Microsoft took down yet another botnet, but its method for doing so may not sit well with a lot of people, as the company removed software from their computers without their knowledge.
In October 2013, Microsoft targeted a Tor-based botnet malware called "Sefnit," which used the Tor network to anonymously perform click fraud. It was a fairly sizable network, with 3 million users per day, which hijacked user computers to click on ads that earned the Sefnit operators money via a commission.
For those of you who don't know, Tor, the abbreviated name for The Onion Router, is free software designed to protect online anonymity. Tor directs Internet traffic through a free, worldwide volunteer network designed to hide a user's location or usage from anyone conducting network surveillance or traffic analysis. While it's popular with hacktivists and people genuinely concerned about privacy, it's also a haven for illegal activity, such as the Silk Road drug dealing website.
Microsoft went after the Tor software because it found that some popular apps, like Browser Protector and FileScout, were bundled with a vulnerable version of Tor Browser and Sefnit components. It found that infected PCs had v0.2.3.25 of Tor Browser, which did not self-update.
On October 27, 2013, Microsoft modified the antivirus signature database used by all of its security products to remove the Sefnit-added Tor client service from user PCs. The update was pushed through in the November Patch Tuesday update.
Microsoft estimates it has removed about 2 million copies of the malware, and there are another 2 million PCs to reach. A spokesperson for the company issued a statement that said "Microsoft Malware Protection Center (MMPC) has protections to remove the services started by the Sefnit malware, but it does not uninstall Tor, remove any Tor binaries, or prevent users from using Tor."
Now, I've busted out the pompoms for Microsoft's antivirus efforts in the past, and no way will I make an exception. But I have to say that in the case of Sefnit, this looks like a lose-lose situation. They can't leave it out there, but customers are bound to be unnerved by Microsoft removing malicious code from their system this way.
Microsoft has already faced privacy issues around Kinect and Skype. This won't help. They are doing the right thing, but it won't help their image. I think this may call for more than just a blog post on their part.