[tor-talk] "zeus" virus

borderguard at riseup.net borderguard at riseup.net
Fri Aug 24 16:03:14 UTC 2012


CenturyLink's ToS prohibits the use of services such as Tor exit nodes on
residential connections. You may want to focus on running a relay instead
of an exit node. They can (and will) disconnect you permanently for repeat
violations. It's because the ISP can detect the signature of the traffic
the virus Zeus leaves and shut down the connection. Since it's an FBI
flagged virus that was mutated starting around May 2011 and because
CenturyLink has had issues where about 300 emails were suspended for SPAM
violations in the past month, they will not allow infected machines on
their network.

https://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29

Additionally, it might not be you, but someone whose machine is infected,
or using your node as an exit point for the command and control server
hiding behind it.
>
> Message: 1
> Date: Thu, 23 Aug 2012 14:16:03 -0700
> From: scar <scar at drigon.com>
> To: tor-talk at lists.torproject.org
> Subject: Re: [tor-talk] "zeus" virus
> Message-ID: <k166ij$6jg$1 at ger.gmane.org>
> Content-Type: text/plain; charset=UTF-8
>
> David H. Lipman @ 08/23/2012 01:40 PM:
>> Whatever the case, malicious bot activity is being detected and thus you
>> should stop using Tor and you should make sure your computer(s) are
>> clean.
>
> well, no, i'm not gonna do that. ;) the server is running linux and not
> infected.
> when i started running this tor exit router i received copyright
> complaints from the MPAA and my service was shut down, and i fixed my
> torrc to block the p2p ports.  then it started getting shut down for
> viruses, and i've continued to update my torrc.  now it only happens 2-3
> times a month and CenturyLink always promptly reactivates my service.
> this is just a case of 'a few bad apples' and i have the (cheap)
> bandwidth to spare, so no plans to stop using Tor just yet.
>
> frankly, i don't get how this zeus trojan can operate without
> destination addresses. in fact it seems to me it would be utterly
> useless as a trojan if there weren't destination addresses.  then again
> i've been out of the loop as technology has progressed.  if that is
> really the case, i'm wondering if there is a way to add a firewall rule
> that will block traffic that is looking for "config.bin" and
> "update32.php", and whether that would really block this malicious
> traffic....
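As an added illustration (not code from anyone in this thread): the request-path signature match an ISP IDS or a web proxy log review could apply for the two filenames mentioned above, run here over constructed log lines in an assumed Apache-style format with made-up addresses. A Tor exit only forwards TCP streams and does not see or log request paths, so this is the network operator's view, and the filename alone is a weak indicator that a different bot build would not trip.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log lines (hypothetical Apache-style access log; the
# addresses and timestamps are made up for this example).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Aug/2012:15:58:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [24/Aug/2012:15:58:04 +0000] "POST /bot/update32.php HTTP/1.1" 200 38
10.0.0.9 - - [24/Aug/2012:15:58:09 +0000] "GET /cfg/config.bin?id=7 HTTP/1.1" 200 4096
10.0.0.5 - - [24/Aug/2012:15:58:12 +0000] "GET /update32.php.html HTTP/1.1" 404 0
"""

# Request-path basenames the thread names as the Zeus traffic signature.
SUSPECT_BASENAMES = {"config.bin", "update32.php"}

# Source, timestamp, method, request target and status from a common-format line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def request_basename(target):
    """Last path segment of the request target, ignoring any query string."""
    path = urlsplit(target).path
    return path.rsplit("/", 1)[-1]


def find_suspect_requests(log_text):
    """Return (src, method, target, status) for requests whose path basename
    exactly matches a suspect filename. Exact match, not substring: the
    '/update32.php.html' line below is deliberately not reported."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if request_basename(m.group("target")).lower() in SUSPECT_BASENAMES:
            hits.append((m.group("src"), m.group("method"),
                         m.group("target"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print("suspect request:", hit)
```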
