Greetings All,
I've been running an exit for about 5 months, but had to stop due to virus abuses. In the last two weeks, my ISP has partially blocked my Internet access twice due to suspected virus infections. I'll spare you the long story, but I was able to get a copy of their "evidence" and I'm fairly certain it was connections made through my Tor relay.
1) How common is it that Tor is abused by viruses? What is the trend?
2) Is this just standard virus-kit material, these days?
I guess I was a little surprised. Obviously, this is a great idea for hiding the infection site, so I'm sure it's being done. But still, I've been fighting viruses for quite a while and I don't think I've read a single virus description that mentioned Tor. I'm sure it's happening, but I've never heard a single statistic about it, so I thought I would ask.
Also, this type of abuse is *not* mentioned on the Tor wiki's Abuse FAQ under "What should I expect if I run an exit relay?" I read that section carefully and was prepared for most of the things mentioned. Again, I'm not completely shocked. I'm just saying it didn't seem likely, according to the FAQ. It would be nice to know how likely is this kind of abuse, and what is the trend. (And, maybe someone can add the results to the FAQ when we have an answer.)
Thanks, PMouse
> my ISP has partially blocked my Internet access twice due to suspected virus infections.
Virus is likely not the right word for things. Anyways...
There's really no reason an operator cannot run something like bro-ids.org and sink known bad traffic in real time. Yeah, sure, everyone will bitch at me. But it is operator fiat, and they're not sinking specific users, so well within common carrier exceptions on that aspect. No different than operators who block 'torrent' ports, smtp, etc.
Speaking of smtp, one could even redirect that into their system despam/clamav it and send it on its way. Better than nothing. Especially for the legit senders.
Hi,
On 13.04.2011 05:46, Porcelain Mouse wrote:
> - How common is it that Tor is abused by viruses? What is the trend?
> - Is this just standard virus-kit material, these days?
I am not sure we mean the same kind of stuff when talking about "viruses" on Tor. Since June 2010 we run Tor exits at more than 300 Mbps, lately more than a Gbit, and have never received a single complaint about abuse that I would categorize as "virus".
And, yes, we want to publish more detailed stats about the amount and class of abuse we see over our exits, but we're a bit understaffed and could use some more volunteers to help out with things.
On Tue, Apr 12, 2011 at 10:46 PM, Porcelain Mouse porcelain_mouse@q.com wrote:
> Greetings All,
> I've been running an exit for about 5 months, but had to stop due to virus abuses. In the last two weeks, my ISP has partially blocked my Internet access twice due to suspected virus infections. I'll spare you the long story, but I was able to get a copy of their "evidence" and I'm fairly certain it was connections made through my Tor relay.
> 1) How common is it that Tor is abused by viruses? What is the trend?
> 2) Is this just standard virus-kit material, these days?
> I guess I was a little surprised. Obviously, this is a great idea for hiding the infection site, so I'm sure it's being done. But still, I've been fighting viruses for quite a while and I don't think I've read a single virus description that mentioned Tor. I'm sure it's happening, but I've never heard a single statistic about it, so I thought I would ask.
> Also, this type of abuse is *not* mentioned on the Tor wiki's Abuse FAQ under "What should I expect if I run an exit relay?" I read that section carefully and was prepared for most of the things mentioned. Again, I'm not completely shocked. I'm just saying it didn't seem likely, according to the FAQ. It would be nice to know how likely is this kind of abuse, and what is the trend. (And, maybe someone can add the results to the FAQ when we have an answer.)
> Thanks, PMouse
> _______________________________________________
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
I have watched my virus checker and I get several virus blocks attempting to access web pages that were attempted by the user who was using Tor. It is not viruses from Tor, but the web site and/or pages that the user wants/is trying to access. I have had no issues with my provider concerning it.
Jon
On Tue, 12 Apr 2011 20:46 -0700, "Porcelain Mouse" porcelain_mouse@q.com wrote:
> Greetings All,
> I've been running an exit for about 5 months, but had to stop due to virus abuses. In the last two weeks, my ISP has partially blocked my Internet access twice due to suspected virus infections. I'll spare you the long story, but I was able to get a copy of their "evidence" and I'm fairly certain it was connections made through my Tor relay.
> - How common is it that Tor is abused by viruses? What is the trend?
> - Is this just standard virus-kit material, these days?
> I guess I was a little surprised. Obviously, this is a great idea for hiding the infection site, so I'm sure it's being done. But still, I've been fighting viruses for quite a while and I don't think I've read a single virus description that mentioned Tor. I'm sure it's happening, but I've never heard a single statistic about it, so I thought I would ask.
> Also, this type of abuse is *not* mentioned on the Tor wiki's Abuse FAQ under "What should I expect if I run an exit relay?" I read that section carefully and was prepared for most of the things mentioned. Again, I'm not completely shocked. I'm just saying it didn't seem likely, according to the FAQ. It would be nice to know how likely is this kind of abuse, and what is the trend. (And, maybe someone can add the results to the FAQ when we have an answer.)
> Thanks, PMouse
It's still not common. I assume a zombie computer somewhere was trying to connect to a Command&Control server via Tor - a C&C which is being sinkholed by anti-malware researchers or is otherwise flagged. So your exit machine looks as if it is infected. We should start thinking hard about how to stop botnets using Tor. GD
> It's still not common. I assume a zombie computer somewhere was trying to connect to a Command&Control server via Tor - a C&C which is being sinkholed by anti-malware researchers or is otherwise flagged. So your exit machine looks as if it is infected.
It's likely that the malware just uses the system's default proxy to connect, and is not specifically looking to use Tor.
All,
Thanks for your excellent responses. It sounds like my experience is not exactly typical, but not unexpected, either.
It also sounds like you might be interested in more details. Actually, Geoff guessed correctly. Both shutdowns were a result of separate single events in Shadowserver's reports. The first event was a connection to a known C&C IRC server. After the second shutdown, but before I received the new logs, I figured I would just update my exit rules to reject IRC ports. But, the second event was a single connection to one of Shadowserver's honeypot HTTP servers. I didn't think there would be any use for an exit that rejected HTTP, too.
grarpamp's suggestion was great, too. I thought of running my own IDS between the exit and my gateway, and, in fact, it's already on my list of projects. I'll add Tor to the list of reasons I should put some effort into it.
Moritz - Now that I'm no longer fighting with my provider about exits, perhaps I can spare some time. I don't know what you might need, but I would be happy to help, if I can.
Oh, and speaking of help. I volunteer to update the FAQ, provided that's desirable and the Tor project folks are agreeable. Who should I talk to about that? tor-assistants at torproject.org ?
Many Thanks, PMouse
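Worked example, added here and not part of the thread: a small Python evaluation of Tor-style ExitPolicy rules against constructed connection records, illustrating the point above that rejecting the IRC ports would have stopped the first reported event but not the second (a connection to a honeypot web server on port 80), and that only a destination-specific reject catches the latter. The events and their addresses are constructed (RFC 5737 documentation ranges, not real hosts); the parser handles only IPv4 addresses, CIDR blocks, `*`, single ports and port ranges, ignores Tor's `private` keyword, and approximates the default rules Tor appends with a `default` argument.

```python
"""Evaluate Tor-style ExitPolicy rules against constructed exit connections."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY_PORTS = (1, 65535)


@dataclass
class Rule:
    action: str                                # "accept" or "reject"
    network: Optional[ipaddress.IPv4Network]   # None means "*" (any address)
    ports: Tuple[int, int]                     # inclusive port range


def parse_policy(policy: str) -> List[Rule]:
    """Parse a comma-separated policy such as 'reject *:6667-6669, accept *:*'.

    Toy parser (assumption): IPv4 only, no 'private' keyword, no IPv6 brackets.
    """
    rules = []
    for entry in policy.split(","):
        entry = entry.strip()
        if not entry:
            continue
        action, _, target = entry.partition(" ")
        if action not in ("accept", "reject"):
            raise ValueError(f"unknown action in {entry!r}")
        addr, sep, port = target.strip().rpartition(":")
        if not sep:
            raise ValueError(f"missing port in {entry!r}")
        network = None if addr == "*" else ipaddress.IPv4Network(addr, strict=False)
        if port == "*":
            ports = ANY_PORTS
        elif "-" in port:
            lo, hi = port.split("-", 1)
            ports = (int(lo), int(hi))
        else:
            ports = (int(port), int(port))
        rules.append(Rule(action, network, ports))
    return rules


def decide(rules: List[Rule], dst_ip: str, dst_port: int, default: str = "reject") -> str:
    """First matching rule wins, as in Tor; `default` stands in for Tor's appended rules."""
    ip = ipaddress.IPv4Address(dst_ip)
    for rule in rules:
        in_net = rule.network is None or ip in rule.network
        if in_net and rule.ports[0] <= dst_port <= rule.ports[1]:
            return rule.action
    return default


# Constructed events modelled on the two reports described in the thread.
# Addresses come from the RFC 5737 documentation ranges and are not real hosts.
EVENTS = [
    ("irc_cnc",        "192.0.2.45",   6667),  # connection to a flagged IRC C&C server
    ("http_honeypot",  "198.51.100.7", 80),    # connection to a sinkhole/honeypot web server
    ("ordinary_https", "203.0.113.10", 443),   # a normal user fetching a site over TLS
]


def review(policy: str, events=EVENTS) -> Dict[str, str]:
    """Return, per labelled event, whether the policy would have let it exit."""
    rules = parse_policy(policy)
    return {label: decide(rules, ip, port) for label, ip, port in events}


if __name__ == "__main__":
    for policy in ("reject *:6667-6669, accept *:*",
                   "reject 198.51.100.7:*, reject *:6667-6669, accept *:*"):
        print(policy, "->", review(policy))
```

Running it shows the port-based rule blocking only the IRC event while the honeypot HTTP connection still exits; a reject line pinned to the honeypot address closes that one but does nothing for the next flagged destination, which is why the thread turns to IDS-style filtering of known-bad traffic rather than ever-longer exit policies.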
On Wed, Apr 13, 2011 at 04:24:04PM -0700, Porcelain Mouse wrote:
> It also sounds like you might be interested in more details. Actually, Geoff guessed correctly. Both shutdowns were a result of separate single events in Shadowserver's reports. The first event was a connection to a known C&C IRC server. After the second shutdown, but before I received the new logs, I figured I would just update my exit rules to reject IRC ports. But, the second event was a single connection to one of Shadowserver's honeypot HTTP servers.
Right. If somebody makes a Tor request to a destination that your ISP commonly associates with an infection, then they'll assume you're infected. They don't much care about subtlety.
The exciting part here is that security researchers actually use Tor to examine these infection destinations, because they need to do that examination anonymously rather than from their university or corporate IP space. I know several groups that are using Tor to spot-check their conclusions about bad guys on the Internet -- the double twist is then that some of the bad guys have started to not infect you if you're coming from a Tor IP address (because they want to hide from the security researchers). So in this sense you're safer on the Internet if you're using Tor. :)
> I didn't think there would be any use for an exit that rejected HTTP, too.
Well, exiting to whatever you can exit to is still more valuable than not. More and more stuff is available over port 443 these days, for example.
> grarpamp's suggestion was great, too. I thought of running my own IDS between the exit and my gateway, and, in fact, it's already on my list of projects. I'll add Tor to the list of reasons I should put some effort into it.
> Moritz - Now that I'm no longer fighting with my provider about exits, perhaps I can spare some time. I don't know what you might need, but I would be happy to help, if I can.
> Oh, and speaking of help. I volunteer to update the FAQ, provided that's desirable and the Tor project folks are agreeable. Who should I talk to about that? tor-assistants at torproject.org ?
Sure. Actually, a better approach would be to open a ticket in the 'website' category on our trac: https://trac.torproject.org/projects/tor/newticket
--Roger