Storm Worm Evolves To Use Tor

An anonymous reader writes "Seems like the Storm botnet that was behind the last two waves of attacks is also responsible for this new kind of social-engineering based attacks, using spam to try and convince users of the necessity of using Tor for there communications. They 'kindly' provide a link to download a trojaned version of Tor. This blog entry has a link to the original post on or-talk mailing list which has some samples of the messages."

Are we late to the party?

I'm surprised that it took this long for them to try to hide their tracks through anonymizers. Perhaps they've been doing this for quite sometime, and just now are we catching on to the technique...

It just makes sense, and is obvious, and a natural progression of the technology..... Hey! Maybe I should write a patent!

Re:Are we late to the party?

It's not that it's using anonymizing techniques that's new (they've always done this by using links to files already available on public webservers, or going through proxies, or spoofing where possible). This is just that the emails have changed from "verify your credentials with Bank XXX" to "Protect your privacy, downl0ad Tor (not trojan, we promise!)"

Re:Are we late to the party?

I'm still not sure why people would actually listen to that. I mean... why would anyone just download a random program from a website without looking up said program in, say, google to see what it actually does?

Unlikely

Yeah, if people would do crazy shit like that then we'd have botnets consisting of billions of computers... oh wait.

Re:Are we late to the party?

If it's something they've never heard of before, people are more likely to download and try it out of curiosity I suppose. But I do agree that it's the same old thing where you have to not be thinking to clearly or just not understand computers to be fooled to run it.

TFA says it's already detected by antivirus as Email-Worm:W32/Zhelatin.IL. so as long as the users have some antivirus they should still be okay too.

Re:Are we late to the party?

if you look at sites like gamecopyworld.com you will find a wealth of programs that people will download for legitimate (in the consumers mind) use, to mean they can keep their game dvds in their boxes. Add 'trainers' and 'fun free games' to the list and your looking at the majority of casual downloads not directly involving pron or media.

The main problem though is closed source. If source is closed, then there is no easy way to find malicious code before it is deployed on your system. Ok, I'm speaking as a programmer, so that would be useful for me, not a non coder. Still, the point remains, binary distribution only means trouble, be it storm, a sony rootkit, or just 'phone home' code in a program.

What we need is something sort of like gentoo, where all programs are compiled locally, and the code can be inspected for malicious intent. Alas such technology, while it does exist, does not exist in a form that could be disseminated and used by people with no technological background. This is a pipe dream for the moment, I know this. Especially since I tried once to compile openoffice locally (18 hours I think). Perhaps trusted compile farms that deliver fresh binaries?

Waxing lyrical I know, but there has to be an answer somewhere.

Re:Are we late to the party?

Because the modestly intelligent person you are hoping for might think, "This says to install tor, let me open a new window and google for it. Hey, this tor thing looks pretty good!" It's the sort of reaction we encourage people to have, to do some research before installing.

Of course, they then follow the original link from the worm and they still get the trojan. So close, and yet so far... sigh.

Re:Are we late to the party?

They aren't using Tor to hide their traffic, their trying to trick users into download a Trojan saying that it is a Tor executable and they need to protect their privacy. The Storm bot net uses a system called Fast Flux to hide traffic.

Um... excuse you?

Your link didn't work.

Storm is still a trojan, not a worm

As always, it works based on user stupidity, not programmer stupidity.

Re:Storm is still a trojan, not a worm

As always, it works based on user stupidity

Oh no, the internet's doomed! :(

Ummm.

Anybody here taking this activity more seriously? For instance, is there a possibility that this is a military operation? Seems a lot more advanced than most of the usual spam/bot/virus stuff I read about. I hope they don't screw up TOR, especially since I'm living in more and more of a police state these days (US).

Re:Ummm.

Seems a lot more advanced than most of the usual spam/bot/virus stuff I read about.

You mean... More intelligently designed?

 

Spelling...

using spam to try and convince users of the necessity of using Tor for there communications.

It took me a second to understand what the author meant. Spell-checking, anyone?

Speaking on topic, I'd like to correct one of the previous posters: it's not a mere variation on the "Use XXX Bank" theme; as far as I understand, Tor has been picked among tons of other software that could be infected and supplied to users because it helps the spammers in covering their tracks, since their email is routed through Tor now.

