Some exit relays are considered as bad exits. They might listen in your traffic, change your traffic etc. Tor does not choose them (as long as you don't explicitly allow it).
How would TOR know that some exit nodes are "bad" and have ways to monitor or manipulate the traffic routed through them?
A few resources about how they did it:
Bad relay work and:
Do you actively look for bad relays?
Yes. For our automated issue detection see exitmap and sybilhunter.
Other monitors include tortunnel, SoaT, torscanner, and DetecTor.
And if they have such knowledge, why are those nodes not removed and blacklisted?
As on
Criteria for rejecting bad relays, in short, there is a difference between misconfigured exit relays and malicious relays, the former will not be directly removed from the network since it rather can be used as a guard(entry) or middle relay, and the latter, it will immediately be removed.