Slashdot Mirror


Storm Worm Evolves To Use Tor

An anonymous reader writes "Seems like the Storm botnet that was behind the last two waves of attacks is also responsible for this new kind of social-engineering based attacks, using spam to try and convince users of the necessity of using Tor for there communications. They 'kindly' provide a link to download a trojaned version of Tor. This blog entry has a link to the original post on or-talk mailing list which has some samples of the messages."

9 of 182 comments

  1. Re:Are we late to the party? by Urd.Yggdrasil · · Score: 5, Informative

    They aren't using Tor to hide their traffic, they're trying to trick users into downloading a Trojan by saying that it is a Tor executable and they need it to protect their privacy. The Storm botnet uses a system called Fast Flux to hide traffic.

  3. Re:Who are the stormbot people? by Urd.Yggdrasil · · Score: 5, Informative

    The group running the system is taking precautions to avoid detection, such as using Fast Flux. Also, it is speculated that they are in a former Soviet bloc country, which tend to have very poor laws and few resources to go after such people.

  4. Re:Spelling... by Anonymous Coward · · Score: 1, Informative

    "there" looks to be spelled correctly to me.... I think you could use the spell checker and the previous poster could use a lesson in grammar: "there" vs. "their" :)

  5. Re:Spelling... by RAMMS+EIN · · Score: 1, Informative

    "using spam to try and convince users of the necessity of using Tor for there communications.

    It took me a second to understand what the author meant. Spell-checking, anyone?"

    Wouldn't help here. It's a correctly spelled word...just not the right word.
    --
    Please correct me if I got my facts wrong.
  6. Re:Spelling... by Anonymous Coward · · Score: 1, Informative

    It looks like a variation on the "Use XXX Bank" theme to me. The spam mail looks like this:

    -8<-8<-8<-
    Do you trade files online? Then they will come after you. Read the news on
    RIAA and what they are doing to everyone they find. Tor will keep them
    from finding you. Keep the internet private and down load our program for
    free. <a href="http://69.255.111.145/">Download Tor</a>
    -8<-8<-8<-

    The tor.exe file isn't a real tor executable, but it contains the storm trojan instead.

  7. Re:Ummm. by Silver+Sloth · · Score: 2, Informative

    For instance, is there a possibility that this is a military operation? No, this is private enterprise at its best - the high tech goes where the money is.

    What is surprising is that it's taken so long for the spammers to realise that by investing in a high tech, well engineered solution they can make far more money than the low tech solutions we've seen in the past.
    --
    init 11 - for when you need that edge.
  8. There was such an anti-worm worm... by Bananatree3 · · Score: 2, Informative

    The Nachi worm was written to search out computers infected with the now-famous Blaster worm and patch the computer with a Microsoft patch. It replicated itself around the world, and once the patch had been implemented and the Blaster worm deleted, it deleted itself. Unfortunately it created a heck of a lot of traffic on infected networks, which slowed them down considerably.

  9. This is *not* using the Tor network or software by shava · · Score: 5, Informative

    This attack is not using our network or our software, only abusing our reputation. We sent this release to slashdot and others, days ago:

    ====
    The Tor Project, a US non-profit organisation producing Internet
    privacy software, is issuing an urgent warning about a spam email
    being circulated as a fake promotion for their software.

    The real Tor software provides privacy on the Internet to journalists,
    bloggers and human rights activists all over the world. The spam email
    promotes the virtues of the software, but then directs people to a
    series of fake websites that contain malicious code that will attempt
    to take over visiting machines, and the downloaded software is fake
    and equally dangerous to run.

    The real website is hosted at http://tor.eff.org/ and the Tor
    software can be downloaded from there. Users are able to check that
    they have received the official version by following the instructions
    at: http://wiki.noreply.org/noreply/TheOnionRouter/VerifyingSignatures

    Shava Nerad, Development Director for the Tor Project said, "I am
    disgusted that criminals who want to recruit more machines for their
    illegal activities should trade on our reputation for providing
    privacy on the Internet. Fortunately we already have systems in place
    so that people can verify that they are downloading the official
    software. But this is a distraction from our work that we could do
    without."
    ====

    This stuff makes us sad. But you won't even get a trojanned client, just a trojan. And the page you click through to will try to exploit holes in your browser security, so don't even click through.

    Yrs,
    Shava Nerad
    Development Director
    The Tor Project
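Detection logic for the lure described in comments 6 and 9, as an added example that is not from any of the posters above: flag mail links that advertise a Tor download but point anywhere other than the official host named in the Tor Project's release. The sample message is reconstructed from the spam quoted in comment 6; the set of official hosts is an assumption taken from that release.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Assumption: the only official download host is the one named in the
# Tor Project release quoted above.
OFFICIAL_HOSTS = {"tor.eff.org"}

# Match <a ... href=...>text</a>, tolerating attributes in any order and a
# tag broken across lines (as in the quoted spam).
ANCHOR_RE = re.compile(
    r'<a\s+[^>]*?href\s*=\s*["\']?([^"\'\s>]+)["\']?[^>]*>(.*?)</a>',
    re.IGNORECASE | re.DOTALL,
)
TOR_WORD_RE = re.compile(r"\btor\b", re.IGNORECASE)


def _is_ip_literal(host):
    """True if the host part of a URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_tor_links(body):
    """Return (href, reason) pairs for links whose text trades on the Tor
    name but whose host is not an official Tor download site."""
    findings = []
    for href, text in ANCHOR_RE.findall(body):
        if not TOR_WORD_RE.search(text):
            continue  # link does not pose as a Tor download
        host = (urlparse(href).hostname or "").lower()
        if host in OFFICIAL_HOSTS:
            continue
        if _is_ip_literal(host):
            findings.append((href, "bare IP address instead of official host"))
        else:
            findings.append((href, "host %r is not an official Tor site" % host))
    return findings


# Constructed sample, rebuilt from the spam quoted in comment 6.
SPAM_SAMPLE = """Do you trade files online? Then they will come after you.
Tor will keep them from finding you. Keep the internet private and down
load our program for free. <a
href="http://69.255.111.145/">Download Tor</a>"""
```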