I received the following email from my ISP, the IP belongs to the tor exit node. I am wondering if the DHS is sending it out to all tor exit nodes?
We received a notice from Homeland Security that a device using your current IP address is infected with the Avalanche Malware. The full details are below. Please run antivirus and network security software on all your devices immediately.
Thank you,
ISP
A trusted third party notified the Department of Homeland Security United States National Cybersecurity & Communications Integration Center (NCCIC) that one or more machines on your network was infected with malware associated with the Avalanche botnet infrastructure during December 2016. Avalanche is a large global network hosting infrastructure used by cyber criminals to conduct phishing and malware distribution campaigns and money mule schemes. A system infected with Avalanche associated malware may be subject to malicious activity including the theft of user credentials and other sensitive data, such as banking and credit card information. Some of the malware has the capability to encrypt user files and demand a ransom be paid by the victim to regain access to those files. In addition, the malware may allow criminals unauthorized remote access to the infected computer. Infected systems could be used to conduct distributed denial-of-service (DDoS) attacks. For additional information, please see the following US-CERT Technical Alert (TA16-336A): https://www.us-cert.gov/ncas/alerts/TA16-336A
Hi Monkey Pet,
On Mon, Jan 23, 2017 at 05:57:42PM -0800, Monkey Pet wrote:
> I received the following email from my ISP, the IP belongs to the tor exit node. I am wondering if the DHS is sending it out to all tor exit nodes?
We receive Avalanche e-mails via our ISP, too. It started in early December. As our exit relays are in Germany, the sender is not the DHS but its German counterpart BSI/CERT-Bund reports@reports.cert-bund.de. The English part of these e-mails reads as follows:
======================================================================
Dear Sir or Madam,
this is a notification on systems on your network most likely infected with malware.
With an internationally coordinated operation, law enforcement agencies took down the 'Avalanche' botnet infrastructure. The infrastructure was used by cybercriminals for controlling various botnets. Additional information is available at: https://www.europol.europa.eu/newsroom
In the course of this operation, domain names used by malware related to those botnets for contacting command-and-control servers operated by the criminals have been redirected to so called 'sinkholes'. Additional information on this technique is available at: https://reports.cert-bund.de/en/malware
Any connection to a sinkhole is usually a good indicator for the host sending the request being infected with an associated malware. CERT-Bund receives log data from the sinkholes for notification of the responsible network operators.
Please find below a list of logged requests to the sinkholes from your networks. Each record includes the IP address, a timestamp and the name of the corresponding malware family. If available, the record also includes the source port, target IP, target port and target hostname for each connection.
A value of 'generic' for the malware family means:
a) The affected system connected to a domain name related to the Avalanche botnet infrastructure which could not be mapped to a particular malware family yet.
or
b) The HTTP request sent by the affected system did not include a domain name. Thus, on the sinkhole it could not be decided which domain name the affected system resolved to connect to the respective IP address.
Most of the malware families reported here include functions for identity theft (harvesting of usernames and passwords) and/or online-banking fraud. Further information on the different malware families as well as additional help is available at: https://www.bsi-fuer-buerger.de/EN/avalanche
We would like to ask you to check the issues reported and to take appropriate action to get the infected hosts cleaned up or notify your customers accordingly.
This message is digitally signed using PGP. Information on the signature key is available at: https://reports.cert-bund.de/en/
Please note: This is an automatically generated message. Replying to the sender address is not possible. In case of questions, please contact certbund@bsi.bund.de.
======================================================================
In our understanding, there is nothing we can do. The e-mails do not even demand that we do anything. It is just a friendly warning that other people's computers are infected with malware, which we knew before.
The Tor project offers an RBL containing all current exit relays, so we would ask the sender of these e-mails to consult that list and stop bothering people who run Tor exit relays.
Cheers, Christian
tor-relays@lists.torproject.org
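The triage Christian describes, as an added example that is not part of the thread and not code from the Tor project or CERT-Bund: parse sinkhole records in the layout the notice lists (IP, timestamp, malware family, then optional source port, target IP, target port and target hostname), and separate requests that came from a known Tor exit relay from those that should actually go to a network operator. The record file, the CSV column names and the exit-relay list below are all constructed sample data (TEST-NET addresses, not real relays); a sender doing this for real would substitute the Tor project's current exit list, for example the bulk exit list at https://check.torproject.org/torbulkexitlist or a TorDNSEL lookup, which is what the "RBL" in the message refers to.

```python
"""Triage sinkhole notifications against a list of Tor exit relays.

Added example for the tor-relays thread above; not the notifier's real
pipeline. Records and exit list are constructed sample data.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sinkhole log. Column order follows the notice: the first
# three fields are always present, the last four only "if available".
SAMPLE_RECORDS = """\
ip,timestamp,malware,src_port,dst_ip,dst_port,hostname
198.51.100.7,2016-12-03T11:42:10Z,generic,51234,192.0.2.10,80,
198.51.100.7,2016-12-03T11:43:52Z,tinba,51240,192.0.2.10,80,sinkholed.invalid
203.0.113.5,2016-12-04T08:15:00Z,matsnu,40001,192.0.2.11,443,other.invalid
203.0.113.26,2016-12-04T09:00:00Z,generic,,,,
"""

# Constructed "known exit relays" (assumption: one address or CIDR per
# line, '#' comments). The real list would come from the Tor project.
SAMPLE_EXIT_LIST = """\
# constructed exit-relay list, not real relays
198.51.100.7
203.0.113.0/28
"""


@dataclass
class SinkholeRecord:
    ip: IPAddress
    timestamp: datetime
    malware: str
    src_port: Optional[int] = None
    dst_ip: Optional[IPAddress] = None
    dst_port: Optional[int] = None
    hostname: Optional[str] = None


def _opt_int(value: str) -> Optional[int]:
    """Empty CSV cell -> None, otherwise an integer port."""
    return int(value) if value else None


def parse_records(text: str) -> List[SinkholeRecord]:
    """Parse the CSV sinkhole log; missing optional fields become None."""
    records: List[SinkholeRecord] = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(SinkholeRecord(
            ip=ipaddress.ip_address(row["ip"]),
            timestamp=ts.replace(tzinfo=timezone.utc),
            malware=row["malware"] or "generic",
            src_port=_opt_int(row["src_port"]),
            dst_ip=ipaddress.ip_address(row["dst_ip"]) if row["dst_ip"] else None,
            dst_port=_opt_int(row["dst_port"]),
            hostname=row["hostname"] or None,
        ))
    return records


def load_exit_list(text: str) -> List[IPNetwork]:
    """Read addresses/CIDRs, one per line, ignoring blanks and comments."""
    nets: List[IPNetwork] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_exit_relay(ip: IPAddress, exits: List[IPNetwork]) -> bool:
    """True if the source IP falls inside any listed exit-relay network."""
    return any(ip in net for net in exits)


def triage(records: List[SinkholeRecord],
           exits: List[IPNetwork]) -> Dict[str, List[SinkholeRecord]]:
    """Split records: traffic from an exit relay carries no information
    about the operator's own hosts, so only the rest warrants a notice."""
    out: Dict[str, List[SinkholeRecord]] = {"exit_relay": [], "notify": []}
    for rec in records:
        key = "exit_relay" if is_exit_relay(rec.ip, exits) else "notify"
        out[key].append(rec)
    return out


def summarize(records: List[SinkholeRecord]) -> List[str]:
    """One 'ip malware' line per distinct pair, for a human-readable report."""
    return sorted({f"{rec.ip} {rec.malware}" for rec in records})


if __name__ == "__main__":
    result = triage(parse_records(SAMPLE_RECORDS), load_exit_list(SAMPLE_EXIT_LIST))
    print("suppressed (exit relays):", summarize(result["exit_relay"]))
    print("notify operator:", summarize(result["notify"]))
```

On the sample data the two 198.51.100.7 records and the 203.0.113.5 record are dropped as exit-relay traffic, and only 203.0.113.26 remains to be reported. The CIDR entries matter because exit lists are often published as ranges, and the `strict=False` flag lets a list entry like `203.0.113.5/28` be read as its containing network rather than rejected.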