Sefnit botnet-Microsoft has silently uprooted Tor Browser from more than 2 Million PC

Microsoft has uprooted Tor Browser from more than 2 Million Systems to eradicate Sefnit botnet. It has done it silently without user agreement.

It was August 2013 when security experts noted a spike in Tor traffic network caused by cybercriminals activities, the malware specialists discovered a botnet based on Mevade malware, in mid-August the number of Tor users had skyrocketed from 500,000 to close to 3 million. The security expert speculated that traffic was generated by communication of bots with C&C servers hidden in the Tor network. Bot agent for the Mevade malware family used “Sefnit” code dated 2009 that included Tor connectivity. The malware implemented a backup mechanism for its C&C communications with a Tor component.

“The botnet of Sefnit hosted proxies are used to relay HTTP traffic to pretend to click on advertisements,” said Microsoft Malware Protection Center researcher Geoff McDonald.

The botnet was infecting millions of computers for click fraud and bitcoin mining, so in October 2013, Microsoft decided decided to go on the attack with a stealth offensive to decapitate the Tot-botnet based on the Sefnit malware, an agent belonging to the same click-fraud scam family malicious code of Mevade  .

Microsoft decided to silently remotely remove older versions Tor Browser software from nearly 2 Million systems, the operation was conducted without informing both Microsoft customers neither the Tor developers.

Microsoft points out several vulnerabilities in the Tor version v0.2.3.25  used by Sefnit, unfortunately the bundle is not upgradeable to the successive version, so the company decided to close loophole uninstalling the browser instead to simply delete the Sefnit code.

“Tor is a good application used to anonymize traffic and usually poses no threat. Unfortunately, the version installed by Sefnit is v0.2.3.25 – and does not self-update. The latest Tor release builds at the time of writing is v0.2.4.20.“

The side effect was that the decision of Microsoft impacted also all the Tor users that intentionally have installed the anonymizing browser, 2 Million systems were cleaned with this technique.

It is very concerning the fact that the company could arbitrary decide to remove a software on any system based on its OS.

The Internet community has considered the decision of Microsoft to remove Tor browsers without any alert, too arrogant. Many experts are questioning about why Microsoft has not followed the same policy for its IE browser which is known to be suffering from hundreds of vulnerabilities, many of which are critical and which expose the safety of customers at serious risk.

Pierluigi Paganini

(Security Affairs –  Microsoft, Sefnit)