Need editors who EDIT

Arguably, what is needed is the low-tech sort of spell-checker. Before we had automated computer programs, newspapers had people called 'copy editors' who would proofread the articles submitted by the reporters. They were looking not only for spelling, grammar, and usage problems, but they also would do fact-checking.

Perhaps we could make the distinction clear this way: A machine that sells soft drinks is often referred to as a 'vender', while the guy selling hot dogs is more likely to be called a 'vendor'. With that in mind, I have toyed with a similar convention for other verb+er nouns:

The person who checks spelling could be a spell-checkor, and the computer program would remain the spell-checker; the human surfing the Web would be a browsor, using a browser program. Programs such as vi or emacs would be editers....

It's got as good a chance of adoption as *bibyte does.

Now, if Cmdr Taco could just get editors who actually EDIT... Oh. He's the 'editor' who ran this story? Never mind.

Who is behind the Storm Botnet?

There is an excellent article in Wired from several weeks ago from when Storm was used to DDoS the entire country of Estonia for 2 weeks. A fantastic read, but here's a particularly scary excerpt: Hackers Take Down the Most Wired Country in Europe [wired.com]

If that is the case -- if Azizov isn't trying to cloud the issue -- the implication is perhaps more troubling. It suggests that there is a group of Russian hackers who, on their own, can disrupt the routine functioning of commerce, media, and government any time they want. If so, these hackers represent a stateless power -- a sort of private militia.

While the article does contain a lot of speculation and sketchy sources (like the above quoted Azizov) the evidence does seem to be pointing in a particular direction:

I ask him why anyone would trust him. After all, he seems to have a suspiciously intimate knowledge of the Estonian attacks. "Russian IT specialists are knowledgeable and experienced enough to destroy the key servers of whole states," he says. "They're the best in the world."

The implication: Clearly you want them on your side, so why not hire them? Maybe Estonia was simply an advertising campaign.

It's starting to look an awful lot like another Cold War is coming, except this time it will be a Cyber war waged by turning your enemy's (and the rest of the world's) poorly secured computers against their critical infrastructure while the actual government absolves itself of blame. Nice.

Who are the stormbot people?

Seriously, somewhere, there ought to be a way of tracking the stormbot people back to its originators. From there, you can just send in a special forces team and just whack the guys. If one nation allows its citizens to hijacking of the assets of millions of another nation's citizens, isn't that just piracy by any other name, and if so, isn't that kind of an act of war?

Re:Who are the stormbot people?

The group running the system is taking precautions to avoid detection, such as using Fast Flux [honeynet.org] Also it is speculated that they are in a former Soviet block country, which tend to have very poor laws and few resources to go after such people.

Re:Who are the stormbot people?

Seriously, somewhere, there ought to be a way of tracking the stormbot people back to its originators.

Theoretically "yes". But in practice the answer is "no".

The people running this botnet can choose from millions of computers they want to use as anonymous bouncers/routers. And they can tripwire their nodes so that after 30 minutes of use as a bouncer, the hard disks are overwritten with 0's (although in most cases this isn't required as IP addresses wouldn't be stored anyway).

A chain of 20 hacked computers spanning the globe operating as routers is not easy to trace. You have to talk to each owner in the chain one-by-one and catch the bounced connection in realtime to reveal the IP for the next node in the chain. And the attackers can obfuscate their presence by programming their bots to simulate these proxy connections at random. Imagine having to trace through 100,000 chains, each containing 20-30 routing nodes. These chains are completely dynamic and randomly change every half an hour.

The Storm botnet is almost the "perfect hack" unless the perpetrators make some big mistakes. If the owners of this botnet installed Freenet on all the bots, we'd have an unenforceable darknet which can only be blocked (maybe! - if you're really lucky) at the ISP. Anyone could tap into this new darknet and do as much internet crime as they like without ever having to worry about getting caught.

Re:Who are the stormbot people?

"Iraq is on the upswing"

If by upswing, you mean on the verge of civil war...
I'd recommend reading bbc.co.uk instead of Fox news there buddy.

I really hope Iraq turns for the better, but right now everyone educated there is packing up and leaving so It's going to be really hard.

