[tor-relays] Tor and Viruses

Geoff Down geoffdown at fastmail.net
Wed Apr 13 14:02:08 UTC 2011



On Tue, 12 Apr 2011 20:46 -0700, "Porcelain Mouse"
<porcelain_mouse at q.com> wrote:
> Greetings All,
> 
>  	I've been running an exit for about 5 months, but had to stop due 
> to virus abuses.  In the last two weeks, my ISP has partially blocked my 
> Internet access twice due to suspected virus infections.  I'll spare you 
> the long story, but I was able to get a copy of their "evidence" and I'm 
> fairly certain it was connections made through my Tor relay.
> 
>   1) How common is it that Tor is abused by viruses?  What is the trend?
>   2) Is this just standard virus-kit material, these days?
> 
> I guess I was a little surprised.  Obviously, this is a great idea for 
> hiding the infection site, so I'm sure it's being done.  But still, I've 
> been fighting viruses for quite a while and I don't think I've read a 
> single virus description that mentioned Tor.  I'm sure it's happening, but 
> I've never heard a single statistic about it, so I thought I would ask.
> 
> Also, this type of abuse is *not* mentioned on the Tor wiki's Abuse FAQ 
> under "What should I expect if I run an exit relay?"  I read that section 
> carefully and was prepared for most of the things mentioned.  Again, I'm 
> not completely shocked.  I'm just saying it didn't seem likely, according 
> to the FAQ.  It would be nice to know how likely this kind of abuse is, 
> and what the trend is.  (And, maybe someone can add the results to the FAQ 
> when we have an answer.)
> 
> Thanks,
> PMouse

It's still not common. I assume a zombie computer somewhere was trying
to connect to a Command&Control server via Tor - a C&C which is being
sinkholed by anti-malware researchers or is otherwise flagged. So your
exit machine looks as if it is infected.
We should start thinking hard about how to stop botnets using Tor.
GD
