On Tue, 12 Apr 2011 20:46 -0700, "Porcelain Mouse" porcelain_mouse@q.com wrote:
Greetings All,
I've been running an exit for about 5 months, but had to stop due to virus abuses. In the last two weeks, my ISP has partially blocked my Internet access twice due to suspected virus infections. I'll spare you the long story, but I was able to get a copy of their "evidence" and I'm fairly certain it was connections made through my Tor relay.
- How common is it that Tor is abused by viruses? What is the trend?
- Is this just standard virus-kit material, these days?
I guess I was a little surprised. Obviously, this is a great idea for hiding the infection site, so I'm sure it's being done. But still, I've been fighting viruses for quite a while and I don't think I've read a single virus description that mentioned Tor. I'm sure it's happening, but I've never heard a single statistic about it, so I thought I would ask.
Also, this type of abuse is *not* mentioned on the Tor wiki's Abuse FAQ under "What should I expect if I run an exit relay?" I read that section carefully and was prepared for most of the things mentioned. Again, I'm not completely shocked. I'm just saying it didn't seem likely, according to the FAQ. It would be nice to know how likely is this kind of abuse, and what is the trend. (And, maybe someone can add the results to the FAQ when we have an answer.)
Thanks, PMouse
It's still not common. I assume a zombie computer somewhere was trying to connect to a Command&Control server via Tor - a C&C which is being sinkholed by anti-malware researchers or is otherwise flagged. So your exit machine looks as if it is infected. We should start thinking hard about how to stop botnets using Tor. GD