In October 2013, Microsoft adopted a silent, offensive method to tackle infection due to a Tor-based botnet malware called '
Sefnit'.
In an effort to takedown of the Sefnit botnet to protect windows users, Microsoft remotely
removes the older versions of installed Tor Browser software and
infection from 2 Million systems, even without the knowledge of the
system's owner.
Last year in August, after Snowden revelations about the National Security Agency's (NSA) Spying programs, the Internet users were under fear of being spied. During the same time Tor Project leaders noticed almost 600% increase in the number of users over the anonymizing networks of Tor i.e. More than 600,000 users join Tor within few weeks.
In September, researchers identified the major reason of increased Tor users i.e. A Tor-based botnet called 'Sefnit malware', which was infecting millions of computers for click fraud and bitcoin mining.
To achieve the maximum number of infections, cyber
criminals were using several ways to spread their botnet. On later
investigation, Microsoft discovered some popular softwares like Browser Protector and FileScout, bundled with vulnerable version of Tor Browser & Sefnit components.
'The security problem lies in the
fact that during a Sefnit component infection, the Tor client service is
also silently installed in the background. Even after Sefnit is
removed, unless specific care is taken, the Tor service will be left and
still regularly connect to the Tor Network.'
It was not practically possible for Microsoft or the Government to instruct each individual on 'How to remove this Malware', so finally Microsoft took the decision of remotely washing out the infections themselves.
To clean infected machines, Microsoft began updating definitions for its antimalware apps.
"We modified our signatures to remove the Sefnit-added Tor client
service. Signature and remediation are included in all Microsoft
security software, including Microsoft Security Essentials, Windows
Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center
Endpoint Protection, and Windows Defender Offline." and later also in Malicious Software Removal Tool.
But why Tor Browser?
"Even after Sefnit is removed, unless specific care is taken, the Tor
service will be left and still regularly connect to the Tor Network.
This is a problem not only for the workload it applies to the Tor Network, but also for the security of these computers." Microsoft says.
So they removed it and to Justify their action, Microsoft points out
several vulnerabilities in the Tor version bundled with Sefnit malware
i.e. Tor version 0.2.3.25, that opens the user to attack through these known vulnerabilities.
"Tor is a good application used to anonymous traffic and usually
poses no threat. Unfortunately, the version installed by Sefnit is
v0.2.3.25 – and does not self-update. The latest Tor release builds at
the time of writing is v0.2.4.20."
May be this is the right way to neutralize the infections, but the
Microsoft's action also clarifies the capability to remotely remove any
software from your computer.
Source : THN
