
Microsoft’s secret battle against the Tor botnet

In the battle to clean up millions of infected computers, Microsoft revealed it can remove programs remotely, without users even knowing.


Patrick Howell O'Neill


In August 2013, 4 million infected computers woke up and waited for instructions from their master.

The pathogen was Sefnit, a nasty bit of malware that makes infected computers mine bitcoins. Once the computers woke up, they worked under the command of Ukrainian and Israeli hackers named Scorpion and Dekadent. The malware communicated with the two by downloading Tor, the powerful anonymizing software, and talking over encrypted channels. It was the first time a botnet, as a collection of compromised computers is called, used Tor in such a potentially powerful way.

By using an unconventional method to exploit Windows, the hackers unwittingly forced Microsoft to show a hand few knew it had: the ability to remotely remove programs en masse from people’s computers, without them even knowing it.

All of a sudden, the anonymous network grew from about 1 million users to 5.5 million, a jump that frightened even Tor’s developers.

“If this had been a real attacker, if the botnet had been turned against the Tor network, it probably would have been fatal, I think,” developer Jacob Appelbaum said in a speech at the Chaos Communication Congress in December.

On one level, Sefnit’s use of Tor was a mistake. That surge in users brought unwanted attention to the botnet at a time of heightened interest in the Tor network. And the malware, which has existed in various versions since 2009, specifically targeted Windows users, a fact that got Microsoft’s attention quickly.

To fight back, Microsoft remotely removed Sefnit from as many computers as it could but, contrary to our original report, it left the Tor binaries themselves behind.

“That’s a lot of power that Microsoft has there,” Appelbaum continued, raising his voice and laughing at the implications. “If you’re using Windows trying to be anonymous, word to the wise: Bad idea.”

Why touch the Tor service at all? Microsoft did not respond to our questions directly. But shortly after we reached out, Microsoft’s Geoff McDonald wrote a blog post about the issue. McDonald wrote, “This Tor service is a security risk to the machines even after Sefnit has been removed.”

Although Microsoft considers up-to-date Tor software a “good application,” the old versions that Sefnit downloaded opened the infected machines up to further problems thanks to Tor’s “history of high-severity vulnerabilities.”

Microsoft’s efforts worked.

By October, the Tor network had dropped two million users as the Sefnit-installed Tor services were shut down. No one, not even the Tor developers themselves, knew how Microsoft had gone on a silent offensive against such a big opponent and won a decisive battle.

During this time, the only communication between Microsoft and Tor came when Microsoft’s security team asked them a question: “Is it possible a normal user using our installer would install Tor in the directory paths and as a service?”

“We said very, very unlikely,” Andrew Lewman, Tor’s executive director, told the Daily Dot.

This exchange was a sign that Microsoft had found at least one characteristic unique to Sefnit: it registered Tor as a Windows service and installed it into a location that almost no human user would choose. Microsoft zeroed in on that location, which was enough to start shutting down millions of Sefnit-installed Tor services.
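The trait Tor’s answer points at, a Tor client registered as a Windows service, is something an administrator can check for by hand. The script below is an added example written for this article; it is not Microsoft’s signature or anything from the Tor Project, and the article does not name the directory Microsoft keyed on, so the check looks only at service registration. The `tor.exe` match and the SHA-256 reporting are assumptions about what a responder would want to see; nothing is removed unless the hypothetical `-Disable` switch is given.

```powershell
# Added example, not from the article, Microsoft or Tor: list Windows services
# whose command line launches tor.exe. Per Tor's answer in the article, a normal
# user installing Tor does not register it as a service, so any hit is worth a look.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed switch for this example: stop and disable matching services
    # instead of only reporting them. Honors -WhatIf / -Confirm.
    [switch]$Disable
)

# Win32_Service exposes the registered command line (PathName), the run-as
# account (StartName) and the start mode for every installed service.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match '\btor\.exe\b' }

if (-not $services) {
    Write-Host 'No installed service launches tor.exe on this host.'
    return
}

foreach ($svc in $services) {
    # PathName may be quoted ("C:\path with spaces\tor.exe" args) or bare
    # (C:\path\tor.exe args); recover just the executable path either way.
    $exe = if ($svc.PathName -match '^"([^"]+)"') {
        $Matches[1]
    } else {
        ($svc.PathName -split '\s+')[0]
    }

    # Hash the binary so the finding can be compared against known releases.
    $hash = if (Test-Path -LiteralPath $exe) {
        (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
    } else {
        'file missing'
    }

    [pscustomobject]@{
        Service   = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        Account   = $svc.StartName
        Path      = $exe
        SHA256    = $hash
    } | Format-List

    # Containment is opt-in: leave the binary in place, just keep it from running.
    if ($Disable -and $PSCmdlet.ShouldProcess($svc.Name, 'Stop and disable service')) {
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svc.Name -StartupType Disabled
    }
}
```

Run it from an elevated PowerShell prompt; `.\Find-TorService.ps1` reports only, and `.\Find-TorService.ps1 -Disable -WhatIf` shows what would be stopped without changing anything. A legitimate hit is possible (someone may deliberately run a relay as a service), which is why the script surfaces the path, account and hash for a human decision rather than deleting files.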

Despite the warnings about the privacy of Windows users from Jacob Appelbaum while on stage in Germany, Lewman seems less concerned. He surmises that Microsoft used its Microsoft Security Essentials software to eliminate the programs, a program users must install themselves.

“I don’t know if Jacob and Roger [Dingledine, director of the Tor Project] understood what was going on,” he said. “I don’t think they’ve used Microsoft products ever. I keep a few flavors of Windows around for when users ask for help. Microsoft Security Essentials and the like are nothing new.”

It’s no small thing that Microsoft has the ability to reach into certain Windows installations and tear out the parts it deems dangerous, but Lewman says there’s little to worry about in this case.

“It sounds scary,” Lewman concluded, “until you realize users opt-in for the most part and agree to have their OS kept ‘secure’ by Microsoft.”

So, yes, Microsoft has the ability to reach into certain computers and delete programs. But, Lewman says, this is the way it’s always been—as long as the user agrees to it first.

Update: A Microsoft spokesman told the Daily Dot: “MMPC has protections to remove the services started by the Sefnit malware, but it does not uninstall Tor, remove any Tor binaries, or prevent users from using Tor.”

Photo by OSC AG/Flickr

The Daily Dot