In October 2013, Microsoft adopted a silent, offensive method to tackle infection due to a Tor-based botnet malware called ‘Sefnit‘.
In an effort to takedown of the Sefnit botnet to protect windows users, Microsoft remotely removes the older versions of installed Tor Browser software and infection from 2 Million systems, even without the knowledge of the system’s owner.
Last year in August, after Snowden revelations about the National Security Agency’s (NSA) Spying programs, the Internet users were under fear of being spied. During the same time Tor Project leaders noticed almost 600% increase in the number of users over the anonymizing networks of Tor i.e. More than 600,000 users join Tor within few weeks.
In September, researchers identified the major reason of increased Tor users i.e. A Tor-based botnet called ‘Sefnit malware‘, which was infecting millions of computers for click fraud and bitcoin mining.
To achieve the maximum number of infections, cyber criminals were using several ways to spread their botnet. On later investigation, Microsoft discovered some popular softwares like Browser Protector and FileScout, bundled with vulnerable version of Tor Browser & Sefnit components.
‘The security problem lies in the fact that during a Sefnit component infection, the Tor client service is also silently installed in the background. Even after Sefnit is removed, unless specific care is taken, the Tor service will be left and still regularly connect to the Tor Network.‘
It was not practically possible for Microsoft or the Government to instruct each individual on ‘How to remove this Malware’, so finally Microsoft took the decision of remotely washing out the infections themselves.
To clean infected machines, Microsoft began updating definitions for its antimalware apps.
“We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.” and later also in Malicious Software Removal Tool.
But why Tor Browser?
“Even after Sefnit is removed, unless specific care is taken, the Tor service will be left and still regularly connect to the Tor Network. This is a problem not only for the workload it applies to the Tor Network, but also for the security of these computers.” Microsoft says.
So they removed it and to Justify their action, Microsoft points out several vulnerabilities in the Tor version bundled with Sefnit malware i.e. Tor version 0.2.3.25, that opens the user to attack through these known vulnerabilities.
“Tor is a good application used to anonymous traffic and usually poses no threat. Unfortunately, the version installed by Sefnit is v0.2.3.25 – and does not self-update. The latest Tor release builds at the time of writing is v0.2.4.20.“
May be this is the right way to neutralize the infections, but the Microsoft’s action also clarifies the capability to remotely remove any software from your computer.