Re: [tor-relays] Tor and Viruses
On Tue, 12 Apr 2011 20:46 -0700, "Porcelain Mouse"
<porcelain_mouse@xxxxx> wrote:
> Greetings All,
>
> I've been running an exit for about 5 months, but had to stop due
> to virus abuses. In the last two weeks, my ISP has partially blocked my
> Internet access twice due to suspected virus infections. I'll spare you
> the long story, but I was able to get a copy of their "evidence" and I'm
> fairly certain it was connections made through my Tor relay.
>
> 1) How common is it that Tor is abused by viruses? What is the trend?
> 2) Is this just standard virus-kit material, these days?
>
> I guess I was a little surprised. Obviously, this is a great idea for
> hiding the infection site, so I'm sure it's being done. But still, I've
> been fighting viruses for quite a while and I don't think I've read a
> single virus description that mentioned Tor. I'm sure it's happening, but
> I've never heard a single statistic about it, so I thought I would ask.
>
> Also, this type of abuse is *not* mentioned on the Tor wiki's Abuse FAQ
> under "What should I expect if I run an exit relay?" I read that section
> carefully and was prepared for most of the things mentioned. Again, I'm
> not completely shocked. I'm just saying it didn't seem likely, according
> to the FAQ. It would be nice to know how likely is this kind of abuse,
> and what is the trend. (And, maybe someone can add the results to the FAQ
> when we have an answer.)
>
> Thanks,
> PMouse
It's still not common. I assume a zombie computer somewhere was trying
to connect to a Command&Control server via Tor - a C&C which is being
sinkholed by anti-malware researchers or is otherwise flagged. So your
exit machine looks as if it is infected.
We should start thinking hard about how to stop botnets using Tor.
GD