Update: Microsoft did not remotely uninstall Tor software from computers to halt botnet


Microsoft remotely uninstalled Tor software from computers to halt botnet

When a virus strikes, the first line of defense is antivirus software. But when a botnet is running wild, things aren’t quite as simple. In the middle of last year, millions of computers around the world were infected with Sefnit malware. Communicating over the anonymizing Tor software automatically downloaded and installed by the malware, Microsoft had a battle against a huge botnet on its hands.

The company took an interesting, and ultimately very effective, line of attack against the botnet. In addition to remotely removing the malware itself from as many computers as possible, Microsoft also wiped out copies of Tor in a bid to stop the malware from communicating and spreading.

It was possible to identify which machines had Tor installed by the malware — rather than those whose owners had purposely installed it — by detecting which folder it had been installed to. Tor can be installed anywhere, of course, but most people stick to the default folder, or use one of a few common variants. When installed by malware, Tor was installed in a strange location.

In this instance it was very helpful that Microsoft could detect the presence of a particular piece of software and remove it from computers without the owners being aware of anything that was taking place.

How do you feel about this capable of Microsoft? It is worrying or reassuring that the company is able to remove software from your computer? Looked at in terms of malware, few people would have a problem with having their system protected for them, but Tor also has plenty of legitimate uses — it is fair to have software uninstalled without consent?


Since posting this article, we have spoken with Microsoft who want to make clear that Tor was not in fact removed from any computers — the original source was incorrect. A Microsoft spokesperson said: “Microsoft Malware Protection Center has protections to remove the services started by the Sefnit malware, but it does not uninstall Tor, remove any Tor binaries, or prevent users from using Tor.”