Storm Worm Evolves To Use Tor

An anonymous reader writes "Seems like the Storm botnet that was behind the last two waves of attacks is also responsible for this new kind of social-engineering based attacks, using spam to try and convince users of the necessity of using Tor for there communications. They 'kindly' provide a link to download a trojaned version of Tor. This blog entry has a link to the original post on or-talk mailing list which has some samples of the messages."

Storm is still a trojan, not a worm

[A+beautiful+mind]

As always, it works based on user stupidity, not programmer stupidity.

Re:Storm is still a trojan, not a worm

[Spy+der+Mann]

As always, it works based on user stupidity

Oh no, the internet's doomed! :(

Spelling...

[rumith]

using spam to try and convince users of the necessity of using Tor for there communications. It took me a second to understand what the author meant. Spell-checking, anyone?

Speaking on topic, I'd like to correct one of the previous posters: it's not a mere variation on the "Use XXX Bank" theme; as far as I understand, Tor has been picked among tons of other software that could be infected and supplied to users because it helps the spammers in covering their tracks, since their email is routed through Tor now.

Misleading headline

[yuna49]

The Storm worm isn't using Tor.

The spam email in question tells the reader that, if they are running torrents, they should use this Tor thing to cover their tracks. The link points to the trojan. The file in question is about 150K in size, or about 20x smaller than the Windows version of Tor (2-3 MB) on the actual site.

I posted a warning about this very email on a well-known anime site since I suspected some people there might download it in response to the e-mail.

There's also a version that poses as a YouTube video.

Most of these emails have URLs that use IP addresses, not domain names. Between my SpamAssassin rules and Mozilla Thunderbird's built-in anti-malware protections, messages like these are either quarantined or tagged as dangerous. I've not seen an legitimate email from any correspondent that uses URLs with IP addresses in the host part.

I opened the YouTube version in a Windows VM that had Kaspersky installed. It identified an attempted replacement of tcpip.sys and told me it should be quarantined. Unfortunately a ClamAV scan of the file did not detect anything suspicious.

Comment removed

[account_deleted]

Comment removed based on user account deletion

My question is..

[XenophileJKO]

If the command and control and updating is done via peer to peer instead of a centralized server, why has nobody created a "Vaccine" that would spread itself back to all the infected nodes. The code can't be that hard to crack to determine how to insert new functionality into the infected hosts. Just inject a new command to spread this update to all your peers and after you succeed, close down all of the command and control vectors. Cleanup and fixing the holes originally used for infection would clearly be useful too, but unnecessary to contain the damage. Really there are tons of things you could do.

I mean this might create an "arms race" where they continue to lock down access to the botnet, but I would love to see the looks on their faces when large sections of the botnet stop responding to commands.

Seriously as "Brilliant" as these guys are I guarantee there are probably people smarter that can crack their network. I know what I am talking about is probably not legal, but it surely is ethical.

Re:Are we late to the party?

[plover]

Because the modestly intelligent person you are hoping for might think, "This says to install tor, let me open a new window and google for it. Hey, this tor thing looks pretty good!" It's the sort of reaction we encourage people to have, to do some research before installing.

Of course, they then follow the original link from the worm and they still get the trojan. So close, and yet so far... sigh.