The real issue here is somewhere there is a Game Over Zeus infected client that is web browsing through the Tor network.
We have no way of alerting that host to their compromised status. At least and unless entry nodes have a means for detecting infected clients. Which I believe is not the case.
Anti virus software is poor at detecting this type of trojan. It is a difficult problem we would do well to give thought to.
On Sat, Jul 19, 2014 at 11:32:38AM +0100, Thomas White wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Speaking from experience of operating 25 servers doing 4Gbps, I can quite safely say that if your host has been supportive of Tor, I would simply respond with the normal boilerplate regardless of what the complaint is or who made it. I've received threats from countless organisations, companies, police and have clashed with Interpol in the past, they are yet to bring a single charge against me in the UK (albeit I have had some servers seized). I am the exception of Tor operators too, not the rule so if they can't charge me I very much doubt they could charge somebody operating just a single server. The point is that you should be very open that you operate a Tor node, ensure you promptly respond to abuse complaints and if your provider doesn't seem to be fully convinced by you or are threatening to close your service then it could do with some additional explanation. Heck if you need it just let me know who to contact and I'll do it for you!
Running Tor isn't illegal, you are protected by various safe-harbour provisions and ultimately if they blacklist you there is little you can do. Half of my IP's are on a lot of "blacklists", and I've found removing them is useful in the short term perhaps but many are automated and so just waste your time. In the long run we need education more than anything and in fact I am actually writing up a letter at the moment to encourage some blacklists to check if the IP is a tor exit node and to prevent their systems spamming operators with abuse complaints. (This section I'll follow up with on this mailing list with next week)
My ISP has a policy that as long as the complaints aren't from Spamhaus, they aren't too bothered as long as I reply to the abuse complaints which I do. You should ask your ISP outright what the policy is on these situations. But as far as Spamhaus goes I've not received a single complaint from them out of thousands I have received in the past year.
If you want to talk privately, just reply to me off the mailing list and I'll be happy to do whatever I can.
Regards,
- -T
On 18/07/2014 10:08, Ch'Gans wrote:
Hi there,
I'm here to look for advice or comments on how to handle abuse reports when you run a TOR relay exit on a "server for the mass". I'm running the TOR exit node 18B6EBAF10814335242ECA5705A04AAD29774078 on Hetzner netowrk (50E/month, this is my contribution to the TOR project) So far I had to deal with few "easy" abuse reports (ssh scan, forum insults, spams, ...), I think i performed pretty well so far (thanks to Hetzner cooperation?)
But today I just received this botnet related one. I do take this report seriously, I know that malware are more and more using the TOR network as an anonymous covert, I don't like malware, I don't like malicious botnet and I don't like spammers. Still I end up being identify as one of them.
I knew from day one that it was a risky business to run an exit TOR node, but I want to stand up and fight. If only I can convince people of my right doing.
First of all I am quite surprised that cert-bund.de (the complainant) didn't notice that I am a TOR exit node, so my first question (for people familiar with these guys) is: - How legit are these guys? Do they run for the German government? Are their simply trying to scare the shit out of me by citing europol.europa.eu, and us-cert.gov? (see redacted forwarded message below, my own opinion is "Yes") Then - Do they simply spam hosting company each time they have a probe sensing something somewhere (I know it's vague, but I can use that as a "this complainant is a spammer" kind of argument)
Any other thoughts/remarks/comment on that matter?
Regards, Chris
Thought of the day: Nowadays it looks like server administrator tend to send abuse report each time they receive an illegal ping request! Testimony of the day: Last time I received an "SSH scan" abuse report, I sent back my SSH honeypot logs, which contains more than 5k login attempts per day.
-------- Original Message -------- [..] ----- attachment ----- Dear Sir or Madam
"Gameover Zeus" is malicious software which is primarily used by cybercriminals to carry out online banking fraud and to spy out login credentials for online services on infected PCs. It can also be used to install further malicious software (including blackmailing trojans such as "CryptoLocker" ransomware) on PCs or to carry out DDoS attacks.
In a joint international campaign since the end of May 2014, law enforcement agencies, with the support of private sector partners, have taken action against the "Gameover Zeus" botnet [1].
As part of this campaign, it has now been possible to identify the IP addresses of systems infected with "Gameover Zeus" [2].
We are sending you a list of infected systems in your net area.
Would you please examine the situation thoroughly and take appropriate measures to cleanse the systems.
Sources:
[1] Europol: International action against 'Gameover Zeus' botnet and 'CryptoLocker' ransomware <https://www.europol.europa.eu/content/international-action-against-
gameover-zeus-botnet-and-cryptolocker-ransomware>
[2] ShadowServer: Gameover Zeus & Cryptolocker http://blog.shadowserver.org/2014/06/08/gameover-zeus-cryptolocker/
[3] US-CERT: GameOver Zeus P2P Malware https://www.us-cert.gov/ncas/alerts/TA14-150A
A list of infected systems in your net area: [...]
Kind regards, Team CERT-Bund
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32)
iQIcBAEBAgAGBQJTyklGAAoJEE2uQiaesOsLauoP+gLTI6UG5Ch+vaY68TK6+bT6 rUI0Q53XN+I4Yd0NDiS26I11OpXMJaUlP1gEk64Zs3VrCUkLaIGSn7xAp4b2dSHD vTylavLk/x8zqVFY+aDk0kBMXofHC8bkgUUUB1uCuHr13DsVotIO8AIXLRdlFQsY PVHVB8tgizRfm6ePv3hT+LcW1osJ5+PviixE8jlBXcGxXr+olcqjaWAdGN+eXdhr 944vlL9Yk7rNWw8Xkhs0rTg/Prqz4Wlqc2pzit+mRVLs/mkTPihzcbgrIEi4kBHW L/srUhIoaGpNNG5Qmow8/Ky99k0KAIbnvAeiOOFWwOb3X4XlzsuBS6KYIVkHD7qr g0cZj7gjCkkAtMS+6Wb0uk/Idx2LlntCoOOJZVlgMKv6lfV8PP5C/DJQvGoz6ADn 0d1jS9VNdLSp+h6daSkRQs19WswH67kdWG5Qbl0TxnBEXULrq/Q36/FfFVbNfGqo /b8zux0jHe4LM0zYLvAo+0bjeVhGXnzg4xOPgo0zDU3/JdXLdMvUYzScvu1EYUs8 /XOzgF0n4eR4mkufoL7a4hCYc1DGB61m45co9mY0+8piTt+OuKxHG6mcVIweucdc BYaowXV0pe1mAc4wc07UqtrgDBWNyFnFp6hzgdoEsfEG6qsjLAxj5LKtTu7+9qgo BiRSx3NMi4GMPT2z4O6o =JFZA -----END PGP SIGNATURE----- _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays