
Microsoft Remotely Deleted Tor From Windows Machines To Stop Botnet

timothy posted about a year ago | from the because-they-can dept.

Security 214

An anonymous reader writes "Microsoft remotely deleted old versions of Tor anonymizing software from Windows machines to prevent them from being exploited by Sefnit, a botnet that spread through the Tor network. It's unclear how many machines were affected, but the total number of computers on the Tor network ballooned from 1 million to 5.5 million as Sefnit spread. 'By October, the Tor network had dropped two million users thanks to Sefnit clients that had been axed. No one, not even the Tor developers themselves, knew how Microsoft had gone on a silent offensive against such a big opponent and won a decisive battle,' the Daily Dot reported. In a blog post, Microsoft claimed it views Tor as a 'good application,' but leaving it installed presented a severe threat to the infected machines."


A Microsoft Killswitch (2, Interesting)

gishzida (591028) | about a year ago | (#45980095)

Who knew?

Re:A Microsoft Killswitch (5, Informative)

BasilBrush (643681) | about a year ago | (#45980145)

So-called anti-virus software is a kill switch. So everyone who knew their Windows PC was running Windows Security Essentials or any of the other Microsoft AV products knew.

Re:A Microsoft Killswitch (2, Informative)

Anonymous Coward | about a year ago | (#45980149)

"Despite the warnings about the privacy of Windows users from Jacob Appelbaum while on stage in Germany, Lewman seems less concerned. He surmises that Microsoft used its Microsoft Security Essentials software to eliminate the programs, a program users must install themselves."

Re:A Microsoft Killswitch (5, Informative)

nemesisrocks (1464705) | about a year ago | (#45980575)

He surmises that Microsoft used its Microsoft Security Essentials software to eliminate the programs, a program users must install themselves.

Or he could read Microsoft's own statement [technet.com], where they say exactly how they eliminated Tor:

October 27, 2013: We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.

November 12, 2013: Signature and remediation is included in Malicious Software Removal Tool and delivered through Windows Update/Microsoft Update.

Re:A Microsoft Killswitch (5, Informative)

LinuxIsGarbage (1658307) | about a year ago | (#45980187)

Who knew?

"Malicious Software Removal Tool" has been a Windows update for years. (Since 2005: http://en.wikipedia.org/wiki/Windows_Malicious_Software_Removal_Tool [wikipedia.org]) What did you think it did? You have the option of not running it. If the update is selected / run it is a local program run one time after updates are installed that "checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month."

http://www.microsoft.com/en-ca/download/malicious-software-removal-tool-details.aspx [microsoft.com]

Re:A Microsoft Killswitch (-1, Troll)

number17 (952777) | about a year ago | (#45980327)

What did you think it did? You have the option of not running it.

The technical information [microsoft.com] doesn't exactly say it removes TOR or any particular version:

Additional information
The Sefnit family is known to use Tor or SSH provided by PuTTY as its C&C communication channel.

Some variants add a Tor service under the display name "Tor Win32 Service". This is a legitimate service that is used by the trojan to anonymize its network traffic.

Since August 2013, there has been a considerable increase in the Tor network's incoming connecting users - this is believed to be as a result of the Sefnit family using Tor for its C&C communication. This is shown in the following graph from the Tor metrics portal:

Some people find TOR using a Chrome browser. Should they have the authority to remove that too only to tell you about it later in a blog?

Re:A Microsoft Killswitch (2)

mythosaz (572040) | about a year ago | (#45980375)

Well, you grant it that authority, so unless you're suggesting you shouldn't have that authority, I don't know what your point is.

Re:A Microsoft Killswitch (4, Insightful)

Fluffeh (1273756) | about a year ago | (#45980555)

I would go one step further - and say that if you are REALLY on top of your game, then you would have noticed this malware running on your system, removed it yourself and the "eViL WiNdOwS" Malicious Software Removal Tool would have done nothing to your PC anyhow.

If you aren't on the ball enough to notice that your system has become infected, don't be so quick to anger when someone else removes the problem on your behalf.

Re:A Microsoft Killswitch (5, Insightful)

PhunkySchtuff (208108) | about a year ago | (#45980435)

Some people find TOR using a Chrome browser. Should they have the authority to remove that too only to tell you about it later in a blog?

No, of course not. Old, known-bad versions of TOR that have numerous exploits active in the wild are removed. Not Chrome browser as it's not malicious software.

To quote another poster [slashdot.org] a few threads down

If a PC was infected with Sefnit and had the signature old version of Tor in the hidden location, Tor was removed because it's logically the case that Tor was just part of the virus payload. Because of the unique install directory, there wasn't even a remote chance for false positives. Publicly available tools that can be used for good or bad are hijacked by viruses all the time, and it's never a surprise if an anti-virus removes that tool when the virus specific files are removed.

Re:A Microsoft Killswitch (5, Informative)

exomondo (1725132) | about a year ago | (#45980499)

Some people find TOR using a Chrome browser. Should they have the authority to remove that too only to tell you about it later in a blog?

RTFA:
"To fight back, Microsoft remotely removed the program from as many computers as it could, along with the Tor clients it used."

Sounds like they removed the malware and the files it downloaded.

Re:A Microsoft Killswitch (5, Informative)

Bacon Bits (926911) | about a year ago | (#45980559)

Should they have the authority to remove that too only to tell you about it later in a blog?

Microsoft Security Essentials is antivirus software. By definition it must have the authority to remove, isolate, disable, and delete software from your computer. The computer owners installed MS Security Essentials precisely to perform this specific service.

Have any Tor installations been removed that were not associated with Sefnit? It appears to me that the only software that was removed was the specific version of Tor that Sefnit used and, in most cases, when the Tor client had been installed as a system service (which is very, very non-standard). MS did not remove the most recent version of the client.

You're just spreading FUD about a non-story. This is less interesting than all those stories about antivirus false positives rendering Windows unable to boot [cnet.com].

Re:A Microsoft Killswitch (5, Informative)

OneAhead (1495535) | about a year ago | (#45980679)

If you RTFA, you will find that the Microsoft guys first figured out that Sefnit installs Tor in a very specific, unusual way in a very specific, unusual location, then contacted the Tor developers to ask if there is any chance a legitimate user would do the same thing. Only then did they proceed to remove Tor versions that were installed in this very specific way and location. Without any doubt, one of their operating parameters was to avoid collateral damage at all cost; if they screwed up, they could have caused the Microsoft PR disaster of the decade (and boy, is there stiff competition for that title).

Re:A Microsoft Killswitch (5, Interesting)

mechtech256 (2617089) | about a year ago | (#45980219)

This doesn't sound much different to any other anti-virus removal. Microsoft almost certainly used the Microsoft Security Essentials update to kill Sefnit, as they do with so many other viruses.

"the total number of computers on the Tor network ballooned from 1 million to 5.5 million as Sefnit spread"

These weren't dedicated Tor nodes that were taken offline because they were being used for malicious purposes, these were infected PCs with a virus that used Tor as the communication protocol. An outdated and vulnerable version of Tor was hidden in a "location that almost no human user would"

If a PC was infected with Sefnit and had the signature old version of Tor in the hidden location, Tor was removed because it's logically the case that Tor was just part of the virus payload. Because of the unique install directory, there wasn't even a remote chance for false positives. Publicly available tools that can be used for good or bad are hijacked by viruses all the time, and it's never a surprise if an anti-virus removes that tool when the virus specific files are removed.

Re:A Microsoft Killswitch (5, Funny)

CohibaVancouver (864662) | about a year ago | (#45980437)

I'm sorry, but your thoughtful and well-written response is counter to the "Me hate Microsoft me LOVE TOR" groupthink on Slashdot, where facts are irrelevant and just muddy the waters.

Please move along.

(You're welcome to join me as I sit quietly in the corner, waiting to get modded down to troll.)

No one spoke out for tor (0)

nurb432 (527695) | about a year ago | (#45980805)

No one spoke out since it didn't affect them...

Re:A Microsoft Killswitch (5, Informative)

Dracolytch (714699) | about a year ago | (#45980463)

Did some more digging. Here are the details (from http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx [technet.com]):

Cleanup efforts

Since the Sefnit-caused Tor eruption in August, we have worked to curb this risk. In this process, we consulted with Tor project developers to help plan the cleanup. We retroactively remediated machines that had previously been cleaned of Sefnit but still had a Sefnit-added Tor service:

October 27, 2013: We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.
November 12, 2013: Signature and remediation is included in Malicious Software Removal Tool and delivered through Windows Update/Microsoft Update.

Re:A Microsoft Killswitch (0)

Anonymous Coward | about a year ago | (#45980549)

Holy shit, they did something right.

Re:A Microsoft Killswitch (4, Interesting)

timeOday (582209) | about a year ago | (#45980351)

A spam black hole is exactly the same thing, and so is gmail's spam filter. If some things are in and some are out, then somebody somewhere made that call.

I am actually appreciating more and more, in retrospect, how non-intrusive Microsoft was for all those years and still is. Compared to today's Internet, and the PowerBook that wants a credit card number before I can even do a software update or download XCode (since it's all linked to the App Store now), Microsoft was/is a model of responsibility.

Battle (5, Insightful)

Ksevio (865461) | about a year ago | (#45980105)

No one, not even the Tor developers themselves, knew how Microsoft had gone on a silent offensive against such a big opponent and won a decisive battle

It seems pretty obvious - the people whose machine had Tor removed didn't know it was installed and weren't using it to begin with. When MS removed it, they didn't notice or complain.

Re:Battle (5, Insightful)

Hangtime (19526) | about a year ago | (#45980235)

Exactly. This version of Tor was installed in a non-obvious and non-trivial location to get to, and as a service. Microsoft asked the Tor developers "Anybody actually do this?" Answer: "Nope." Microsoft then nuked the rogue Tor apps either through Microsoft Security Essentials or through the Malicious Software Removal Tool.

Re:Battle (1, Interesting)

mrbluze (1034940) | about a year ago | (#45980337)

Exactly. This version of Tor was installed in a non-obvious and non-trivial location to get to, and as a service. Microsoft asked the Tor developers "Anybody actually do this?" Answer: "Nope." Microsoft then nuked the rogue Tor apps either through Microsoft Security Essentials or through the Malicious Software Removal Tool.

Was the botnet doing anything bad? Or was it just making Tor faster for everyone?

Re:Battle (4, Funny)

Lehk228 (705449) | about a year ago | (#45980407)

botnets are like furries, inherently evil.

Re:Battle (1)

Anonymous Coward | about a year ago | (#45980431)

Yeah, having thousands of Tor entrance and exit nodes under the control of a mysterious botnet sure would speed up the network!

I mean, it might make you somewhat less anonymous to whoever controlled the botnet, but it's not like that's the whole goddamn point, is it?

Re:Battle (5, Informative)

gnick (1211984) | about a year ago | (#45980441)

Was the botnet doing anything bad? Or was it just making Tor faster for everyone?

Even if it was doing nothing but running tor in the background, then for people who don't have unlimited bandwidth use, yes, it was doing something bad.

Re:Battle (2)

KingMotley (944240) | about a year ago | (#45980461)

Anything bad? As in taking up computer and network resources without authorization? Yes.

Re:Battle (5, Informative)

girlintraining (1395911) | about a year ago | (#45980483)

Was the botnet doing anything bad? Or was it just making Tor faster for everyone?

Actually, it shit up the network so badly that Tor developers considered it effectively a DDoS attack. During the peak of the infection, the network was effectively unusable, with latencies exceeding that of the typical TCP connection timeout of 120 seconds. As it turns out, using an anonymizing network doesn't translate into knowing how to build a network-aware application that doesn't stomp on its own dick so hard that the only thing the bot-net ever appears to have done was shit up the Tor network -- it does not appear it was ever activated in any meaningful capacity because the botnet owner, having shit the network it connected to, wasn't able to actually send commands to the majority of clients.

Re:Battle (1)

maxwell demon (590494) | about a year ago | (#45980573)

What if the botnet has the purpose to DDoS Tor?

Re:Battle (1)

Anonymous Coward | about a year ago | (#45980863)

Then cold fjord will be along shortly to tell everyone what a traitor Microsoft is for blocking our holy government's attempt to secure our nation by destroying any and all security.

Re:Battle (1)

complete loony (663508) | about a year ago | (#45980623)

It wouldn't surprise me if the infected machines were so loaded with other malware, that their CPU, RAM, and available bandwidth were all overloaded.

Re:Battle (1)

davidbrit2 (775091) | about a year ago | (#45980635)

I'm just tinfoil-hatting here, but do we know that wasn't its intended purpose?

Re:Battle (2)

exomondo (1725132) | about a year ago | (#45980515)

Was the botnet doing anything bad?

Mining bitcoins.

Re:Battle (2)

Bacon Bits (926911) | about a year ago | (#45980593)

Your question is answered in TFA. They were mining BitCoins.

white hats go to jail (-1)

Anonymous Coward | about a year ago | (#45980113)

unless your worth billions of dollars

Re:white hats go to jail (0)

Anonymous Coward | about a year ago | (#45980319)

now thats some gross spelling their

Re:white hats go to jail (0)

Anonymous Coward | about a year ago | (#45980707)

the train of thought will effect us all

Anyone surprised? (-1)

Anonymous Coward | about a year ago | (#45980123)

Windows Update has doubled as Windows Remote Administration for years.

Re:Anyone surprised? (4, Informative)

LinuxIsGarbage (1658307) | about a year ago | (#45980279)

Windows Update has doubled as Windows Remote Administration for years.

Microsoft using their security software (Microsoft Security Essentials and Malicious Software Removal Tool) to tackle a real security hazard, while leaving legitimate Tor users unaffected? The horror!

Re:Anyone surprised? (0)

Anonymous Coward | about a year ago | (#45980723)

And yum, apt, etc, isn't?

Microsoft... (-1)

Anonymous Coward | about a year ago | (#45980129)

By using an unconventional method to exploit Windows, the hackers unwittingly forced Microsoft to show a hand few knew it had: The ability to remotely remove programs en masse from people's computers, without them even knowing it.

Maybe the next virus needs to remove Windows from all of those machines.

Re:Microsoft... (0)

Anonymous Coward | about a year ago | (#45980199)

Stamp out the virus, install Linux!

Re:Microsoft... (0)

Anonymous Coward | about a year ago | (#45980227)

This year!

Re:Microsoft... (1)

viperidaenz (2515578) | about a year ago | (#45980265)

It's 1996, the year of the linux desktop!

Re:Microsoft... (1)

lister king of smeg (2481612) | about a year ago | (#45980373)

By using an unconventional method to exploit Windows, the hackers unwittingly forced Microsoft to show a hand few knew it had: The ability to remotely remove programs en masse from people's computers, without them even knowing it.

Maybe the next virus needs to remove Windows from all of those machines.

Hmm, how hard would it be to write a virus capable of using Windows Update to install Linux, BSD, etc. on all of those unpatched XP machines?

Do it right... (1)

nobuddy (952985) | about a year ago | (#45980477)

Do a simple and clean install, saving personal docs and with the right payload (like WhicheverOfficeFork, video player, music player, etc). Do it with one of the XP/IE lookalike themes... the "victim" would only wonder why their PC suddenly started performing well.

no harm, no foul?

Re:Microsoft... (1)

CohibaVancouver (864662) | about a year ago | (#45980519)

The ability to remotely remove programs en masse from people's computers, without them even knowing it.

What the smeg do you think anti-malware software DOES day in and day out? Removing a program without impacting the user is exactly what these programs are supposed to do.

Security Patch (2)

eedwardsjr (1327857) | about a year ago | (#45980133)

There is always the possibility it could have been executed through the security patch subsystem. It has the capacity to execute scripts/executables.

Re:Security Patch (5, Funny)

PCM2 (4486) | about a year ago | (#45980185)

Yeah ... when every few weeks or so Windows Update tells me it's going to download something called the Malicious Software Removal Tool, I've always wondered what it did. We might have a few new clues here.

Re:Security Patch (0)

Anonymous Coward | about a year ago | (#45980201)

Entirely possible. I've noticed the usability of my systems has been reduced after a Patch Tuesday event.

Next... (-1, Troll)

TechwoIf (1004763) | about a year ago | (#45980141)

Upcoming: MS deletes Firefox, saying it was used to infect millions of computers.

Re:Next... (-1)

Anonymous Coward | about a year ago | (#45980257)

There are some older versions of Firefox which probably could stand to be removed.

Re:Next... (0)

Anonymous Coward | about a year ago | (#45980301)

Upcoming:

MS deletes Firefox, saying it was used to infect millions of computers.

I would make the obvious joke about how everyone uses Chrome nowadays, but given how behind the times Microsoft usually is, I'm now wondering why you didn't take the angle of them deleting Netscape Navigator.

Re:Next... (3, Insightful)

LinuxIsGarbage (1658307) | about a year ago | (#45980357)

Upcoming:

MS deletes Firefox, saying it was used to infect millions of computers.

Microsoft only deleted the install used as part of Sefnit. They didn't disable legitimate installs, and they're not out to squash your freedom. From the blog:
http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx [technet.com]

The Tor client service left behind on a previously-infected machine may seem harmless at first glance - Tor is a good application used to anonymize traffic and usually poses no threat. Unfortunately, the version installed by Sefnit is v0.2.3.25 – and does not self-update. The latest Tor release build at the time of writing is v0.2.4.20.

No killswitch (2, Insightful)

Anonymous Coward | about a year ago | (#45980163)

there's no "killswitch" it just got added to the definitions for removal. nothing to see here.

Nothing to see here... (-1, Redundant)

Hangtime (19526) | about a year ago | (#45980175)

Good security move by Microsoft. We don't know exactly how the rogue applications were eliminated, but there's a good chance it was Microsoft Security Essentials. This was the equivalent of Symantec and McAfee removing a virus; the only difference was that it was Microsoft this time.

Re:Nothing to see here... (5, Informative)

BasilBrush (643681) | about a year ago | (#45980239)

Well we do know if we bother to RTFA.

Re:Nothing to see here... (4, Informative)

LinuxIsGarbage (1658307) | about a year ago | (#45980379)

Well we do know if we bother to RTFA.

Indeed

Since the Sefnit-caused Tor eruption in August, we have worked to curb this risk. In this process, we consulted with Tor project developers to help plan the cleanup. We retroactively remediated machines that had previously been cleaned of Sefnit but still had a Sefnit-added Tor service:

        October 27, 2013: We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.
        November 12, 2013: Signature and remediation is included in Malicious Software Removal Tool and delivered through Windows Update/Microsoft Update.

Windows Update (1)

cyberspittle (519754) | about a year ago | (#45980193)

Malicious software removal tool.

Not sure how I feel about this... (-1)

Alex Vulpes (2836855) | about a year ago | (#45980217)

While the intention was definitely good, I personally would not want to use a machine that could be remotely accessed in such a manner.

True, something like anti-virus software self-updating and removing a threat would be acceptable to most users. But this is more akin to buying a car and discovering the manufacturer has a master key and a representative can come over and drive it around whenever he/she wants, and it's fully legal and you can't do anything about it.

In the end, for better or for worse, I think it's important that we actually own the devices we buy and pay for. Cases like this, and similar ones with Kindles and mobile devices remotely being accessed and modified or used to spy on us, are strong evidence that we do not. (I know that this particular case is not a big deal in and of itself, but the fact that Microsoft can do what it did is not good news.)

Re:Not sure how I feel about this... (5, Informative)

BasilBrush (643681) | about a year ago | (#45980263)

This is no different from anti-virus, because it WAS the Microsoft anti-virus tool that did it. A specific version of TOR in a specific hidden directory being part of the virus payload.

Talk of not owning your own computer is nonsense. You are free to not run AV software if you prefer. It would be a dumb move, but you are free to do it.

Re:Not sure how I feel about this... (1)

Alex Vulpes (2836855) | about a year ago | (#45980545)

Whoops, never mind. I thought it was Windows doing the job itself.

Re:Not sure how I feel about this... (0)

Anonymous Coward | about a year ago | (#45980275)

The software is leased, is it not?

It's more akin to renting a car and driving it around while the owner also has keys to it.

Re:Not sure how I feel about this... (3, Insightful)

mythosaz (572040) | about a year ago | (#45980391)

While the intention was definitely good, I personally would not want to use a machine that could be remotely accessed in such a manner.

Well you're in luck!

Using the Malicious Software Removal Tool is entirely voluntary.

Re:Not sure how I feel about this... (1)

Alex Vulpes (2836855) | about a year ago | (#45980557)

Oh... good point. Guess I really should RTFA next time.

Re:Not sure how I feel about this... (1)

hawguy (1600213) | about a year ago | (#45980543)

While the intention was definitely good, I personally would not want to use a machine that could be remotely accessed in such a manner.

True, something like anti-virus software self-updating and removing a threat would be acceptable to most users. But this is more akin to buying a car and discovering the manufacturer has a master key and a representative can come over and drive it around whenever he/she wants, and it's fully legal and you can't do anything about it.

In the end, for better or for worse, I think it's important that we actually own the devices we buy and pay for. Cases like this, and similar ones with Kindles and mobile devices remotely being accessed and modified or used to spy on us, are strong evidence that we do not. (I know that this particular case is not a big deal in and of itself, but the fact that Microsoft can do what it did is not good news.)

How do you think Anti-virus software works if it doesn't have a "master key" to your computer that lets it uninstall any application it thinks is malicious?

Re:Not sure how I feel about this... (1)

tlhIngan (30335) | about a year ago | (#45980609)

While the intention was definitely good, I personally would not want to use a machine that could be remotely accessed in such a manner.

True, something like anti-virus software self-updating and removing a threat would be acceptable to most users. But this is more akin to buying a car and discovering the manufacturer has a master key and a representative can come over and drive it around whenever he/she wants, and it's fully legal and you can't do anything about it.

Well, it's just that MSRT runs and executes a find and destroy script. In this case, it looked for a special version of Tor that the malware installed in a special location and configured in a special way. That way it would not destroy legitimate Tor installations.

And you have the option of not running it, if you really wanted to - you still own the machine.

It's the same as if you set your Linux box to self-update - are the updates it downloads able to remove other software? Yes. In fact, it's expected during updates that new versions remove old versions. And sometimes they also remove other software that is no longer a prerequisite.

Sure you have the option to not do it, just like you have the option to not run the update.

In the end, for better or for worse, I think it's important that we actually own the devices we buy and pay for. Cases like this, and similar ones with Kindles and mobile devices remotely being accessed and modified or used to spy on us, are strong evidence that we do not. (I know that this particular case is not a big deal in and of itself, but the fact that Microsoft can do what it did is not good news.)

It's really no different on any OS - updates automatically apply and they can remove stuff at will too.

Probably the most interesting thing is that Apple, of all companies, has not actually shown the need to remove apps remotely. We know they have the capability to disable apps (only the ones using CoreLocation, though), and they have removed apps from the store. But they have not removed apps from people's iTunes libraries, nor removed the ability of deleted apps to run, period. As long as you have a copy somewhere, it can be installed on other devices using iTunes long after it's been removed.

Heck, even when Disney forced the removal of its movies from Amazon and iTunes, they still play if you have a copy on your hard drive! Which can be copied to other devices or streamed to your AppleTV just fine. It only screwed you if you didn't already have a downloaded copy.

Funny how the most "walled" of walled gardens hasn't yet needed to flex its abilities. Even Steam has removed games from people's libraries (granted, the game didn't work anymore, but still - people paid for the game, and Valve deleted it!)
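As an added illustration of the kind of "find" step described above (this is not code from the thread, from Microsoft's write-up or from the Tor project), the PowerShell audit below lists any Tor client registered as a Windows service and flags the two traits the thread names: the display name "Tor Win32 Service" and the non-self-updating v0.2.3.25 build. The "expected" install roots, the tor.exe path match and the assumption that the binary carries a readable version resource are mine; the script only reports and removes nothing.

```powershell
# Added example: inventory Windows services that look like a Tor client installed as a
# service, the Sefnit hallmark discussed in the thread. Report only; no remediation.
$suspectDisplayName = 'Tor Win32 Service'   # display name quoted from Microsoft's write-up
$knownBadBuild      = '0.2.3.25'            # Sefnit-installed Tor version quoted in the thread
# Assumed: roots where a person would normally install Tor themselves (adjust per environment)
$expectedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA) | Where-Object { $_ }

function Get-ServiceExecutable {
    param([string]$PathName)
    # Service image paths may be quoted and carry arguments; keep only the executable
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Get-SuspectTorServices {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceExecutable -PathName $svc.PathName
        # Match either the service display name from the write-up or a tor.exe image (assumed)
        $isTor = ($svc.DisplayName -eq $suspectDisplayName) -or ($exe -match '(?i)\\tor\.exe$')
        if (-not $isTor) { continue }

        # Assumed: the tor.exe build exposes a version resource; null if unreadable
        $version = $null
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $version = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
        }

        # A human install normally lives under one of the expected roots
        $inExpectedRoot = $false
        foreach ($root in $expectedRoots) {
            if ($exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inExpectedRoot = $true }
        }

        [pscustomobject]@{
            Name          = $svc.Name
            DisplayName   = $svc.DisplayName
            Executable    = $exe
            StartMode     = $svc.StartMode
            FileVersion   = $version
            UnusualPath   = -not $inExpectedRoot
            KnownBadBuild = ($version -eq $knownBadBuild)
        }
    }
}

# Usage: anything with UnusualPath and KnownBadBuild both true matches the profile the
# thread describes and is worth handing to the AV/MSRT remediation discussed above.
Get-SuspectTorServices | Format-Table -AutoSize
```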

"Malicious Software Removal"? Or more sinister? (0)

DutchUncle (826473) | about a year ago | (#45980221)

Every month's update includes an updated "malicious software" remover. Normal people who have their machines auto-update would get it automatically, and *if* the corrupted Tor wasn't hiding its existence in some way, it could be found and removed. That would be a legitimate use of the trust customers put in MS (as with other antivirus providers). If it turns out there's a backdoor, the way Amazon removed books from people's Kindles, then the entire Windows infrastructure would be unsafe.

Re:"Malicious Software Removal"? Or more sinister? (1)

maxwell demon (590494) | about a year ago | (#45980755)

Of course the only difference between malware and legitimate software or other content is the intent, which the tool obviously cannot detect. Therefore any tool that can be used to remove malicious software can also be used to remove legal software or other content.

Exactly how???? (-1, Redundant)

lasermike026 (528051) | about a year ago | (#45980293)

Exactly how does Microsoft gain access and remove software? Well, I guess that means Microsoft has complete control of other people's PCs. What kind of F@#$%^ up nightmare is this?

Re:Exactly how???? (4, Insightful)

cyberspittle (519754) | about a year ago | (#45980335)

Windows Update - malicious software removal tool. When you install Windows, or other Microsoft software, you agree to the End User License Agreement (EULA). There is nothing unusual about this. If the EULA is not agreeable, another OS should be installed.

Re:Exactly how???? (0)

neoritter (3021561) | about a year ago | (#45980339)

Try reading the article genius.

Re:Exactly how???? (3, Informative)

Bert64 (520050) | about a year ago | (#45980405)

If you install their software then you are trusting them to have control over your machine. Your hardware is doing exactly what microsoft has programmed it to do. And every time you install updates, you are allowing them to install a new set of program code on your machine.

If you don't like it, run something else.

Re:Exactly how???? (2)

OneAhead (1495535) | about a year ago | (#45980581)

I came here to say just this. TFA is a neat story in a general sense, but in the sense of "Microsoft controlling your computer", there's exactly nothing there we didn't know already. It can only be a surprise to people who don't know or are in denial about what it means to update their operating system. Every second Tuesday, Microsoft adds stuff to your Windows computers, which is way scarier than removing stuff, if one thinks about it for just a second.

Re:Exactly how???? (3, Interesting)

LinuxIsGarbage (1658307) | about a year ago | (#45980443)

Exactly how does Microsoft gain access and remove software? Well, I guess that means Microsoft has complete control of other people's PCs. What kind of F@#$%^ up nightmare is this?

Well if we read the article

Since the Sefnit-caused Tor eruption in August, we have worked to curb this risk. In this process, we consulted with Tor project developers to help plan the cleanup. We retroactively remediated machines that had previously been cleaned of Sefnit but still had a Sefnit-added Tor service:

        October 27, 2013: We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.
        November 12, 2013: Signature and remediation is included in Malicious Software Removal Tool and delivered through Windows Update/Microsoft Update.

Microsoft Security Essentials is a popular antivirus program that people tout as being a good free option to Symantec or McAfee. In this case it seems it did a good job of squashing a botnet. Malicious Software Removal Tool is an update that comes monthly, with Windows updates, that can be disabled or deselected if you wish. The idea is that "This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month." So even if you don't use MSE or any other AV software, if you do updates, you will get the worst of the worst, such as these millions infected with Sefnit.

No hidden remote kill switch. No evil. The security tools did what they advertised to remove a threat, while leaving legitimate Tor users untouched.

Re:Exactly how???? (1)

maxwell demon (590494) | about a year ago | (#45980637)

Well, there's a program called "Malicious Software Removal Tool". What do you think it does?

A classic Example (0)

Anonymous Coward | about a year ago | (#45980331)

A classic example of someone trying to point the finger when there is nothing to point at. You removed my botnet and now I'm mad. STFU. Save your complaining for legitimate problems.

Fucking assholes (-1)

Anonymous Coward | about a year ago | (#45980333)

I don't want ANYBODY going into my computer. That's no different than breaking into my house, and stealing.
FUCK MICROSOFT

Re:Fucking assholes (2)

cyberspittle (519754) | about a year ago | (#45980415)

Dude, you may want to step away from the keyboard and take a deep breath. This is not some uninvited guest helping themselves to your snacks. You allow them in via EULA. Perhaps taking a moment to breathe will prevent a knee-jerk reaction.

Had you bothered to read the article (2)

nobuddy (952985) | about a year ago | (#45980505)

you would realize how silly you look here.

You: "hi. come on in! Welcome to my home. Have a seat, make yourself comfortable...... WHAT THE FUCK? HOW DID YOU GET IN MY HOUSE??"

Re:Fucking assholes (1)

hawguy (1600213) | about a year ago | (#45980563)

I don't want ANYBODY going into my computer. That's no different than breaking into my house, and stealing.
FUCK MICROSOFT

Microsoft Updates and anti-virus protection are completely optional. If you don't want anyone changing files on your computer, you ought to turn off Windows Updates immediately, and don't run any anti-virus software.

It's a little more like hiring someone to fix your leaky windows, then accusing them of stealing after they replaced the moldy wood framing around the window when they put in the new one because you really loved that wood frame even if it was moldy and you want it returned.

Re:Fucking assholes (1)

maxwell demon (590494) | about a year ago | (#45980653)

If you don't want anybody in your computer, then simply don't invite him there. It's not as if the Malicious Software Removal Tool installed itself on the computer.

Microsoft malicious software removal tool.. (3, Informative)

gallondr00nk (868673) | about a year ago | (#45980343)

Removes malicious software, that just happens to use Tor.

Come on /., you can do better than this.

Re:Microsoft malicious software removal tool.. (2)

mythosaz (572040) | about a year ago | (#45980423)

It's not even good trolling on the author's part.

It'd be like a piece of malware that installs an old copy of VNC for spying purposes, in a hidden folder, with an obscurely named .EXE, starting from an arcane point in the registry, and then leading with a headline of: Microsoft Removes VNC From Computers!

All Tor Clients? (0)

PPH (736903) | about a year ago | (#45980389)

Or only those on infected machines? And was this removal targeted only at the botnet-installed Tor client (TFA seems to imply this).

If this was the case, then good for them (Microsoft). Although they could have been a bit more open about their removal with the Tor developers, so as to reassure them that they were not attacking Tor. And to get feedback on anything that could cause a false positive and removal.

Re:All Tor Clients? (2)

mythosaz (572040) | about a year ago | (#45980473)

RTFA? Or any of the dozens of comments above yours?

TFA is fucking garbage.

MSRT removed a specific version of Tor in a specific arcane/obscured directory used only by a botnet.

Re:All Tor Clients? (1)

Desler (1608317) | about a year ago | (#45980947)

They were open with the Tor devs. Even said so explicitly in the article.

Legal? (0)

Dcnjoe60 (682885) | about a year ago | (#45980457)

Isn't it illegal to secretly infiltrate a computer system and remove legal software from it?

Re:Legal? (2)

Ksevio (865461) | about a year ago | (#45980569)

Isn't it illegal to secretly infiltrate a computer system and remove legal software from it?

Yes it is.

Fortunately, the software isn't exactly legal (it was illegally installed by a virus that is), and the machine isn't being secretly infiltrated (you get notified about the Malicious Software Removal if you look at the Windows Updates), so that's kind of a moot point.

Re:Legal? (1)

LinuxIsGarbage (1658307) | about a year ago | (#45980571)

Isn't it illegal to secretly infiltrate a computer system and remove legal software from it?

This looks real secret:
http://i39.tinypic.com/21kz7na.jpg [tinypic.com]

Re:Legal? (0)

Anonymous Coward | about a year ago | (#45980597)

RTFA

Re:Legal? (1)

maxwell demon (590494) | about a year ago | (#45980689)

Yes. But installing Malicious Software Removal Tool is not something which secretly happens in the background, but which the user does knowingly, fully being aware that the tool is not only able to remove malicious software, but it is actually it's purpose.

Also, the botnet hardly is legal software, and the fact that it contains a concealed outdated copy of the Tor client doesn't change that fact.

Re:Legal? (1)

maxwell demon (590494) | about a year ago | (#45980697)

Err ... "its purpose", of course ...

Re:Legal? (1)

davidbrit2 (775091) | about a year ago | (#45980693)

Yes. Fortunately, nothing like that happened here.

Re:Legal? (-1)

Anonymous Coward | about a year ago | (#45980709)

Isn't it illegal to secretly infiltrate a computer system and remove legal software from it?

Ordinarily yes, but not if you've indoctrinated the users for decades that
"it's for their own good" and
"we only attack the bad guys.. why are you complaining? you're not a bad guy, are you??"
and "you can trust Microsoft, because everyone is using Microsoft, which proves it's good--you're not assuming everyone is just following others, surely!"
and "you can't begin to imagine the horrors of a life without Microsoft where you'd be using an *alternative* O.S., which is something only weirdos and nerds would want".

*retch*

Re:Legal? (3, Informative)

mcl630 (1839996) | about a year ago | (#45980895)

Yes, but that's not what happened here. If you read TFA, it was removed by Microsoft Security Essentials and the Malicious Software Removal Tool (from Windows Update) and it only removed a specific version of Tor installed in a specific folder. No legit install of Tor would have been in that specific folder.

If you don't want MSE, don't use it. If you don't want Windows Updates, disable it. Otherwise accept that you're giving some control over your system to Microsoft.

User install VS trojan install (1)

Anonymous Coward | about a year ago | (#45980485)

If we look BEYOND the misleading headline, we will understand that when a TROJAN illegally and secretly installs software on a user's machine, it does so in a way that will leave a clear signature. So, a trojan that installs Tor, for instance, will do so in a way that minimises visibility of the app to users. Microsoft can and SHOULD (if a user is willingly using a Microsoft anti-trojan tool) attempt to identify apps that have been illegitimately installed, even if the app itself can ordinarily be a legitimate user install, and remove that app.

If the user did NOT consent for app X to be placed on their machine, there can be no controversy if a user-activated Microsoft security product removes X without explicit user permission.

Now if Microsoft DARED to remove copies of Tor that a user had explicitly installed, the situation would be a very, very different one. So why are the owners of Slashdot trying to imply something that isn't true? And don't give me crap that it is the fault of the authors of the original article. When Slashdot promotes a story, the content of that story (and the misleading Slashdot summary) are Slashdot's responsibility.

apt-get (0)

Anonymous Coward | about a year ago | (#45980553)

How is this different from apt-get upgrade or dist-upgrade?

Microsoft Did Not Remotely Delete Tor (1)

blanu2 (1324201) | about a year ago | (#45980633)

This incident was discussed in the 30c3 talk on Tor. Roger Dingledine stated that Microsoft removed the botnet, but left Tor installed. Therefore the headline that Microsoft deleted Tor is not correct. You can watch the video here: http://www.youtube.com/watch?v=CJNxbpbHA-I [youtube.com]

just wow (1)

luther349 (645380) | about a year ago | (#45980761)

So Microsoft removes a virus with their removal tool and somehow they did a bad thing. And they removed the infected version of Tor, not the new ones.

Alternate headline (1)

wonkey_monkey (2592601) | about a year ago | (#45980779)

Microsoft remotely deleted a characteristic version of Tor and other maliciously installed software which a botnet had installed from Windows machines to stop said botnet, just as it does for all kinds of malicious software via its (get this) Malicious Software Removal tool (which regularly appears in Windows Update) and/or Microsoft Security Essentials, which you, the user, gave it permission to do.

...but it didn't fit*.

*in length or in terms of agenda.

Class Action? (0)

nurb432 (527695) | about a year ago | (#45980795)

Ok Attorneys: Could this qualify for a class action suit to shut them down forever and burn them to the ground?
