Slashdot Mirror
Storm Worm Evolves To Use Tor
An anonymous reader writes "Seems like the Storm botnet that was behind the last two waves of attacks is also responsible for this new kind of social-engineering based attacks, using spam to try and convince users of the necessity of using Tor for there communications. They 'kindly' provide a link to download a trojaned version of Tor. This blog entry has a link to the original post on or-talk mailing list which has some samples of the messages."
As always, it works based on user stupidity, not programmer stupidity.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
if TOR goes down, it's likely another network would pop up in it's place.
"To stop the terrorists."
Speaking on topic, I'd like to correct one of the previous posters: it's not a mere variation on the "Use XXX Bank" theme; as far as I understand, Tor has been picked among tons of other software that could be infected and supplied to users because it helps the spammers in covering their tracks, since their email is routed through Tor now.
The Storm worm isn't using Tor.
The spam email in question tells the reader that, if they are running torrents, they should use this Tor thing to cover their tracks. The link points to the trojan. The file in question is about 150K in size, or about 20x smaller than the Windows version of Tor (2-3 MB) on the actual site.
I posted a warning about this very email on a well-known anime site since I suspected some people there might download it in response to the e-mail.
There's also a version that poses as a YouTube video.
Most of these emails have URLs that use IP addresses, not domain names. Between my SpamAssassin rules and Mozilla Thunderbird's built-in anti-malware protections, messages like these are either quarantined or tagged as dangerous. I've not seen an legitimate email from any correspondent that uses URLs with IP addresses in the host part.
I opened the YouTube version in a Windows VM that had Kaspersky installed. It identified an attempted replacement of tcpip.sys and told me it should be quarantined. Unfortunately a ClamAV scan of the file did not detect anything suspicious.
Comment removed based on user account deletion
If the command and control and updating is done via peer to peer instead of a centralized server, why has nobody created a "Vaccine" that would spread itself back to all the infected nodes. The code can't be that hard to crack to determine how to insert new functionality into the infected hosts. Just inject a new command to spread this update to all your peers and after you succeed, close down all of the command and control vectors. Cleanup and fixing the holes originally used for infection would clearly be useful too, but unnecessary to contain the damage. Really there are tons of things you could do.
I mean this might create an "arms race" where they continue to lock down access to the botnet, but I would love to see the looks on their faces when large sections of the botnet stop responding to commands.
Seriously as "Brilliant" as these guys are I guarantee there are probably people smarter that can crack their network. I know what I am talking about is probably not legal, but it surely is ethical.
There are several ways spammers get emails. They can do massive internet searches for emails and harvest them that way (if you post on USENET with your email addy its almost gueranteed to be spammed). They also guess a username and if it doesn't bounce back they know they've got a hit.
Of course, they then follow the original link from the worm and they still get the trojan. So close, and yet so far... sigh.
John
Are you kidding? If you could trace back a tor link to gaysex.com/bathroomEncounters.mpg to Senator Larry Craig's machine, don't you think TV shows like Dateline would be offering you tens of thousands of dollars for it?
John
Only if you can also trust the compiler chain.
thisnukes4u.net
Yes, but you understand the fundamental difference I hope. The Nachi worm was a worm that had to FIND infected hosts. Therefore it had to look using a port scanner which when you have thousands of machines scanning thousands of IP's creates huge amout of traffic.
In this situation, the beauty is that you don't have to create a "worm" in the classical sense. Each infected client maintains a "peer" list so all you do is "fix" it's peers, it would cause a cascade failure of the botnet and use up much much less overhead than the Nachi example.
Just because somebody can verify the code, doesn't mean I want to spend days/weeks looking through all the code in a newly downloaded program, just to verify that it isn't doing something I don't want it to, and hope that I didn't miss anything in the millions of lines of code. Do most people who use Gentoo even bother reading more than 1% of the code? Sure it's good after the fact if you find malware that you can pin it on someone, but the best way to deal with this stuff is don't run software from untrusted sources, regardless of whether or not it's open source. I'd much rather run most of my stuff out of some sort of sandbox, at least the stuff that isn't speed critical (like RDBMSs and such) so that I can monitor what they are trying to do. Things such as going on the internet should be flagged, as well as writing to certain folders. Think of it like a firewall, only for all conceivably bad actions, not just network traffic.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
"Hackers"? "Crackers"? Could we simply say "assholes" and concentrate on something meaningful? Like, finding some solution to it before our politicians get active and replace their cluelessness with operative hectic? It's fairly certain that some kind of law will be created, most likely one that has nothing to do with the problem, doesn't adress it at all, doesn't solve a thing and cripples the net.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The killings are "down" in that each section has pretty much killed everyone they didn't like in that section. Or the people that were being targeted have run away.
That's not true, particuarly, in Anbar. What happened in Anbar was that Al Qaeda was very popular because the people saw two things: a) the USA was overwhelmingly pro-shiite at Sunni expense, and that b) Al Qaeda said they were anti-American. However, Al Qaeda tried to establish a very strict brand of Islam, and started doing things like execute Iraqi Sunnis for crimes such as smoking a cigarette. Meanwhile, the USA switched its tactics, and, through a mixture of killing Al Qaeda, greasing a few palms, and outright negotations with the very Sunnis we were fighting, established the belief that we weren't out to destroy the Sunnis, and that, we were really after AQ, and that we wanted a stable Iraq. Pushing Maliki to include Sunnis was a huge part of that.
And when he fails, the next general will be the one "we should have had from the get go".
If he fails. Signs are, he has not.
The Kurds have been fairly peaceful ever since we established the "no fly zones" over their territory after Gulf War I. So don't go claiming that that is any improvement
Boy, that's a way to whitewash things. The Kurds aren't just peaceful, they are actually starting to have an economy.
Now it is just over who controls the oil fields and who gets stuck with the worthless territory.
The fact of the matter, is that the USA is pushing the Malika government to adopt something like the Alaska model for oil revenues - where every Iraqi would just get a piece of the oil money.
Gotta love that kind of insightful commentary.
My commentary is a thousand times more insightful than yours will ever be. You should really just be reading everything I write and become my disciple. I don't hold your ignorance against you. I really just want to save you, because, as a fellow human being, I kinda like you!
This is my sig.
If they add a large number of trojaned Tor clients to the network, it will undermine the privacy of Tor communications and allow things like traffic analysis.
This isn't necessarily a ploy to use Tor, this may be a ploy to compromise Tor.
Any chance that storm might be the work of a government?
IPv6 only includes the MAC if it is configured using Stateless Autoconfiguration, and if Privacy Extensions are not turned on. If it is configured using some stateful method, like DHCPv6 or a static IPv6 address, the address could be anything. Likewise, if Privacy Extensions are turned on, then Stateless Autoconfiguration will rotate among random address that don't include the MAC, but are still unlikely to collide with other hosts' addresses.
But what good does knowing someone's MAC address do you? You can identify if they switch IP's, maybe, but then what? Botnets rely on hundreds of thousands (or, in this case, millions) of machines with different addresses and ISP's, so knowing the MAC of one would not help much. If a MAC was all you had to go on, it might help, but by the time you tracked down the MAC of one host, they'd have switched through dozens of others, and there'd be no information for you on the host you tracked down.
ttuttle is a rankmaniac
You're expecting a SENATOR to be able to use TOR?
Apart from user stupidity, is Windows to blame for this situation? if Windows had a better security model, would there be such problems?
Can a massive lawsuit against Microsoft work?