When your users are illiterate ...

it is easier to infiltrate there[sic] communications.

skynet?

seems kinda familiar.

Misleading headline

The Storm worm isn't using Tor.

The spam email in question tells the reader that, if they are running torrents, they should use this Tor thing to cover their tracks. The link points to the trojan. The file in question is about 150K in size, or about 20x smaller than the Windows version of Tor (2-3 MB) on the actual site [eff.org].

I posted a warning about this very email on a well-known anime site since I suspected some people there might download it in response to the e-mail.

There's also a version that poses as a YouTube video.

Most of these emails have URLs that use IP addresses, not domain names. Between my SpamAssassin rules and Mozilla Thunderbird's built-in anti-malware protections, messages like these are either quarantined or tagged as dangerous. I've not seen an legitimate email from any correspondent that uses URLs with IP addresses in the host part.

I opened the YouTube version in a Windows VM that had Kaspersky installed. It identified an attempted replacement of tcpip.sys and told me it should be quarantined. Unfortunately a ClamAV scan of the file did not detect anything suspicious.

I had a different email...

At Thu, 6 Sep 2007 13:46:38 +0300 I got this:

Subject: You are being watched online.

Everyone who is doing file trading is at risk. The RIAA is suing one person after another. Tor will stop them from finding you. Take back your privacy. Download it for free, right now. Download Tor [24.15.62.80]

How did they get my email address?

spam for freedom

I'm wondering if these emails were partially inspired by a Slashdot post. Assuming I'm remembering it correctly, there was a story here about possibly spamming people in China and other internet-restricted places telling them about anonymous proxies, Tor, and other tools to get around gov't censorship.

Thats what I was thinking when I first got one of these emails. I thought that someone went ahead and actually sent out the privacy-oriented spam. Tor is something that your ordinary Pogo-playing, pr0n-surfing user isn't going to know about, so why use Tor in a phishing, bot-infection scenario?

Still strikes me as odd that they would use Tor as the bait. You'd think they would have picked something more appealing to the masses.

Very Dramatic.

I love how they use words like 'evolve' to describe the actions of programs and viruses, it makes the internet seem like a primal battleground.

I propose a nationwide education campaign

Seriously, the BEST tool against botnets, virii, worms, etc. is Education. If all computer users understood basic key ideas about not downloading crap from emails, running firewall software and keeping their A/V software up-to-date there would be a huge reduction in the number of infections. The sad fact though is that only a select few people understand these basic ideas and arte actually VIGILANT about sticking to them.

My suggestion:

Setup a nationwide network of community educators. Local organizers in a particular community who get a group togeather to distribute pamflets, door-to-door visitations, etc. Sure its time consuming, takes money to print stuff. But simply sending letters in the mail or broadcasting this kind of information on the news media isn't going to hit it home. Develop small catch phrases that get the idea across and stick.

Sure, some people won't give a shit and will continue to download crap from spam messages even after being told not to. This is where I think ISPs should become vigilant about cutting access to their internet and give them help in cleaning their computer (either with patches, a live-CD, etc.).

My question is..

If the command and control and updating is done via peer to peer instead of a centralized server, why has nobody created a "Vaccine" that would spread itself back to all the infected nodes. The code can't be that hard to crack to determine how to insert new functionality into the infected hosts. Just inject a new command to spread this update to all your peers and after you succeed, close down all of the command and control vectors. Cleanup and fixing the holes originally used for infection would clearly be useful too, but unnecessary to contain the damage. Really there are tons of things you could do.

I mean this might create an "arms race" where they continue to lock down access to the botnet, but I would love to see the looks on their faces when large sections of the botnet stop responding to commands.

Seriously as "Brilliant" as these guys are I guarantee there are probably people smarter that can crack their network. I know what I am talking about is probably not legal, but it surely is ethical.

time traveller from 1987 goes 20 years in future,

gets a sneak peek at Slashdot headlines:

"hmmm, what is going on in the far off fantastical future of 2007?"

Bringing Science and Math Into Writing?

"Ah, an age old problem"

Libraries Defend Open Access

"Some sort of Fahrenheit 451 situation? has the government gone fascist? or the russians won the cold war?"

