Storm Worm Evolves To Use Tor
An anonymous reader writes "Seems like the Storm botnet that was behind the last two waves of attacks is also responsible for this new kind of social-engineering based attacks, using spam to try and convince users of the necessity of using Tor for their communications. They 'kindly' provide a link to download a trojaned version of Tor. This blog entry has a link to the original post on or-talk mailing list which has some samples of the messages."
It just makes sense, and is obvious, and a natural progression of the technology..... Hey! Maybe I should write a patent!
Dominant Meme
As always, it works based on user stupidity, not programmer stupidity.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
if TOR goes down, it's likely another network would pop up in its place.
"To stop the terrorists."
Speaking on topic, I'd like to correct one of the previous posters: it's not a mere variation on the "Use XXX Bank" theme; as far as I understand, Tor has been picked among tons of other software that could be infected and supplied to users because it helps the spammers in covering their tracks, since their email is routed through Tor now.
While the article does contain a lot of speculation and sketchy sources (like the above quoted Azizov) the evidence does seem to be pointing in a particular direction:
It's starting to look an awful lot like another Cold War is coming, except this time it will be a Cyber war waged by turning your enemy's (and the rest of the world's) poorly secured computers against their critical infrastructure while the actual government absolves itself of blame. Nice.
DJ kRYPT's Free MP3s!
Yeah, if people would do crazy shit like that then we'd have botnets consisting of billions of computers... oh wait.
Seriously, somewhere, there ought to be a way of tracking the stormbot people back to its originators. From there, you can just send in a special forces team and just whack the guys. If one nation allows its citizens to hijack the assets of millions of another nation's citizens, isn't that just piracy by any other name, and if so, isn't that kind of an act of war?
This is my sig.
it is easier to infiltrate there[sic] communications.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
What is surprising is that it's taken so long for the spammers to realise that by investing in a high tech, well engineered solution they can make far more money than the low tech solutions we've seen in the past.
init 11 - for when you need that edge.
The Storm worm isn't using Tor.
The spam email in question tells the reader that, if they are running torrents, they should use this Tor thing to cover their tracks. The link points to the trojan. The file in question is about 150K in size, or about 20x smaller than the Windows version of Tor (2-3 MB) on the actual site.
I posted a warning about this very email on a well-known anime site since I suspected some people there might download it in response to the e-mail.
There's also a version that poses as a YouTube video.
Most of these emails have URLs that use IP addresses, not domain names. Between my SpamAssassin rules and Mozilla Thunderbird's built-in anti-malware protections, messages like these are either quarantined or tagged as dangerous. I've not seen a legitimate email from any correspondent that uses URLs with IP addresses in the host part.
I opened the YouTube version in a Windows VM that had Kaspersky installed. It identified an attempted replacement of tcpip.sys and told me it should be quarantined. Unfortunately a ClamAV scan of the file did not detect anything suspicious.
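The heuristic the comment above describes, flagging mail whose links use a bare IP address as the host, is easy to reproduce outside SpamAssassin. The following is an added example, not code from the commenter or from SpamAssassin; the sample messages are constructed here and use documentation address ranges, and the function names are my own.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed sample bodies (label, text); none are real spam from the thread.
SAMPLE_MESSAGES = [
    ("tor_lure", "Running torrents? Hide your tracks with Tor: http://203.0.113.45/tor.exe"),
    ("video_lure", "Your friend sent you a clip http://198.51.100.7:8080/video.php?id=42 watch now!"),
    ("legit", "The official build is at https://tor.eff.org/download.html (check the signature)."),
    ("v6_lure", "Patch available: http://[2001:db8::1]/update.exe"),
]

# Matches http/https/ftp URLs up to the first whitespace or quote character.
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+", re.IGNORECASE)


def ip_literal_urls(text):
    """Return every URL in text whose host part is an IPv4 or IPv6 literal."""
    hits = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)")  # strip trailing punctuation
        host = urlparse(url).hostname         # strips port and [] around IPv6
        if host is None:
            continue
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue                          # a normal DNS name, not flagged
        hits.append(url)
    return hits


def classify(text):
    """'flagged' if any link uses an IP literal as its host, else 'clean'."""
    return "flagged" if ip_literal_urls(text) else "clean"


def scan(messages):
    """Classify a list of (label, body) pairs into a label -> verdict dict."""
    return {label: classify(body) for label, body in messages}


if __name__ == "__main__":
    for label, verdict in scan(SAMPLE_MESSAGES).items():
        print(f"{label:12s} {verdict}")
```

The check is deliberately narrow: it does not try to resolve names or fetch anything, it only asks whether the host component parses as an address. That keeps it cheap enough to run as a mail filter rule and avoids touching the attacker's server at all.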
If the command and control and updating is done via peer to peer instead of a centralized server, why has nobody created a "Vaccine" that would spread itself back to all the infected nodes. The code can't be that hard to crack to determine how to insert new functionality into the infected hosts. Just inject a new command to spread this update to all your peers and after you succeed, close down all of the command and control vectors. Cleanup and fixing the holes originally used for infection would clearly be useful too, but unnecessary to contain the damage. Really there are tons of things you could do.
I mean this might create an "arms race" where they continue to lock down access to the botnet, but I would love to see the looks on their faces when large sections of the botnet stop responding to commands.
Seriously as "Brilliant" as these guys are I guarantee there are probably people smarter that can crack their network. I know what I am talking about is probably not legal, but it surely is ethical.
There are several ways spammers get emails. They can do massive internet searches for emails and harvest them that way (if you post on USENET with your email addy it's almost guaranteed to be spammed). They also guess a username and if it doesn't bounce back they know they've got a hit.
The Nachi worm was written to search out computers infected with the now-famous Blaster worm and patch the computer with a Microsoft patch. It replicated itself around the world, and once the patch had been implemented and the Blaster worm deleted it deleted itself. Unfortunately it created a heck of a lot of traffic on infected networks, which slowed them down considerably.
gets a sneak peek at Slashdot headlines:
"hmmm, what is going on in the far off fantastical future of 2007?"
Bringing Science and Math Into Writing?
"Ah, an age old problem"
Libraries Defend Open Access
"Some sort of Fahrenheit 451 situation? has the government gone fascist? or the russians won the cold war?"
New Legislation Proposed For Nuclear Safety
"Ah! Chernobyl is still fresh in their minds! At least it seems we didn't nuke each other"
Storm Worm Evolves to Use Tor
"SWEET JESUS! DUNE IS REAL!? AND IN CAHOOTS WITH THE SCANDINAVIAN GODS? WHAT SORT OF SCIFI FANTASY FUTURE IS THIS!"
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Yes, but you understand the fundamental difference I hope. The Nachi worm was a worm that had to FIND infected hosts. Therefore it had to look using a port scanner which when you have thousands of machines scanning thousands of IPs creates a huge amount of traffic.
In this situation, the beauty is that you don't have to create a "worm" in the classical sense. Each infected client maintains a "peer" list so all you do is "fix" its peers, it would cause a cascade failure of the botnet and use up much much less overhead than the Nachi example.
Perhaps we could make the distinction clear this way: A machine that sells soft drinks is often referred to as a 'vender', while the guy selling hot dogs is more likely to be called a 'vendor'. With that in mind, I have toyed with a similar convention for other verb+er nouns:
It's got as good a chance of adoption as *bibyte does. Now, if Cmdr Taco could just get editors who actually EDIT... Oh. He's the 'editor' who ran this story? Never mind.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
Actually, if you're using an unpatched browser, you might not even have to download the file they offer to be infected. The web page includes Javascript exploits for half a dozen security vulnerabilities, which will install the trojan without user interaction. I've posted an analysis of the malware code on my blog.
Despite what the article says, Storm isn't using Tor (other than trying to exploit its reputation) and the download isn't a trojaned version of Tor – it's much too small to be that. What's more, the botnet operators appear to have dropped this strategy. While on Thursday the links in the spam went to a fake Tor download page, on Friday they showed a fake YouTube video, and now they show a fake NFL game tracker.
Steven Murdoch.
web: http://www.cl.cam.ac.uk/users/sjm217/
Your link didn't work.
This attack is not using our network or our software, only abusing our reputation. We sent this release to slashdot and others, days ago:
====
The Tor Project, a US non-profit organisation producing Internet
privacy software, is issuing an urgent warning about a spam email
being circulated as a fake promotion for their software.
The real Tor software provides privacy on the Internet to journalists,
bloggers and human rights activists all over the world. The spam email
promotes the virtues of the software, but then directs people to a
series of fake websites that contain malicious code that will attempt
to take over visiting machines, and the downloaded software is fake
and equally dangerous to run.
The real website is hosted at http://tor.eff.org/ and the Tor
software can be downloaded from there. Users are able to check that
they have received the official version by following the instructions
at: http://wiki.noreply.org/noreply/TheOnionRouter/VerifyingSignatures
Shava Nerad, Development Director for the Tor Project said, "I am
disgusted that criminals who want to recruit more machines for their
illegal activities should trade on our reputation for providing
privacy on the Internet. Fortunately we already have systems in place
so that people can verify that they are downloading the official
software. But this is a distraction from our work that we could do
without."
====
This stuff makes us sad. But you won't even get a trojanned client, just a trojan. And the page you click through to will try to exploit holes in your browser security, so don't even click through.
Yrs,
Shava Nerad
Development Director
The Tor Project
The killings are "down" in that each section has pretty much killed everyone they didn't like in that section. Or the people that were being targeted have run away.
That's not true, particularly, in Anbar. What happened in Anbar was that Al Qaeda was very popular because the people saw two things: a) the USA was overwhelmingly pro-Shiite at Sunni expense, and that b) Al Qaeda said they were anti-American. However, Al Qaeda tried to establish a very strict brand of Islam, and started doing things like execute Iraqi Sunnis for crimes such as smoking a cigarette. Meanwhile, the USA switched its tactics, and, through a mixture of killing Al Qaeda, greasing a few palms, and outright negotiations with the very Sunnis we were fighting, established the belief that we weren't out to destroy the Sunnis, and that, we were really after AQ, and that we wanted a stable Iraq. Pushing Maliki to include Sunnis was a huge part of that.
And when he fails, the next general will be the one "we should have had from the get go".
If he fails. Signs are, he has not.
The Kurds have been fairly peaceful ever since we established the "no fly zones" over their territory after Gulf War I. So don't go claiming that that is any improvement
Boy, that's a way to whitewash things. The Kurds aren't just peaceful, they are actually starting to have an economy.
Now it is just over who controls the oil fields and who gets stuck with the worthless territory.
The fact of the matter is that the USA is pushing the Maliki government to adopt something like the Alaska model for oil revenues - where every Iraqi would just get a piece of the oil money.
Gotta love that kind of insightful commentary.
My commentary is a thousand times more insightful than yours will ever be. You should really just be reading everything I write and become my disciple. I don't hold your ignorance against you. I really just want to save you, because, as a fellow human being, I kinda like you!
This is my sig.
I've read that IPv6, because it includes the MAC, could theoretically help this. But is that true? Could the MAC be spoofed? Or, could an ISP include coupling hardware that validates the MAC and the packet sent are the same? Theoretically, you could require that in network hardware manufacturing, so that a NIC Card would not be allowed to transmit a packet with an address that wasn't from it. But would that be enough?
Even if you weren't ideologically predisposed to sending in the SEALs to whack people for sending out spyware, you could at least block the source traffic and then gradually clean up the already infested machines or rob them of command and control without firing a shot.
I just get enraged by all of these attacks as, honestly, giving money to security people is a sort of a trampling of my job and freedom. The internet is reduced to, our "white warlords" versus their "black warlords", and I think this arrangement is total crap. I can't stand the world where we can't send EXE's as attachments and even images are suspect because I remember how cool the internet was when you could.
This is my sig.
Oh come on! You aren't a real programmer. Everyone knows the binary is the source code. My uncle eddy doesn't even need those fancy disassemblers or debuggers. He edits memory by looking at LEDs and flipping dip switches. Now that is a real programmer.
If they add a large number of trojaned Tor clients to the network, it will undermine the privacy of Tor communications and allow things like traffic analysis.
This isn't necessarily a ploy to use Tor, this may be a ploy to compromise Tor.
Any chance that storm might be the work of a government?
Human beings modify them, fix bugs, and upgrade them. Be it a computer virus, spreadsheet, or operating system.
Sometimes they intentionally break them.
But they don't spontaneously "evolve", "mutate", or any other such thing.
Christ.
I am very small, utmostly microscopic.
Apart from user stupidity, is Windows to blame for this situation? If Windows had a better security model, would there be such problems?
Can a massive lawsuit against Microsoft work?