[tor-relays] Tor and Viruses

Roger Dingledine arma at mit.edu
Sun Apr 17 04:34:01 UTC 2011 

On Wed, Apr 13, 2011 at 04:24:04PM -0700, Porcelain Mouse wrote:
> I also sounds like you might be interested in more details.  Actually,  
> Geoff guessed correctly.  Both shutdowns where a result of separate 
> single events in Shadowserver's reports.  The first event was a 
> connection to a known C&C IRC server.  After the second shutdown, but 
> before I received the new logs, I figured I would just update my exit 
> rules to reject IRC ports.  But, the second event was a single connection 
> to one of Shadowserver's honeypot HTTP servers.

Right. If somebody makes a Tor request to a destination that your
ISP commonly associates with an infection, then they'll assume you're
infected. They don't much care about subtlety.

The exciting part here is that security researchers actually use Tor
to examine these infection destinations, because they need to do that
examination anonymously rather than from their university or corporate
IP space. I know several groups that are using Tor to spot-check their
conclusions about bad guys on the Internet -- the double twist is then
that some of the bad guys have started to not infect you if you're coming
from a Tor IP address (because they want to hide from the security
researchers). So in this sense you're safer on the Internet if you're
using Tor. :)

>  I didn't think there 
> would be any use for an exit that rejected HTTP, too.

Well, exiting to whatever you can exit to is still more valuable than not.
More and more stuff is available over port 443 these days, for example.

> grarpamp's suggestion was great, too.  I thought of running my own IDS  
> between the exit and my gateway, and, in fact, it's already on my list of 
> projects.  I'll add Tor to the list of reasons I should put some effort  
> into it.
>
> Moritz - Now that I'm no longer fighting with my provider about exits,  
> perhaps I can spare some time.  I don't know what you might need, but I  
> would be happy to help, if I can.
>
> Oh, and speaking of help.  I volunteer to update the FAQ, provided that's 
> desirable and the Tor project folks are agreeable.  Who should I talk to  
> about that?  tor-assistants at torproject.org ?

Sure. Actually, a better approach would be to open a ticket in the
'website' category on our trac:
https://trac.torproject.org/projects/tor/newticket

--Roger

More information about the tor-relays mailing list