Slashdot Mirror
Storm Worm Evolves To Use Tor
An anonymous reader writes "Seems like the Storm botnet that was behind the last two waves of attacks is also responsible for this new kind of social-engineering based attacks, using spam to try and convince users of the necessity of using Tor for there communications. They 'kindly' provide a link to download a trojaned version of Tor. This blog entry has a link to the original post on or-talk mailing list which has some samples of the messages."
The Storm worm isn't using Tor.
The spam email in question tells the reader that, if they are running torrents, they should use this Tor thing to cover their tracks. The link points to the trojan. The file in question is about 150K in size, or about 20x smaller than the Windows version of Tor (2-3 MB) on the actual site.
I posted a warning about this very email on a well-known anime site since I suspected some people there might download it in response to the e-mail.
There's also a version that poses as a YouTube video.
Most of these emails have URLs that use IP addresses, not domain names. Between my SpamAssassin rules and Mozilla Thunderbird's built-in anti-malware protections, messages like these are either quarantined or tagged as dangerous. I've not seen an legitimate email from any correspondent that uses URLs with IP addresses in the host part.
I opened the YouTube version in a Windows VM that had Kaspersky installed. It identified an attempted replacement of tcpip.sys and told me it should be quarantined. Unfortunately a ClamAV scan of the file did not detect anything suspicious.
Of course, they then follow the original link from the worm and they still get the trojan. So close, and yet so far... sigh.
John