Storm Worm Evolves To Use Tor
An anonymous reader writes "Seems like the Storm botnet that was behind the last two waves of attacks is also responsible for this new kind of social-engineering-based attack, using spam to try and convince users of the necessity of using Tor for there communications. They 'kindly' provide a link to download a trojaned version of Tor. This blog entry has a link to the original post on the or-talk mailing list which has some samples of the messages."
It just makes sense, and is obvious, and a natural progression of the technology..... Hey! Maybe I should write a patent!
Dominant Meme
As always, it works based on user stupidity, not programmer stupidity.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
Anybody here taking this activity more seriously? For instance, is there a possibility that this is a military operation? Seems a lot more advanced than most of the usual spam/bot/virus stuff I read about. I hope they don't screw up TOR, especially since I'm living in more and more of a police state these days (US).
I hold very few opinions. I hold information based on observation and fact. If you wish to disagree, please use facts.
If some of their hijacked machines become tor nodes (either kind) this could be helpful. It would allow for more bandwidth through tor and reduce the fraction of nodes run by the NSA making traffic analysis harder.
Speaking on topic, I'd like to correct one of the previous posters: it's not a mere variation on the "Use XXX Bank" theme; as far as I understand, Tor has been picked among tons of other software that could be infected and supplied to users because it helps the spammers in covering their tracks, since their email is routed through Tor now.
While the article does contain a lot of speculation and sketchy sources (like the above quoted Azizov) the evidence does seem to be pointing in a particular direction:
It's starting to look an awful lot like another Cold War is coming, except this time it will be a Cyber war waged by turning your enemy's (and the rest of the world's) poorly secured computers against their critical infrastructure while the actual government absolves itself of blame. Nice.
DJ kRYPT's Free MP3s!
Yeah, if people would do crazy shit like that then we'd have botnets consisting of billions of computers... oh wait.
Seriously, somewhere, there ought to be a way of tracking the stormbot people back to its originators. From there, you can just send in a special forces team and just whack the guys. If one nation allows its citizens to hijack the assets of millions of another nation's citizens, isn't that just piracy by any other name, and if so, isn't that kind of an act of war?
This is my sig.
it is easier to infiltrate there[sic] communications.
There are places where the networks are not touching, and there are places where they are. -Boeing's Lori Gunter
seems kinda familiar.
The Storm worm isn't using Tor.
The spam email in question tells the reader that, if they are running torrents, they should use this Tor thing to cover their tracks. The link points to the trojan. The file in question is about 150K in size, or about 20x smaller than the Windows version of Tor (2-3 MB) on the actual site.
I posted a warning about this very email on a well-known anime site since I suspected some people there might download it in response to the e-mail.
There's also a version that poses as a YouTube video.
Most of these emails have URLs that use IP addresses, not domain names. Between my SpamAssassin rules and Mozilla Thunderbird's built-in anti-malware protections, messages like these are either quarantined or tagged as dangerous. I've not seen a legitimate email from any correspondent that uses URLs with IP addresses in the host part.
I opened the YouTube version in a Windows VM that had Kaspersky installed. It identified an attempted replacement of tcpip.sys and told me it should be quarantined. Unfortunately a ClamAV scan of the file did not detect anything suspicious.
That's "their", you idiot.
I'm wondering if these emails were partially inspired by a Slashdot post. Assuming I'm remembering it correctly, there was a story here about possibly spamming people in China and other internet-restricted places telling them about anonymous proxies, Tor, and other tools to get around gov't censorship.
That's what I was thinking when I first got one of these emails. I thought that someone went ahead and actually sent out the privacy-oriented spam. Tor is something that your ordinary Pogo-playing, pr0n-surfing user isn't going to know about, so why use Tor in a phishing, bot-infection scenario?
Still strikes me as odd that they would use Tor as the bait. You'd think they would have picked something more appealing to the masses.
...that it's akin to closing the barn door after all your livestock's gone out it.
In order for pretty much all Anti-Virus software to work, you're skimming for signature patterns in the bytes that leave a tell-tale for the software to "identify" it. It's always lagging by a bit, by the reality of the situation, so it's truly a reactive solution to a problem that needs more of a proactive one.
That's not to say that the software is not useful for detection of attacks (much like an IDS is for networking...) but that to rely on it solely as most people in the Windows world do is really being foolhardy. It is only as good as the signature files are, and a Zero Day or a tough-to-catch mutator spells the kinds of problems we're seeing right now.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
I love how they use words like 'evolve' to describe the actions of programs and viruses, it makes the internet seem like a primal battleground.
Good sigs are hard to think of, bad sigs are a waste of time, that is why I invented, this lousy rhyme.
The killings are "down" in that each section has pretty much killed everyone they didn't like in that section. Or the people that were being targeted have run away.
But warlordism is not a basis for a stable country. Which is why Iraq's "government" is completely ineffectual.
Try addressing their specific points rather than dismissing them because of an "ideology" that you ascribe to them.
Sure you are. Always the anonymous sources.
And when he fails, the next general will be the one "we should have had from the get go".
And when that one fails, the general after him will be the one.
Repeat until we, eventually, leave.
Again, give one side enough time and it will settle down because it will have killed everyone it doesn't like.
It's called "warlordism" and it does not make for a stable government.
The Kurds have been fairly peaceful ever since we established the "no fly zones" over their territory after Gulf War I. So don't go claiming that that is any improvement.
Now it is just over who controls the oil fields and who gets stuck with the worthless territory.
That is what you are advocating right now.
That is what you are touting as the "success" here.
Gotta love that kind of insightful commentary.
My suggestion:
Set up a nationwide network of community educators. Local organizers in a particular community who get a group together to distribute pamphlets, door-to-door visitations, etc. Sure it's time consuming, takes money to print stuff. But simply sending letters in the mail or broadcasting this kind of information on the news media isn't going to hit it home. Develop small catch phrases that get the idea across and stick. Sure, some people won't give a shit and will continue to download crap from spam messages even after being told not to. This is where I think ISPs should become vigilant about cutting access to their internet and give them help in cleaning their computer (either with patches, a live-CD, etc.).
Which is why any AV worth its salt is adding virtual machine heuristics. Some like Kaspersky are even integrating HIPS in their pro-active detection module.
If the command and control and updating is done via peer to peer instead of a centralized server, why has nobody created a "Vaccine" that would spread itself back to all the infected nodes. The code can't be that hard to crack to determine how to insert new functionality into the infected hosts. Just inject a new command to spread this update to all your peers and after you succeed, close down all of the command and control vectors. Cleanup and fixing the holes originally used for infection would clearly be useful too, but unnecessary to contain the damage. Really there are tons of things you could do.
I mean this might create an "arms race" where they continue to lock down access to the botnet, but I would love to see the looks on their faces when large sections of the botnet stop responding to commands.
Seriously as "Brilliant" as these guys are I guarantee there are probably people smarter that can crack their network. I know what I am talking about is probably not legal, but it surely is ethical.
There are several ways spammers get emails. They can do massive internet searches for emails and harvest them that way (if you post on USENET with your email addy it's almost guaranteed to be spammed). They also guess a username and if it doesn't bounce back they know they've got a hit.
The Nachi worm was written to search out computers infected with the now-famous Blaster worm and patch the computer with a Microsoft patch. It replicated itself around the world, and once the patch had been implemented and the Blaster worm deleted it deleted itself. Unfortunately it created a heck of a lot of traffic on infected networks, which slowed them down considerably.
Railway and freight hauler CSX had to stop trains because of the Nachi worm, the Associated Press reported.
Airline Air Canada canceled flights on Tuesday because its network couldn't deal with the amount of traffic generated by the Nachi worm.
Though it cleared out the blaster worm, it created a hell of a lot of damage itself by the mere fact that it clogged networks with traffic.
gets a sneak peek at Slashdot headlines:
"hmmm, what is going on in the far off fantastical future of 2007?"
Bringing Science and Math Into Writing?
"Ah, an age old problem"
Libraries Defend Open Access
"Some sort of Fahrenheit 451 situation? has the government gone fascist? or the russians won the cold war?"
New Legislation Proposed For Nuclear Safety
"Ah! Chernobyl is still fresh in their minds! At least it seems we didn't nuke each other"
Storm Worm Evolves to Use Tor
"SWEET JESUS! DUNE IS REAL!? AND IN CAHOOTS WITH THE SCANDINAVIAN GODS? WHAT SORT OF SCIFI FANTASY FUTURE IS THIS!"
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Perhaps we could make the distinction clear this way: A machine that sells soft drinks is often referred to as a 'vender', while the guy selling hot dogs is more likely to be called a 'vendor'. With that in mind, I have toyed with a similar convention for other verb+er nouns:
It's got as good a chance of adoption as *bibyte does. Now, if Cmdr Taco could just get editors who actually EDIT... Oh. He's the 'editor' who ran this story? Never mind.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
As you point out, an antibotnet worm spreading across the 'net would be not be nearly as much traffic as portscanning as the IP addresses are already known. I agree it is possible. The complexities of taking sections of the net offline though without the botnet owners noticing and dynamically patching the rest of the 'net are incredibly difficult though. It would be an incredibly complex game of cat and mouse, but it is possible.
storm=skynet
This sounds a little stupid to me, as the kind of privacy-aware person who'll want to use Tor is also the kind of person who'll have Anti-Virus software and won't fall for classic malware tricks.
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
Storm isn't using TOR; it claims its installer is a TOR proxy. C'mon, malware has been claiming to be something useful for ages, why's this news?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
install a trojan-infested Tor?
Actually, if you're using an unpatched browser, you might not even have to download the file they offer to be infected. The web page includes Javascript exploits for half a dozen security vulnerabilities, which will install the trojan without user interaction. I've posted an analysis of the malware code on my blog.
Despite what the article says, Storm isn't using Tor (other than trying to exploit its reputation) and the download isn't a trojaned version of Tor – it's much too small to be that. What's more, the botnet operators appear to have dropped this strategy. While on Thursday the links in the spam went to a fake Tor download page, on Friday they showed a fake YouTube video, and now they show a fake NFL game tracker.
Steven Murdoch.
web: http://www.cl.cam.ac.uk/users/sjm217/
Your link didn't work.
This attack is not using our network or our software, only abusing our reputation. We sent this release to slashdot and others, days ago:
====
The Tor Project, a US non-profit organisation producing Internet
privacy software, is issuing an urgent warning about a spam email
being circulated as a fake promotion for their software.
The real Tor software provides privacy on the Internet to journalists,
bloggers and human rights activists all over the world. The spam email
promotes the virtues of the software, but then directs people to a
series of fake websites that contain malicious code that will attempt
to take over visiting machines, and the downloaded software is fake
and equally dangerous to run.
The real website is hosted at http://tor.eff.org/ and the Tor
software can be downloaded from there. Users are able to check that
they have received the official version by following the instructions
at: http://wiki.noreply.org/noreply/TheOnionRouter/VerifyingSignatures
Shava Nerad, Development Director for the Tor Project said, "I am
disgusted that criminals who want to recruit more machines for their
illegal activities should trade on our reputation for providing
privacy on the Internet. Fortunately we already have systems in place
so that people can verify that they are downloading the official
software. But this is a distraction from our work that we could do
without."
====
This stuff makes us sad. But you won't even get a trojaned client, just a trojan. And the page you click through to will try to exploit holes in your browser security, so don't even click through.
Yrs,
Shava Nerad
Development Director
The Tor Project
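The verification step the release points to can be scripted. What follows is an added example, not code from the Tor Project or from anyone in this thread: it checks a downloaded installer against a published digest list in `sha256sum` format and applies the size sanity check raised earlier in the thread (a genuine Windows Tor build of 2-3 MB versus a roughly 150 KB trojan). Tor's own instructions use GPG signatures on the download; a hash manifest is a simpler stand-in used here so the example runs offline. The file contents, the digest list, the filename `tor-installer.exe` and the 2 MB to 8 MB size window are all constructed for the example.

```python
import hashlib
import hmac

# Size window for a genuine Windows Tor installer. Assumption for this example,
# loosely based on the "2-3 MB" figure quoted in the thread; adjust per release.
MIN_SIZE = 2 * 1024 * 1024
MAX_SIZE = 8 * 1024 * 1024


def parse_checksums(text):
    """Parse sha256sum-style lines ('<64 hex chars>  <filename>') into a dict."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        digest = digest.lower()
        hex_ok = len(digest) == 64 and all(c in "0123456789abcdef" for c in digest)
        if not sep or not hex_ok or not name:
            raise ValueError(f"malformed checksum line: {raw!r}")
        table[name.lstrip("*")] = digest  # sha256sum marks binary files with '*'
    return table


def verify_download(name, data, checksums):
    """Return a list of problems; an empty list means the file checks out."""
    problems = []
    if not MIN_SIZE <= len(data) <= MAX_SIZE:
        problems.append(
            f"size {len(data)} bytes is outside the expected {MIN_SIZE}-{MAX_SIZE}")
    expected = checksums.get(name)
    if expected is None:
        problems.append(f"no published digest for {name!r}")
    else:
        actual = hashlib.sha256(data).hexdigest()
        # compare_digest does not short-circuit on the first differing byte;
        # == would work for a local file, but this is the habit to keep.
        if not hmac.compare_digest(actual, expected):
            problems.append(
                f"sha256 mismatch: expected {expected[:16]}..., got {actual[:16]}...")
    return problems


# --- Constructed test material (not real Tor files or real digests) ---
OFFICIAL_BUILD = bytes(range(256)) * (10 * 1024)          # 2.5 MB of filler
TROJAN_DROPPER = b"MZ" + b"\x00" * (150 * 1024 - 2)        # ~150 KB, like the spam's file
TAMPERED_BUILD = OFFICIAL_BUILD[:-1] + b"\x01"             # right size, one byte changed

# In practice the digest list comes from the project's site over a trusted
# channel; here it is generated from the constructed "official" bytes.
CHECKSUM_LIST = (
    "# SHA256 digests for the Windows bundle (constructed example)\n"
    f"{hashlib.sha256(OFFICIAL_BUILD).hexdigest()}  *tor-installer.exe\n"
)
CHECKSUMS = parse_checksums(CHECKSUM_LIST)


def main():
    for label, blob in [("official", OFFICIAL_BUILD),
                        ("spam download", TROJAN_DROPPER),
                        ("tampered", TAMPERED_BUILD)]:
        problems = verify_download("tor-installer.exe", blob, CHECKSUMS)
        verdict = "OK" if not problems else "REJECT: " + "; ".join(problems)
        print(f"{label:14s} {verdict}")


if __name__ == "__main__":
    main()
```

Run as a script it reports the constructed official build as OK, rejects the 150 KB dropper on both size and digest, and rejects the tampered copy on digest alone. The size check is only a cheap first filter; the digest (or, with the real Tor instructions, the GPG signature) is the check that actually matters.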
This might have been going on for a while: I've noticed an increase in usenet spam with subjects relating to anonymity in several usenet newsgroups.
It seems to have been going on for several weeks in some newsgroups, but around the first of this month it's started to turn up in groups that were "clean" before, and the number of spams per group seems to be higher than before (much higher, in some groups).
I haven't followed any of the links, but the variety of URLs seems to indicate a multitude of throw-away servers - i.e. a botnet, or at least a lot of throw-away domain names (I just took a look at some more messages, and haven't found two that 'advertized' the same URL).
It could be the same gang.
First off, the BBC's bias is legendary and self admitted.
http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=411846&in_page_id=1770
They admit they are biased liberals because they feel that their view of society is intrinsically better. It doesn't mean that you can't just not listen to them, any more than you would tune out Fox. It just means that you need to know what their agenda is, and not take what they say without a grain of salt.
Sure you are. Always the anonymous sources.
As opposed to you, merely making things up, to suit your political agenda.
This is my sig.
So if the Storm botnet installed Tor on all of their machines would they effectively have the plurality to compromise the anonymity of the Tor network?
I've read that IPv6, because it includes the MAC, could theoretically help this. But is that true? Could the MAC be spoofed? Or, could an ISP include coupling hardware that validates the MAC and the packet sent are the same? Theoretically, you could require that in network hardware manufacturing, so that a NIC Card would not be allowed to transmit a packet with an address that wasn't from it. But would that be enough?
Even if you weren't ideologically predisposed to sending in the SEALs to whack people for sending out spyware, you could at least block the source traffic and then gradually clean up the already infested machines or rob them of command and control without firing a shot.
I just get enraged by all of these attacks as, honestly, giving money to security people is a sort of a trampling of my job and freedom. The internet is reduced to, our "white warlords" versus their "black warlords", and I think this arrangement is total crap. I can't stand the world where we can't send EXE's as attachments and even images are suspect because I remember how cool the internet was when you could.
This is my sig.
Oh come on! You aren't a real programmer. Everyone knows the binary is the source code. My uncle eddy doesn't even need those fancy disassemblers or debuggers. He edits memory by looking at LEDs and flipping dip switches. Now that is a real programmer.
If they add a large number of trojaned Tor clients to the network, it will undermine the privacy of Tor communications and allow things like traffic analysis.
This isn't necessarily a ploy to use Tor, this may be a ploy to compromise Tor.
Any chance that storm might be the work of a government?
Botnets to slow down Tor, that's just great. Why don't some of these botnets morph their nets INTO a Tor-like device? That way we would all benefit from the giant mesh-tor-nets..
Kill your TV
Human beings modify them, fix bugs, and upgrade them. Be it a computer virus, spreadsheet, or operating system.
Sometimes they intentionally break them.
But they don't spontaneously "evolve", "mutate", or any other such thing.
Christ.
I am very small, utmostly microscopic.
Kids these days...
---
It's the perfect description of how the attacks are responding to changes in their operating environment, and developing gradually into more complex forms. And you're more correct than you give yourself credit for: the Internet is in fact a primal battleground, between criminals intent on exploiting weaknesses wherever they can find them, and security professionals and honest users trying to play catch-up. The Storm botnet is a frightening new development, and I must say that, as a former military man, I immediately thought of a number of ways that such a powerful grid could be used for covert or direct action against potential or real adversaries. And no, I won't say what I came up with; you can imagine scenarios for yourselves, but the Russia-Estonia cyberwar was only a minor foretaste.
There are many, many people in military service whom I consider much more intelligent than me, and much more amoral as well. I can guarantee that the military and intelligence communities worldwide thought about this years ago, and I'd be willing to bet your personal freedom that military botnets have existed for a long time unknown to most, lurking like unseen leviathans in deep, dark water, and doing things not worth thinking about if you want to sleep at night. More terrifying to me is the thought of a mercenary botnet offering its services to rogue states or terrorist organizations, and focusing its power against its enemies. This is an incredibly cost-effective way to wage supremely damaging warfare.
Gmail does not allow you to send executable files. I don't think it allows you to receive them either though I'm not certain about that. Legitimate sends of executables by email are probably a very small portion of email so wouldn't it make sense for most email providers to block it at the server? It wouldn't even affect those of us who want to mail ourselves a copy of putty or something as you can just put it in a password protected rar file and mail that. (That's what I do if I ever need to send myself a prog on gmail. either that or truecrypt)
Apart from user stupidity, is Windows to blame for this situation? If Windows had a better security model, would there be such problems?
Can a massive lawsuit against Microsoft work?
I mean, their download link is torjan.exe!
This sig left intentionally blank.
I don't think such a lawsuit against Microsoft would work, granted the legions of lawyers at their disposal. Also the fact that the user is in fact at fault, though unknowingly, for letting it in.
A zero-day worm infection, which have happened before, in my opinion may be successful. In that case there is no patch for the hole, and if Microsoft knows about it they may be at risk if they don't immediately patch it. However I am not a lawyer, and trying to fight such a battle in court against Microsoft would surely cost hundreds of thousands to millions of dollars given the legal resources they have.
I'm sure that the people of the Republic of Estonia would wholeheartedly agree with you that it's just "a fucking computer network". That is, until their entire electronic infrastructure locked up tight for two whole weeks and as far as the rest of the world was concerned, Estonia simply vanished from the Internet. And they couldn't do a goddamned thing about it. A nuclear weapon is just a hunk of enriched uranium and triggering explosives mixed with a bunch of electronics in a metal casing. It's the intent of the owner we have to worry about, not the weapon itself.
Obviously you're just another mouth-breathing cretin hiding out in his mother's basement wanking to Internet porn, but you can't possibly be so fucking stupid as to think that things that can seriously hurt you don't exist just because you don't believe in them. Have you been following the activities of the Storm botnet, or are you just farting from the neck? Storm is a whole new ballgame moron, and clearly you belong to the head-in-the-sand variety of dolt, the type who thinks that it'll just go away if we don't talk about it, and that anyone who raises the more disturbing possibilities is spreading "movie drama crap".
And yes, I do know what the fuck I'm talking about; I still have friends deep in the U.S. Army IT command infrastructure whose very jobs involve countering exactly such threats, and envisioning potential threat scenarios that would make your atrophied scrotum wrinkle. And it damned sure ain't "movie drama crap", as you so charmingly put it. Now go back to jacking off on your Brittney posters; adults are trying to have a discussion here.
I apologize for using such strong remarks. Feelings for me run higher about the world than I want to realize.
For me, I think we shouldn't have done it, not in 1991, and not in 2003. The whole Iraq situation since 1991, from the original decision to let Saddam off the hook to the ridiculous sanctions which only starved the Iraqi people, to the invasion and its aftermath has been a continuous American disaster and at this point I'm more than done with the idea of the USA as the policeman of the world.
It's simply not worth it.
I want to "win" in Iraq, so that we can save national pride, but after that, I want -out- of every military alliance the USA is in. Jack up the size of the Navy and the Air Force, and then pull the troops out of Asia, Europe, the Middle East or wherever they may be. The system of alliances the USA finds itself in is absurd. We'll go and fight to help every country of the world in its wars, but, somehow, except for the UK, no country of the world does anything significant to help the USA fight -its- wars.
Furthermore, let's accept that the left wing premise is correct, that you cannot impose democracy at the barrel of a gun, then, the entire notion of Americans providing stability to Europe or Asia is a sham. The people of the world can choose what they want to do, and they don't need American soldiers to act as trip wires. If South Korea wants to disarm in hopes North Korea will suddenly be nice, it's not up to the USA to pick up the slack. Same with Europe. If Russia wants to start bullying Europe, it's not an American problem.
I'm really sick of sitting and hearing about all these "American problems" in other parts of the world, but when I look around, I see plenty of American problems at home. Our national infrastructure is falling apart, we have huge energy issues, and instead, we blow billions each year to give the rest of the world warm and fuzzies about their security while at home our own people don't even feel secure about their jobs, let alone future.
I keep hearing how the rest of the world now hates the USA.. Fine. I don't really know that I like the rest of the world either, but we can remain trading partners and keep the free trade, as it does benefit both. Through trade, maybe we'll be friends again. But, let's not put American soldiers and American taxpayer dollars on the line to provide a security blanket for the world that hates us. That's just stupid. Putin, Chavez, the heads of Iran and North Korea and sometimes China, the petty dictators of lore in the former Soviet Republics, not one of those evil guys is an American problem. They are dicks, so what. But, let's focus on making money at home first.
This is my sig.
They're not using Tor, and you know it. They're using a trojan that disguises as Tor. (They're probably using Tor internally, but that's clearly not what this is about.)
Doesn't Microsoft have some responsibility in stopping their OS from being used in a criminal botnet? Can't they, or anyone else for that matter, create a counter-worm (or virii or whatever) which spreads over the net much like other worms or virii, enters Windows-systems through some unpatched security hole, scans for and deletes the worm, and while it's at it, patches the security hole it came through? Is there anything that keeps this approach from being effective? Obviously windows update and AV software requires too much involvement from the user to be an effective protection for everyone.
If nothing else it might be entertaining to follow the results from the colossal worm-vs-anti-worm battle that would ensue.
Why haven't you married me?
Regex for your mail filter of choice.
https?://\d{1,3}(?:\.\d{1,3}){3}(?![\w.])
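As an added example (not from the poster above, and not a SpamAssassin rule), here is the same check done in Python by parsing the URL instead of matching digits and dots: it asks whether the host part of each URL is a literal IP address, which also catches the `http://tor.eff.org@203.0.113.5/` userinfo trick and a bracketed IPv6 host, and does not flag a hostname that merely starts with digits or an IP that appears in the path. The sample messages and addresses (RFC 5737 and RFC 3849 documentation ranges) are all constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample messages; the addresses are documentation ranges,
# not anything seen in the real Storm spam.
SAMPLES = {
    "fake tor":       "Hide your torrents! Get Tor here: http://192.0.2.17/tor.exe",
    "fake youtube":   "LOL see this http://198.51.100.9:8080/video.php?id=42 now!!",
    "userinfo trick": "Official download: http://tor.eff.org@203.0.113.5/download.html",
    "ipv6 host":      "Mirror http://[2001:db8::1]/tor.exe",
    "legit":          "Get Tor from http://tor.eff.org/ and verify the signature.",
    "digits in host": "Mirror: http://1.2.3.4.example.com/tor.exe",
    "ip in path":     "Read http://example.com/abuse/192.0.2.1.html for details.",
}

# Crude URL tokenizer: everything after http(s):// up to whitespace or a quote/bracket.
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
TRAILING_PUNCT = ".,;:!?)"


def ip_host_urls(text):
    """Return the URLs in text whose host is a literal IPv4 or IPv6 address."""
    hits = []
    for url in URL_RE.findall(text):
        url = url.rstrip(TRAILING_PUNCT)
        try:
            host = urlsplit(url).hostname   # drops userinfo, port and [] brackets
            if host is None:
                continue
            ipaddress.ip_address(host)      # ValueError unless host is an IP literal
        except ValueError:                  # not an IP, or an unparseable URL
            continue
        hits.append(url)
    return hits


def is_suspect(text):
    """True if the message carries at least one URL with an IP-address host."""
    return bool(ip_host_urls(text))


def main():
    for label, body in SAMPLES.items():
        verdict = "FLAG" if is_suspect(body) else "pass"
        print(f"{verdict:5s} {label:15s} {ip_host_urls(body)}")


if __name__ == "__main__":
    main()
```

The regex above is still fine as a quick SpamAssassin `uri` test; the parsing version is what you want when the filter runs on a mail server and false positives cost you, because hostnames such as `1.2.3.4.example.com` and IPs buried in a path are exactly where a dotted-digit pattern misfires.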