[tor-relays] Possible tor usage by Dragonfly aka Energetic Bear

Zack Weinberg zackw at cmu.edu
Tue Jul 29 18:19:04 UTC 2014

On Tue, Jul 29, 2014 at 10:50 AM,  <manuel at myops.de> wrote:
> today I received a registered mail by the BKA, the german federal
> police, alerting me that some stuff related to the Dragonfly aka
> Energetic Bear backdoor Oldrea/Havex could be traced back to one
> of my ips. The ip in questions is the one with which I run my tor
> exit node.

This is *probably* because an infected machine somewhere has been
configured to send *all* of its network traffic through Tor, including
traffic originated by the malware. I don't know why that would make
the BKA concerned enough to bother sending you a registered letter,
but here is my boilerplate response to queries like that:

[standard Tor exit explanation, then:]

| Scanners that aim to detect misconfigured, vulnerable, or infected
| computers will, from time to time, pick up Tor exits as false
| positives, whenever they happen to be emitting traffic that
| originates from such computers. By design, we have no way to pass
| your report along to the true source of the traffic. We can assure
| you that the actual computer at [EXIT'S IP ADDRESS] is not infected
| with any malware and is kept up to date with security fixes.
| However, you should expect it to continue to appear in your scans as
| a false positive.

More information about the tor-relays mailing list