’ severity, which allow remote attackers to execute arbitrary code or cause a denial of service.

Why hasn’t Microsoft remotely deleted or removed Internet Explorer from Windows users’ systems to protect them?

The action also makes Microsoft’s capability clear: it is able to remove any software from your computer. Is that not worrying?


