Hi,
today I received a registered mail from the BKA, the German federal police, alerting me that some stuff related to the Dragonfly aka Energetic Bear backdoor Oldrea/Havex could be traced back to one of my IPs. The IP in question is the one with which I run my Tor exit node. I phoned the BKA and asked if they would be aware that Dragonfly uses the Tor network to connect to their C&C servers. At least the BKA person on the phone wasn't aware.
Just thought to let you know.
Regards, M.
On Tue, Jul 29, 2014 at 10:50 AM, manuel@myops.de wrote:
> today I received a registered mail from the BKA, the German federal police, alerting me that some stuff related to the Dragonfly aka Energetic Bear backdoor Oldrea/Havex could be traced back to one of my IPs. The IP in question is the one with which I run my Tor exit node.
This is *probably* because an infected machine somewhere has been configured to send *all* of its network traffic through Tor, including traffic originated by the malware. I don't know why that would make the BKA concerned enough to bother sending you a registered letter, but here is my boilerplate response to queries like that:
[standard Tor exit explanation, then:]
| Scanners that aim to detect misconfigured, vulnerable, or infected
| computers will, from time to time, pick up Tor exits as false
| positives, whenever they happen to be emitting traffic that
| originates from such computers. By design, we have no way to pass
| your report along to the true source of the traffic. We can assure
| you that the actual computer at [EXIT'S IP ADDRESS] is not infected
| with any malware and is kept up to date with security fixes.
| However, you should expect it to continue to appear in your scans as
| a false positive.
Hello Manuel and many thanks for running an exit!
When I check your IP, I see the website with the hint about Tor (1). But when I ask RIPE, I only get the info of your ISP Contabo without any information about Tor (2). Perhaps it would help to insert an additional comment in the "remarks" field, like the CCC does (3).
=> A question to other exit operators: Does it help when the Whois record contains information about Tor? Or do the police contact you anyway?
Best regards and stay wiretapped!
Anton
1) http://193.37.152.241
2) https://apps.db.ripe.net/search/query.html?searchtext=193.37.152.241
3) https://apps.db.ripe.net/search/query.html?searchtext=77.244.254.227

--
no.thing_to-hide at cryptopathie dot eu
0x30C3CDF0, RSA 2048, 24 Mar 2014
0FF8 A811 8857 1B7E 195B 649E CC26 E1A5 30C3 CDF0
Bitmessage (no metadata): BM-2cXixKZaqzJmTfz6ojiyLzmKg2JbzDnApC
On 29/07/14 16:50, manuel@myops.de wrote:
> Hi,
> today I received a registered mail from the BKA, the German federal police, alerting me that some stuff related to the Dragonfly aka Energetic Bear backdoor Oldrea/Havex could be traced back to one of my IPs. The IP in question is the one with which I run my Tor exit node. I phoned the BKA and asked if they would be aware that Dragonfly uses the Tor network to connect to their C&C servers. At least the BKA person on the phone wasn't aware.
> Just thought to let you know.
> Regards, M.