Potentially Malicious Tor Browser Update


Layton Mysteries
Joined Jul 5, 2022
The most recent version of the Tor Browser, 12.5.6, is being flagged as infected with what appears to be a mining trojan (Trojan:Win32/Malgent!MTB) by Windows Defender. It is unknown if this is a false positive; however, even if you allow the file to run without quarantine, the Tor Browser fails to establish a circuit. This makes the latest update of the Tor Browser useless on Windows. So far there have been no comments from the Tor Project.
In the meantime, I would personally recommend not updating Tor Browser. If you have updated the browser and can now not get it to function, the alpha build appears to work perfectly fine.
I do not know enough about this to say if it is infected with some malware or not, but still think it is important to let people know this is happening because the update makes Tor Browser useless. I have read speculation that this could be a false positive related to Tor introducing a proof of work DoS mitigation protocol.
Relevant Discussions: r/techsupport, r/TOR, Tor Project Blog
 
Real kiwis would know about kiwifarms.st and, formerly, kiwifarms.pl
You fool, you absolute neanderthal, I've been posting from the .st domain this entire time!

...No, to be fair, it's reasonable to interpret it as you did: to my understanding, KF's technically been back on the clearnet ever since it got the .today (and later) domains and TOR stopped being a requirement, but with the most recent development being the restoration of the "common" domain suffix I can see how I invited misunderstanding.
 
IMO this looks like a false positive. Windows Defender likes to have weird false positives like that, sometimes even contradicting itself on your PC and on Virustotal. I tried opening Tor Browser just now, and it's still on 12.5.5, and it deleted tor.exe. It didn't delete the older .exe from 2022 that I use for the Tor service for proxy.

So what probably happened is that Microsoft fucked up their heuristic update, it's deleting tor.exe, which is the actual program that does the routing, and people are making a big fuss about it because "my antivirus screamed it's a virus so now I'm scared".

Here's the result for the .exe that was in my Tor Browser instance. 3 out of 72 heuristic engines found something, with two of them being some no-name bullshit. And for funsies, here's a result for the same version of tor.exe but compiled for 32-bit Windows. Zero detections despite being the same """compromised""" version as some schizos insinuate, because antivirus detections are patchy like that. You can compile the exact same code for two different architectures and you'll get two different virus detection results.

You can get the expert bundle from here and test it for yourself.

Basically, antiviruses are not the be-all-end-all of finding malicious shit and people are overreacting because a false positive is happening to a very privacy oriented piece of software.

Look up the term "false positive" to learn more about this before losing your mind over things you're imagining due to lack of knowledge.
 
Should I have to worry if I have Brave?
It doesn't seem to affect the latest version of brave for me at least, which would make sense if it is a false positive anti-virus issue. Also from what I can find online it looks like the update on the 27th patched the libvpx vulnerability for Brave, so you should be good to go.
Thanks for clarifying. I'm not very tech savvy with virus stuff, so I wasn't sure. Still is strange that it will not connect to the Tor Network (for me at least) even after removing the quarantine.
 
Windows Defender is fucky like that with the quarantine restoring, so sometimes it just eats whatever it quarantined for good. You can try adding back the .exe manually from the expert bundle and adding an exclusion in Windows Defender beforehand. Drop it in Browser\TorBrowser\Tor\, restart the Tor Browser a few times and it should be good to go.

But yeah, anyone who is unironically insinuating that this is deliberate "glowie" meddling needs to lay off the Internet and go outside, or try and learn a thing or two about how the machine they are using works instead of reading more blackpills before taking out the pitchforks and torches.

False positives happen, and they can happen on a completely clean .exe that's years old, that was never considered malicious, but is now, because there was a change in the heuristics database that suddenly makes it see viruses where there aren't any. And the results can vary purely on the executable's architecture. It can be the exact same code that's not malicious, but it will see something malicious in the x86_64 compilation, but won't see anything in the x86 or ARM compilation.

In a way the antivirus considering tor.exe as a virus is more schizo than people who freak out over this.

Just an extra tidbit to calm people's schizophrenia: Malgent is essentially short for "Malware Generic Trojan", so it's not even a detection of a specific threat, just a general umbrella detection of something that might be potentially dangerous. But since VirusTotal shows only three antiviruses see a threat, it's basically a false positive.
I expect that this single case of a false positive will cause enough of a stink that either Microsoft or Tor Project will have to make a statement on what happened.
Did Microsoft fuck up with their heuristics again?
Did Tor Project fuck up because they didn't sign the .exe or they did some other weird thing?
Is Tor as a whole now literally completely compromised and everyone's computers are being accessed by federal agents? Glowniggers feds buzzwords be scared of the government it's out to get you for shitposting online?

Or maybe a single generic fuckup that happens with this shit started a mass hysteria about nothing? We'll see, this should get resolved in 1-2 days max.
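The posts above reason about the scan in three steps: how many engines fired out of how many, whether the names are generic heuristic labels (like "Malgent") or a specific family, and whether the same source built for another architecture is flagged at all. The block below is an added example that turns that triage into code; it is not code from the thread or from any antivirus vendor. Engine names other than Microsoft, the detection counts and the "x86 build" results are constructed sample data, and the list of generic-name markers is my own practical list, not a vendor's definition.

```python
"""Triage a multi-engine scan result the way a defender reads VirusTotal.

Added example, not from the original thread. Engine names, verdict strings and
the 72-engine sample below are constructed to mirror the ratio quoted in the
thread (3 detections out of 72), not real scan output.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Substrings that mark a generic or heuristic detection name rather than a named
# family. "Malgent" is Microsoft's generic trojan label, as the thread notes; the
# rest are common heuristic markers. Assumption: a practical list, not exhaustive.
GENERIC_MARKERS = re.compile(r"(generic|malgent|heur|suspicious|!ml|!mtb|agent)", re.I)


@dataclass
class Triage:
    detections: int
    engines: int
    generic_only: bool
    verdict: str


def classify_name(name: str) -> str:
    """'generic' for umbrella/heuristic labels, 'specific' for a named family."""
    return "generic" if GENERIC_MARKERS.search(name) else "specific"


def triage(results: Dict[str, Optional[str]], ratio_threshold: float = 0.1) -> Triage:
    """results maps engine name -> detection label, or None when the engine saw nothing."""
    hits = {eng: label for eng, label in results.items() if label}
    engines = len(results)
    generic_only = all(classify_name(l) == "generic" for l in hits.values())
    ratio = len(hits) / engines if engines else 0.0
    if not hits:
        verdict = "clean"
    elif ratio < ratio_threshold and generic_only:
        verdict = "likely false positive: few engines, generic/heuristic names only"
    elif ratio < ratio_threshold:
        verdict = ("low-confidence: few engines, but a specific family was named; "
                   "verify the file against the publisher's signed hash")
    else:
        verdict = "treat as malicious until the publisher's signed hash clears it"
    return Triage(len(hits), engines, generic_only, verdict)


def compare_architectures(build_a: Dict[str, Optional[str]],
                          build_b: Dict[str, Optional[str]]) -> Set[str]:
    """Engines that flag exactly one of two builds of the same source.

    A detection that depends on the compilation target rather than on behaviour
    points at a byte-pattern heuristic, which is the thread's x86_64-vs-x86 point.
    """
    flagged_a = {e for e, l in build_a.items() if l}
    flagged_b = {e for e, l in build_b.items() if l}
    return flagged_a ^ flagged_b


def sample_results() -> Dict[str, Optional[str]]:
    """Constructed sample: 72 engines, 3 detections. Only 'Microsoft' is a real vendor name."""
    results: Dict[str, Optional[str]] = {f"engine{i:02d}": None for i in range(69)}
    results.update({
        "Microsoft": "Trojan:Win32/Malgent!MTB",
        "NoNameAV-A": "Trojan.Generic.1234567",
        "NoNameAV-B": "HEUR:Trojan.Win32.Agent",
    })
    return results


if __name__ == "__main__":
    x64 = sample_results()
    x86 = {engine: None for engine in x64}  # constructed: the 32-bit build had zero detections
    t = triage(x64)
    print(f"{t.detections}/{t.engines} engines, generic_only={t.generic_only}: {t.verdict}")
    print("engines inconsistent across builds:", sorted(compare_architectures(x64, x86)))
```

The verdict strings deliberately end at "verify against the publisher's signed hash" rather than "clean": a low detection ratio lowers the weight of the alert, but only the publisher's signed checksum settles whether the bytes on disk are the ones that were released.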
 
It's a false positive. You can see the Virustotal results from other security vendors here:
The TOR browser on Windows used to run into false positives all the time. If you download the 32 bit version from the Tor website here https://www.torproject.org/download/ you will be able to bypass the issue. The Tor Browser project is one of the most audited open source projects out there so it is highly unlikely that a threat actor was able to hijack the project to include malware in it.
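Downloading from the project's own site is the right move, and the check that actually answers "is this the file they released?" is the publisher's SHA-256 list, not the antivirus verdict. The Tor Project publishes a signed list of SHA-256 sums alongside each release (to my knowledge a `sha256sums-signed-build.txt` with a detached GPG signature; confirm the current file names on the download page), so the first step is `gpg --verify` on that list, and the second is comparing the installer's digest against it. The block below is an added example of that second step, not code from the thread or from the Tor Project: it parses the plain `sha256sum` output format (64 hex characters, two spaces, file name) and reports ok, not listed, or mismatch. The installer bytes, file names and sum list are constructed inline so it runs offline.

```python
"""Verify a downloaded installer against a publisher's SHA-256 sum list.

Added example, not from the thread or the Tor Project. Assumes the list is in
`sha256sum` format: '<64 hex digits>  <filename>' per line, optionally with a
'*' binary marker before the name. Sample data below is constructed.
"""
import hashlib
import os
import tempfile
from typing import Dict

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_sum_list(text: str) -> Dict[str, str]:
    """Return {filename: sha256_hex}. Rejects malformed digests so a truncated
    or corrupted sum list fails loudly instead of silently verifying nothing."""
    sums: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<sha256>  <filename>'")
        digest, name = parts
        name = name.lstrip("*").strip()  # GNU coreutils marks binary mode with '*'
        if len(digest) != 64 or any(c not in HEX_DIGITS for c in digest):
            raise ValueError(f"line {lineno}: malformed SHA-256 digest")
        sums[name] = digest.lower()
    return sums


def sha256_file(path: str) -> str:
    """Stream the file so a multi-hundred-megabyte installer is not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, sum_list_text: str) -> str:
    """Return 'ok', 'not listed', or 'MISMATCH'.

    A mismatch means the bytes on disk are not what the publisher signed for,
    whatever any antivirus engine says; 'not listed' means the file name was not
    in the list, so nothing has been verified yet (check the name, not the AV).
    """
    sums = parse_sum_list(sum_list_text)
    expected = sums.get(os.path.basename(path))
    if expected is None:
        return "not listed"
    return "ok" if sha256_file(path) == expected else "MISMATCH"


def demo() -> Dict[str, str]:
    """Constructed scenario: a genuine installer, a tampered copy of it, and an unlisted file."""
    genuine = b"constructed installer bytes (not a real binary)"
    tampered = genuine + b"\x00appended after download"
    # Constructed sum list: only the 64-bit installer is listed.
    sum_list = f"{hashlib.sha256(genuine).hexdigest()}  installer-win64.exe\n"
    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as bad:
        good_path = os.path.join(good, "installer-win64.exe")
        bad_path = os.path.join(bad, "installer-win64.exe")
        other_path = os.path.join(good, "installer-win32.exe")
        for p, data in ((good_path, genuine), (bad_path, tampered), (other_path, genuine)):
            with open(p, "wb") as f:
                f.write(data)
        results["genuine"] = verify_download(good_path, sum_list)
        results["tampered"] = verify_download(bad_path, sum_list)
        results["unlisted"] = verify_download(other_path, sum_list)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

Run it as `python verify_download.py`; for a real download, pass the installer path and the contents of the signature-verified sum list to `verify_download`. Note the order: the sum list is only trustworthy after its own GPG signature checks out, which is why the hash comparison is the second step and not a replacement for it.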
 
Making an exemption with Windows Defender worked as a solution for me, without using the other versions of the executable. I figured it was a false positive when I first saw it too.
 
Sounds like a Windows skill issue.

While I take the opportunity to shit on people still using Windows in the Year of Our Lord 2023, this is spooky and worrying. I suspect foul play, but given this is MS, incompetence is perfectly valid as well.
 