[tor-relays] Fwd: [Abuse[...]] GameoverZeus infections

no.thing_to-hide at cryptopathie.eu no.thing_to-hide at cryptopathie.eu
Fri Jul 18 20:24:31 UTC 2014



Hello Chris and many thanks for running a fast exit!

CERT Bund is the CSIRT of the German Federal Office for Information
Security (BSI = Bundesamt fuer Sicherheit in der Informationstechnik)
(1)(2). They surely know Tor, because they distribute security advisories
for our anonymizer project (3)(4)(5).

But in your case I guess that their operator did not know that you run
an exit, or at least did not look at the exit list.

When I do a Whois lookup of your server (6), there is only the link to
Hetzner. When I do the same for exits of Zwiebelfreunde or CCC, there
is the hint about Tor:
"This network is used for research in anonymisation services and
provides a TOR exit node to end users." (7)(8). In the case of
Zwiebelfreunde there is also a web server running on the exit with a
homepage (9).

Probably such a hint will help against a few complaints in the future.

Best regards and stay wiretapped!

Anton

1) https://www.bsi.bund.de/EN/Topics/IT-Crisis-Management/Cert-Bund/cert-bund_node.html
2) https://www.bsi.bund.de/EN/Home/home_node.html
3) https://www.cert-bund.de/advisoryshort/CB-K13-0005
4) https://www.cert-bund.de/advisoryshort/CB-K14-0112
5) https://www.cert-bund.de/advisoryshort/CB-K14-0722
6) https://apps.db.ripe.net/search/query.html?searchtext=5.9.21.19
7) https://apps.db.ripe.net/search/query.html?searchtext=77.247.181.164
8) https://apps.db.ripe.net/search/query.html?searchtext=77.244.254.227
9) http://77.247.181.164

-- 
no.thing_to-hide at cryptopathie dot eu
0x30C3CDF0, RSA 2048, 24 Mar 2014
0FF8 A811 8857 1B7E 195B 649E CC26 E1A5 30C3 CDF0
Bitmessage (no metadata): BM-2cXixKZaqzJmTfz6ojiyLzmKg2JbzDnApC



On 18/07/14 11:08, Ch'Gans wrote:
> Hi there,
> 
> I'm here to look for advice or comments on how to handle abuse
> reports when you run a TOR relay exit on a "server for the mass".
> I'm running the TOR exit node
> 18B6EBAF10814335242ECA5705A04AAD29774078 on Hetzner network
> (50E/month, this is my contribution to the TOR project). So far I
> had to deal with a few "easy" abuse reports (ssh scan, forum insults,
> spams, ...), I think I performed pretty well so far (thanks to
> Hetzner cooperation?)
> 
> But today I just received this botnet related one. I do take this
> report seriously, I know that malware is more and more using the
> TOR network as an anonymous covert, I don't like malware, I don't
> like malicious botnets and I don't like spammers. Still I end up
> being identified as one of them.
> 
> I knew from day one that it was a risky business to run an exit
> TOR node, but I want to stand up and fight. If only I can convince
> people of my right doing.
> 
> First of all I am quite surprised that cert-bund.de (the
> complainant) didn't notice that I am a TOR exit node, so my first
> question (for people familiar with these guys) is: - How legit are
> these guys? Do they run for the German government? Are they simply
> trying to scare the shit out of me by citing europol.europa.eu, and
> us-cert.gov? (see redacted forwarded message below, my own opinion
> is "Yes") Then - Do they simply spam hosting companies each time they
> have a probe sensing something somewhere (I know it's vague, but I
> can use that as a "this complainant is a spammer" kind of
> argument)
> 
> Any other thoughts/remarks/comment on that matter?
> 
> Regards, Chris
> 
> Thought of the day: Nowadays it looks like server administrators
> tend to send an abuse report each time they receive an illegal ping
> request! Testimony of the day: Last time I received an "SSH scan"
> abuse report, I sent back my SSH honeypot logs, which contain more
> than 5k login attempts per day.
> 
> 
> -------- Original Message -------- [..] ----- attachment -----
> 
> Dear Sir or Madam
> 
> "Gameover Zeus" is malicious software which is primarily used by 
> cybercriminals to carry out online banking fraud and to spy out 
> login credentials for online services on infected PCs. It can also 
> be used to install further malicious software (including 
> blackmailing trojans such as "CryptoLocker" ransomware) on PCs or
> to carry out DDoS attacks.
> 
> In a joint international campaign since the end of May 2014, law
> enforcement agencies, with the support of private sector partners, 
> have taken action against the "Gameover Zeus" botnet [1].
> 
> As part of this campaign, it has now been possible to identify the 
> IP addresses of systems infected with "Gameover Zeus" [2].
> 
> We are sending you a list of infected systems in your net area.
> 
> Would you please examine the situation thoroughly and take
> appropriate measures to cleanse the systems.
> 
> Sources:
> 
> [1] Europol: International action against 'Gameover Zeus' botnet
> and 'CryptoLocker' ransomware
> <https://www.europol.europa.eu/content/international-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware>
> 
> [2] ShadowServer: Gameover Zeus & Cryptolocker
> <http://blog.shadowserver.org/2014/06/08/gameover-zeus-cryptolocker/>
> 
> [3] US-CERT: GameOver Zeus P2P Malware
> <https://www.us-cert.gov/ncas/alerts/TA14-150A>
> 
> A list of infected systems in your net area: [...]
> 
> Kind regards, Team CERT-Bund

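Anton's point is that the complainant could have checked the Tor exit list before reporting the exit's address as an infected host. The following is an added example (not code from the thread or from the Tor Project) of that triage step for an abuse desk: it parses the TorDNSEL-style `exit-addresses` format that the Tor Project publishes at https://check.torproject.org/exit-addresses and splits a report's IP list into known exits and addresses that still need an infection check. The exit-list text below is constructed in that format; it reuses the fingerprint and IP quoted in the thread, while the second relay, the timestamps and the other addresses are made up.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the exit-addresses format. Relay 18B6...4078 and
# 5.9.21.19 come from the thread; everything else is invented for the demo.
SAMPLE_EXIT_LIST = """\
ExitNode 18B6EBAF10814335242ECA5705A04AAD29774078
Published 2014-07-18 08:00:00
LastStatus 2014-07-18 09:00:00
ExitAddress 5.9.21.19 2014-07-18 09:02:11
ExitNode 000000000000000000000000000000000000AAAA
Published 2014-07-10 07:30:00
LastStatus 2014-07-10 09:00:00
ExitAddress 198.51.100.7 2014-07-10 09:05:42
ExitAddress 198.51.100.8 2014-07-10 09:05:43
"""

def parse_exit_list(text):
    """Map each ExitAddress to (relay fingerprint, last seen as UTC datetime).

    A relay may list several ExitAddress lines; each becomes its own entry.
    """
    exits, fingerprint = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ExitNode":
            fingerprint = parts[1]
        elif parts[0] == "ExitAddress" and fingerprint:
            seen = datetime.strptime(f"{parts[2]} {parts[3]}", "%Y-%m-%d %H:%M:%S")
            exits[parts[1]] = (fingerprint, seen.replace(tzinfo=timezone.utc))
    return exits

def triage_report(reported_ips, exit_list_text, event_time, window=timedelta(hours=24)):
    """Split reported IPs into Tor exits and addresses to investigate.

    An IP counts as a Tor exit only if the list saw it exiting within
    `window` of the reported event, since exit addresses change over time
    (for older events the Tor Project's ExoneraTor service keeps history).
    A match means the exit relayed some Tor user's traffic; the report does
    not show that the exit host itself is infected.
    """
    exits = parse_exit_list(exit_list_text)
    tor_exits, to_investigate = {}, []
    for ip in reported_ips:
        if ip in exits and abs(event_time - exits[ip][1]) <= window:
            tor_exits[ip] = exits[ip][0]
        else:
            to_investigate.append(ip)
    return tor_exits, to_investigate
```

Running it against a report dated 2014-07-18 would attribute 5.9.21.19 to the relay from the thread, leave 203.0.113.9 for a normal infection check, and also keep 198.51.100.8 under investigation because its exit sighting is eight days too old to explain the event.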
