Why Microsoft Remotely Removed Tor

Earlier this week several news outlets and blogs wrote about how Microsoft handled the removal of the Sefnit botnet. The malware was using Tor for click fraud and bitcoin mining purposes. Microsoft took action by removing the malware from some two million systems. The removal process included the deletion of an older version of Tor used by Sefnit. Many were unhappy over Microsoft’s decision to remove Tor, but there’s more to the story.

Tor User Stats

What happened and should Microsoft have taken the steps it did to remove Sefnit and Tor from the infected systems?  First of all Microsoft didn’t just reach into any Windows machine that was infected.  This was limited to users of their malware protection tool.  These users agree to have Microsoft take control of protecting their systems and that’s exactly what happened.

Could Microsoft have removed the Sefnit malware without deleting Tor? It doesn’t sound like it. Sefnit installed an old version of Tor in order to use the network for malicious purposes. Microsoft knew that Tor version 0.2.3.25 was susceptible and isn’t set up to auto-update. For these reasons they deleted just the Tor executable file.

The Microsoft security team contacted Tor to ask if a normal user would install Tor in the directory used by Sefnit. Since that was very unlikely, it helped Microsoft arrive at the solution of removing the Sefnit botnet together with the Tor executable that the malware had installed.

Was Microsoft in the wrong?  I don’t think so.  In this case they took the steps necessary to help protect users of their malware protection tool.  These users agree to having their systems managed to protect them from threats like Sefnit.  The action made for some interesting headlines and conversations but I think the drama was overdone.
