[tor-relays] Fwd: US-CERT Avalanche Notification INC000010

Tue Jan 24 13:00:15 UTC 2017

Hi Monkey Pet,

On Mon, Jan 23, 2017 at 05:57:42PM -0800, Monkey Pet wrote:
> I received the following email from my ISP, the IP belongs to the tor exit
> node. I am wondering if the DHS is sending it out to all tor exit nodes?

We receive Avalanche e-mails via our ISP, too. It started in early
December. As our exit relays are in Germany, the sender is not the DHS
but its German counterpart BSI/CERT-Bund <reports at reports.cert-bund.de>.
The English part of these e-mails reads as follows:

======================================================================

Dear Sir or Madam,

this is a notification on systems on your network most likely
infected with malware.

With an internationally coordinated operation, law enforcement
agencies took down the 'Avalanche' botnet infrastructure.
The infrastructure was used by cybercriminals for controlling
various botnets. Additional information is available at:
<https://www.europol.europa.eu/newsroom>

In the course of this operation, domain names used by malware
related to those botnets for contacting command-and-control
servers operated by the criminals have been redirected to
so called 'sinkholes'. Additional information on this technique
is available at:
<https://reports.cert-bund.de/en/malware>

Any connection to a sinkhole is usually a good indicator for the
host sending the request being infected with an associated malware.
CERT-Bund receives log data from the sinkholes for notification
of the responsible network operators.

Please find below a list of logged requests to the sinkholes from
your networks. Each record includes the IP address, a timestamp
and the name of the corresponding malware family. If available,
the record also includes the source port, target IP, target port
and target hostname for each connection.

A value of 'generic' for the malware family means:
a) The affected system connected to a domain name related to the
   Avalanche botnet infrastructure which could not be mapped to
   a particular malware family yet.
or
b) The HTTP request sent by the affected system did not include
   a domain name. Thus, on the sinkhole it could not be decided
   which domain name the affected system resolved to connect to
   the respective IP address.

Most of the malware families reported here include functions for
identity theft (harvesting of usernames and passwords) and/or
online-banking fraud. Further information on the different
malware families as well as additional help is available at:
<https://www.bsi-fuer-buerger.de/EN/avalanche>

We would like to ask you to check the issues reported and to take
appropriate action to get the infected hosts cleaned up or notify
your customers accordingly.

This message is digitally signed using PGP. Information on the
signature key is available at:
<https://reports.cert-bund.de/en/>

Please note:
This is an automatically generated message.
Replying to the sender address is not possible.
In case of questions, please contact <certbund at bsi.bund.de>.

======================================================================

In our understanding, there is nothing we can do. The e-mails do not
even demand that we do anything. It is just a friendly warning that
other people's computers are infected with malware, which we knew
before.

The Tor project offers an RBL containing all current exit relays, so
we would ask the sender of these e-mails to consult that list and stop
bothering people who run Tor exit relays.

Cheers,
Christian

-- 
  Digitalcourage e.V., Marktstr. 18, D-33602 Bielefeld, Germany
  https://digitalcourage.de | https://bigbrotherawards.de
Verfassungsbeschwerde gegen Vorratsdatenspeicherung: https://digitalcourage.de/weg-mit-vds
Appell gegen den geplanten Datenschutz-Abbau: https://digitalcourage.de/rettet-den-datenschutz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20170124/6ee23a71/attachment.sig>