On Tue, Jul 29, 2014 at 10:50 AM, manuel@myops.de wrote:
today I received a registered mail by the BKA, the German federal police, alerting me that some stuff related to the Dragonfly aka Energetic Bear backdoor Oldrea/Havex could be traced back to one of my IPs. The IP in question is the one with which I run my Tor exit node.
This is *probably* because an infected machine somewhere has been configured to send *all* of its network traffic through Tor, including traffic originated by the malware. I don't know why that would make the BKA concerned enough to bother sending you a registered letter, but here is my boilerplate response to queries like that:
[standard Tor exit explanation, then:]
| Scanners that aim to detect misconfigured, vulnerable, or infected
| computers will, from time to time, pick up Tor exits as false
| positives, whenever they happen to be emitting traffic that
| originates from such computers. By design, we have no way to pass
| your report along to the true source of the traffic. We can assure
| you that the actual computer at [EXIT'S IP ADDRESS] is not infected
| with any malware and is kept up to date with security fixes.
| However, you should expect it to continue to appear in your scans as
| a false positive.