
Re: [tor-relays] Possible tor usage by Dragonfly aka Energetic Bear



On Tue, Jul 29, 2014 at 10:50 AM,  <manuel@xxxxxxxx> wrote:
> today I received a registered mail by the BKA, the german federal
> police, alerting me that some stuff related to the Dragonfly aka
> Energetic Bear backdoor Oldrea/Havex could be traced back to one
> of my IPs. The IP in question is the one with which I run my tor
> exit node.

This is *probably* because an infected machine somewhere has been
configured to send *all* of its network traffic through Tor, including
traffic originated by the malware. I don't know why that would make
the BKA concerned enough to bother sending you a registered letter,
but here is my boilerplate response to queries like that:

[standard Tor exit explanation, then:]

| Scanners that aim to detect misconfigured, vulnerable, or infected
| computers will, from time to time, pick up Tor exits as false
| positives, whenever they happen to be emitting traffic that
| originates from such computers. By design, we have no way to pass
| your report along to the true source of the traffic. We can assure
| you that the actual computer at [EXIT'S IP ADDRESS] is not infected
| with any malware and is kept up to date with security fixes.
| However, you should expect it to continue to appear in your scans as
| a false positive.
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
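The boilerplate above says scanners will keep flagging an exit's IP as a false positive because the real source of the traffic is upstream of the exit. On the receiving side of such a report, the practical first step is to check which of the flagged addresses were Tor exits at the time, so they can be handled separately from hosts that really do need cleaning. The script below is an added example, not code from the original post or from the Tor Project. It assumes the exit list is in the one-IPv4-address-per-line format that https://check.torproject.org/torbulkexitlist serves, and that the scanner output is a CSV with a `src_ip` column; both inputs are constructed here for illustration, with addresses drawn from the RFC 5737 documentation ranges, and the "havex-c2-beacon" signature name is invented.

```python
"""Triage scanner hits against a Tor exit list.

Added example, not part of the original mailing-list post.  Assumptions:
the exit list is one IPv4 address per line (the torbulkexitlist format);
the scanner output is CSV with at least a src_ip column.  Both inputs
below are constructed samples, not real data.
"""
import csv
import io
import ipaddress
from typing import Dict, List, Set

# Constructed stand-in for a downloaded exit list.  Blank lines and
# '#' comments are tolerated so a hand-annotated copy still parses.
EXIT_LIST_TEXT = """\
# constructed sample, not a real exit list
192.0.2.10
192.0.2.11
198.51.100.7
"""

# Constructed scanner output.  The signature name is invented; the hits
# are not real observations.
SCAN_CSV = """\
timestamp,src_ip,dst_ip,signature
2014-07-28T09:12:03Z,192.0.2.10,203.0.113.5,havex-c2-beacon
2014-07-28T09:14:55Z,203.0.113.77,203.0.113.5,havex-c2-beacon
2014-07-28T09:20:01Z,198.51.100.7,203.0.113.9,havex-c2-beacon
2014-07-28T10:02:40Z,not-an-ip,203.0.113.9,havex-c2-beacon
"""


def parse_exit_list(text: str) -> Set[ipaddress.IPv4Address]:
    """Return the set of exit addresses, skipping comments and junk lines."""
    exits: Set[ipaddress.IPv4Address] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            exits.add(ipaddress.IPv4Address(line))
        except ValueError:
            # A malformed line should not abort the whole triage run.
            continue
    return exits


def triage(scan_csv: str,
           exits: Set[ipaddress.IPv4Address]) -> Dict[str, List[dict]]:
    """Split scanner rows into Tor-exit hits, direct hits and unparseable rows.

    Rows whose source is a known exit get a note explaining why the
    operator cannot be expected to identify the originating machine.
    """
    buckets: Dict[str, List[dict]] = {"tor_exit": [], "direct": [],
                                      "unparseable": []}
    for row in csv.DictReader(io.StringIO(scan_csv)):
        row = dict(row)
        try:
            src = ipaddress.IPv4Address(row["src_ip"])
        except (KeyError, ValueError):
            buckets["unparseable"].append(row)
            continue
        if src in exits:
            row["note"] = ("source is a Tor exit; traffic originated "
                           "elsewhere and the exit cannot identify it")
            buckets["tor_exit"].append(row)
        else:
            buckets["direct"].append(row)
    return buckets


def summarize(buckets: Dict[str, List[dict]]) -> Dict[str, int]:
    """Counts per bucket, for a quick report header."""
    return {name: len(rows) for name, rows in buckets.items()}


if __name__ == "__main__":
    known_exits = parse_exit_list(EXIT_LIST_TEXT)
    result = triage(SCAN_CSV, known_exits)
    print(summarize(result))
    for row in result["tor_exit"]:
        print(row["timestamp"], row["src_ip"], "->", row["note"])
```

One caveat worth keeping in mind when doing this for real: an exit list is a snapshot of the network at download time, while scanner hits carry their own timestamps, so an address that was an exit when the traffic was seen may no longer be on the list (or vice versa). For historical questions of the form "was this IP a Tor exit on this date", the Tor Project's ExoneraTor service at https://metrics.torproject.org/exonerator.html answers from archived consensus data rather than the live list.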