
Re: [tor-relays] Fwd: [Abuse[...]] GameoverZeus-Infektionen



The real issue here is somewhere there is a Game Over Zeus
infected client that is web browsing through the Tor network.

We have no way of alerting that host to its compromised status,
at least not unless entry nodes have a means of detecting infected
clients, which I believe is not the case.

Anti-virus software is poor at detecting this type of trojan.
It is a difficult problem we would do well to give thought to.



On Sat, Jul 19, 2014 at 11:32:38AM +0100, Thomas White wrote:
> 
> Speaking from experience of operating 25 servers doing 4Gbps, I can
> quite safely say that if your host has been supportive of Tor, I would
> simply respond with the normal boilerplate regardless of what the
> complaint is or who made it. I've received threats from countless
> organisations, companies, police and have clashed with Interpol in the
> past, they are yet to bring a single charge against me in the UK
> (albeit I have had some servers seized). I am the exception among Tor
> operators too, not the rule, so if they can't charge me I very much
> doubt they could charge somebody operating just a single server. The
> point is that you should be very open that you operate a Tor node,
> ensure you promptly respond to abuse complaints and if your provider
> doesn't seem to be fully convinced by you or are threatening to close
> your service then it could do with some additional explanation. Heck
> if you need it just let me know who to contact and I'll do it for you!
> 
> Running Tor isn't illegal, you are protected by various safe-harbour
> provisions and ultimately if they blacklist you there is little you
> can do. Half of my IPs are on a lot of "blacklists", and I've found
> removing them is useful in the short term perhaps but many are
> automated and so just waste your time. In the long run we need
> education more than anything and in fact I am actually writing up a
> letter at the moment to encourage some blacklists to check if the IP
> is a tor exit node and to prevent their systems spamming operators
> with abuse complaints. (I'll follow up on this section on this
> mailing list next week.)
> 
> My ISP has a policy that as long as the complaints aren't from
> Spamhaus, they aren't too bothered as long as I reply to the abuse
> complaints which I do. You should ask your ISP outright what the
> policy is on these situations. But as far as Spamhaus goes I've not
> received a single complaint from them out of thousands I have received
> in the past year.
> 
> If you want to talk privately, just reply to me off the mailing list
> and I'll be happy to do whatever I can.
> 
> Regards,
> - -T
> 
> On 18/07/2014 10:08, Ch'Gans wrote:
> > Hi there,
> > 
> > I'm here to look for advice or comments on how to handle abuse
> > reports when you run a TOR exit relay on a "server for the mass".
> > I'm running the TOR exit node
> > 18B6EBAF10814335242ECA5705A04AAD29774078 on the Hetzner network
> > (50E/month, this is my contribution to the TOR project). So far I
> > have had to deal with a few "easy" abuse reports (ssh scan, forum insults,
> > spams, ...), and I think I performed pretty well so far (thanks to
> > Hetzner's cooperation?)
> > 
> > But today I just received this botnet related one. I do take this
> > report seriously. I know that malware is more and more using the
> > TOR network as an anonymous covert, I don't like malware, I don't
> > like malicious botnets and I don't like spammers. Still I end up
> > being identified as one of them.
> > 
> > I knew from day one that it was a risky business to run an exit
> > TOR node, but I want to stand up and fight. If only I can convince
> > people of my right doing.
> > 
> > First of all I am quite surprised that cert-bund.de (the
> > complainant) didn't notice that I am a TOR exit node, so my first
> > questions (for people familiar with these guys) are:
> > - How legit are these guys? Do they run for the German government?
> >   Are they simply trying to scare the shit out of me by citing
> >   europol.europa.eu and us-cert.gov? (see redacted forwarded message
> >   below; my own opinion is "Yes")
> > - Do they simply spam hosting companies each time they have a probe
> >   sensing something somewhere? (I know it's vague, but I can use that
> >   as a "this complainant is a spammer" kind of argument)
> > 
> > Any other thoughts/remarks/comment on that matter?
> > 
> > Regards, Chris
> > 
> > Thought of the day: Nowadays it looks like server administrators
> > tend to send an abuse report each time they receive an illegal ping
> > request!
> > 
> > Testimony of the day: Last time I received an "SSH scan" abuse
> > report, I sent back my SSH honeypot logs, which contain more than
> > 5k login attempts per day.
> > 
> > 
> > -------- Original Message --------
> > [..]
> > ----- attachment -----
> > 
> > Dear Sir or Madam,
> > 
> > "Gameover Zeus" is malicious software which is primarily used by 
> > cybercriminals to carry out online banking fraud and to spy out 
> > login credentials for online services on infected PCs. It can also 
> > be used to install further malicious software (including 
> > blackmailing trojans such as "CryptoLocker" ransomware) on PCs or
> > to carry out DDoS attacks.
> > 
> > In a joint international campaign since the end of May 2014, law
> > enforcement agencies, with the support of private sector partners, 
> > have taken action against the "Gameover Zeus" botnet [1].
> > 
> > As part of this campaign, it has now been possible to identify the 
> > IP addresses of systems infected with "Gameover Zeus" [2].
> > 
> > We are sending you a list of infected systems in your net area.
> > 
> > Would you please examine the situation thoroughly and take
> > appropriate measures to cleanse the systems.
> > 
> > Sources:
> > 
> > [1] Europol: International action against 'Gameover Zeus' botnet
> > and 'CryptoLocker' ransomware
> > <https://www.europol.europa.eu/content/international-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware>
> > 
> > [2] ShadowServer: Gameover Zeus & Cryptolocker
> > <http://blog.shadowserver.org/2014/06/08/gameover-zeus-cryptolocker/>
> > 
> > [3] US-CERT: GameOver Zeus P2P Malware
> > <https://www.us-cert.gov/ncas/alerts/TA14-150A>
> > 
> > A list of infected systems in your net area: [...]
> > 
> > Kind regards, Team CERT-Bund
> > 
> > 
> > 
> 

-- 
      Michael Rasmussen, Portland Oregon  
    Be Appropriate && Follow Your Curiosity
I'd save the goat urine to wash the taste of Accelerade out of my mouth.
	~  Kent Peterson
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays