
Microsoft has since been in touch with Wired.co.uk to clarify that when it removed Sefnit from computers it did not also remove Tor. Instead, it stopped Tor from automatically running, if and only if it had been added by Sefnit.

"Microsoft Malware Protection Centre has protections to remove the services started by the Sefnit malware, but it does not uninstall Tor, remove any Tor binaries, or prevent users from using Tor," a spokesperson told Wired.co.uk. It has attributed the misunderstanding to comments made by security researcher Jacob Appelbaum.


Microsoft has admitted to remotely preventing anonymous web browsing tool Tor from running on many of its users' systems in an attempt to destroy the botnet Sefnit.

The revelation of its "cleanup efforts" was made in a blog post on 9 January that was later spotted by the Daily Dot.


It relates to a piece of malware that went quiet in 2011 before appearing again in June 2013 at the hands of Ukrainian and Israeli hackers identified as Scorpion and Dekadent. Microsoft antivirus researcher Geoff McDonald revealed in a September 2013 post that all signs pointed to the click-fraud botnet in fact having operated since 2010, using Tor to keep its activities hidden.

McDonald found Sefnit was part of the same family as the malware Mevade, which had recently been uncovered for its Tor use. "Within a few weeks, starting mid-August, the number of directly connecting Tor users increased by almost 600 percent -- from about 500,000 users per day to more than 3,000,000," wrote McDonald. The jump in users had been noticed by security forum posters in September, who concluded the activity was down either to a surge in pirating or to a botnet. Either way, it was a loud warning sign to security analysts that something was up, with even Tor stumped as to where the usage was coming from.


Having finally identified the responsible malware, McDonald described how it worked as follows: "The Sefnit click fraud component is now structured as a proxy service based on the open-source 3proxy project. The botnet of Sefnit-hosted proxies are used to relay HTTP traffic to pretend to click on advertisements. In this way, the new version of Sefnit exhibits no clear visible user symptoms to bring attention to the botnet."

According to the Daily Dot, Scorpion and Dekadent were actually using it to enable four million computers to mine bitcoins for them. But whatever the case, it was an old version of Tor, uploaded by Sefnit, that was enabling it.


In his January post, McDonald softened the blow by referring to Tor as a "good application" before explaining why it presents such a problem. Apparently those millions of infected systems were running Tor v0.2.3.25, an old version that does not update automatically. "While no high-severity security bulletins have been issued affecting Tor v0.2.3.25, Tor has a history of high-severity vulnerabilities," he wrote, singling out multiple buffer overflows and a heap corruption issue. "Some of these vulnerabilities can be exploited for the remote execution of arbitrary code without authentication -- essentially giving an attacker access to take over the machine remotely," continued McDonald. "This Tor service is a security risk to the machines even after Sefnit has been removed, since it is probable that a serious security vulnerability will be identified in the future. In summary, this means that a malicious actor may be able to infect millions of machines with any malware at some point in the future."

Tor's executive director Andrew Lewman told the Daily Dot, "It sounds scary until you realise users opt-in for the most part and agree to have their OS kept 'secure' by Microsoft." In practice, though, that means little to a user who may not have read the terms and conditions to the letter but who, in some cases, relies on Tor to protect themselves from government intrusion or surveillance.

Tor is routinely used by political activists operating in nations where their actions could be deemed criminal. However, in October the Guardian revealed that both the NSA and GCHQ had been attempting to break into the Tor network, to no avail. In a document entitled "Tor Stinks", analysts wrote, "We will never be able to de-anonymise all Tor users all the time... With manual analysis we can de-anonymise a very small fraction of Tor users".