[tor-relays] Fwd: [Abuse[...]] GameoverZeus-Infektionen

Ch'Gans chgans at gna.org
Fri Jul 18 09:08:15 UTC 2014

Hi there,

I'm here to look for advice or comments on how to handle abuse reports 
when you run a TOR relay exit on a "server for the mass".
I'm running the TOR exit node 18B6EBAF10814335242ECA5705A04AAD29774078 
on Hetzner netowrk (50E/month, this is my contribution to the TOR project)
So far I had to deal with few "easy" abuse reports (ssh scan, forum 
insults, spams, ...), I think i performed pretty well so far (thanks to 
Hetzner cooperation?)

But today I just received this botnet related one. I do take this report 
seriously, I know that malware are more and more using the TOR network 
as an anonymous covert, I don't like malware, I don't like malicious 
botnet and I don't like spammers. Still I end up being identify as one 
of them.

I knew from day one that it was a risky business to run an exit TOR 
node, but I want to stand up and fight. If only I can convince people of 
my right doing.

First of all I am quite surprised that cert-bund.de (the complainant) 
didn't notice that I am a TOR exit node, so my first question (for 
people familiar with these guys) is:
- How legit are these guys? Do they run for the German government? Are 
their simply trying to scare the shit out of me by citing 
europol.europa.eu, and us-cert.gov? (see redacted forwarded message 
below, my own opinion is "Yes")
- Do they simply spam hosting company each time they have a probe 
sensing something somewhere (I know it's vague, but I can use that as a 
"this complainant is a spammer" kind of argument)

Any other thoughts/remarks/comment on that matter?


Thought of the day:
Nowadays it looks like server administrator tend to send abuse report 
each time they receive an illegal ping request!
Testimony of the day:
Last time I received an "SSH scan" abuse report, I sent back my SSH 
honeypot logs, which contains more than 5k login attempts per day.

-------- Original Message --------
----- attachment -----
Dear Sir or Madam

"Gameover Zeus" is malicious software which is primarily used by
cybercriminals to carry out online banking fraud and to spy out
login credentials for online services on infected PCs. It can also
be used to install further malicious software (including
blackmailing trojans such as "CryptoLocker" ransomware) on PCs
or to carry out DDoS attacks.

In a joint international campaign since the end of May 2014,
law enforcement agencies, with the support of private sector partners,
have taken action against the "Gameover Zeus" botnet [1].

As part of this campaign, it has now been possible to identify the
IP addresses of systems infected with "Gameover Zeus" [2].

We are sending you a list of infected systems in your net area.

Would you please examine the situation thoroughly and take appropriate
measures to cleanse the systems.


[1] Europol: International action against 'Gameover Zeus' botnet and
     'CryptoLocker' ransomware

[2] ShadowServer: Gameover Zeus & Cryptolocker

[3] US-CERT: GameOver Zeus P2P Malware

A list of infected systems in your net area:

Kind regards,
Team CERT-Bund

More information about the tor-relays mailing list