New Legislation Proposed For Nuclear Safety

"Ah! Chernobyl is still fresh in their minds! At least it seems we didn't nuke each other"

Storm Worm Evolves to Use Tor

"SWEET JESUS! DUNE IS REAL!? AND IN CAHOOTS WITH THE SCANDINAVIAN GODS? WHATR SORT OF SCIFI FANTASY FUTURE IS THIS!"

Sounds a bit daft.

This sounds a little stupid to me, as the kind of privicy aware person who'll want to use Tor, is also the kind of person who'll have Anti-Virus software and won't fall for classic malware tricks.

Could it be a bit more misleading?

Storm isn't using TOR, it claims its installer to be a TOR proxy. C'mon, malware has been claiming to be something useful for ages, why's this news?

You don't have to download the file to be infected

Actually, if you're using an unpatched browser, you might not even have to download the file they offer to be infected. The web page includes Javascript exploits for half a dozen security vulnerabilities, which will install the trojan without user interaction. I've posted an analysis [lightbluetouchpaper.org] of the malware code on my blog.

Despite what the article says, Storm isn't using Tor (other than trying to exploit it's reputation) and the download isn't a trojaned version of Tor – it's much too small to be that. What's more, the botnet operators appear to have dropped this strategy. While on Thursday the links in the spam went to a fake Tor download [lightbluetouchpaper.org] page, on Friday they showed a fake YouTube video [lightbluetouchpaper.org], and now they show a fake NFL game tracker [johnhsawyer.com].

This is *not* using the Tor network or software

This attack is not using our network or our software, only abusing our reputation. We sent this release to slashdot and others, days ago:

====
The Tor Project, a US non-profit organisation producing Internet
privacy software, is issuing an urgent warning about a spam email
being circulated as a fake promotion for their software.

The real Tor software provides privacy on the Internet to journalists,
bloggers and human rights activists all over the world. The spam email
promotes the virtues of the software, but then directs people to a
series of fake websites that contain malicious code that will attempt
to take over visiting machines, and the downloaded software is fake
and equally dangerous to run.

The real website is hosted at http://tor.eff.org/ [eff.org] and the Tor
software can be downloaded from there. Users are able to check that
they have received the official version by following the instructions
at: http://wiki.noreply.org/noreply/TheOnionRouter/Ver ifyingSignatures [noreply.org]

Shava Nerad, Development Director for the Tor Project said, "I am
disgusted that criminals who want to recruit more machines for their
illegal activities should trade on our reputation for providing
privacy on the Internet. Fortunately we already have systems in place
so that people can verify that they are downloading the official
software. But this is a distraction from our work that we could do
without."
====

This stuff makes us sad. But you won't even get a trojanned client, just a trojan. And the page you click through to will try to exploit holes in your browser security, so don't even click through.

Yrs,
Shava Nerad
Development Director
The Tor Project

It means that Tor is compromised

If they add a large number of trojaned Tor clients to the network, it will undermine the privacy of Tor communications and allow things like traffic analysis.

This isn't necessarily a ploy to use Tor, this may be a ploy to compromise Tor.

Any chance that storm might be the work of a government?

just what Tor needed..

botnets to slowdown Tor, thats just great. Why dont some of these botnets morph there nets INTO a tor like device. That way we would all benefit from the giant mesh-tor-nets..

Note to world: computer programs don't evolve

Human beings modify them, fix bugs, and upgrade them. Be it a computer virus, spreadsheet, or operating system.

Sometimes they intentionally break them.

But they don't spontaneously "evolve", "mutate", or any other such thing.

Christ.

Spelling these days

First I saw an article about something happening in New Zealand that was filed under Australia for some ignorant reason, and now I read in another summary their/there getting mixed up!

Kids these days...

Is Windows to blame for this situation?

Apart from user stupidity, is Windows to blame for this situation? if Windows had a better security model, would there be such problems?

Can a massive lawsuit against Microsoft work?

Not hard to catch...

I mean, their download link is torjan.exe!

How to stop it

Regex for your mail filter of choice.

https?://\d*\.\d*\.\d*\.\d*.*

Re:"there communications"?

I pity you.

You are handicapped if you really believe what you say.

Seriously.

Re:"there communications"?

OFF TOPIC

I don't know what kind of job you have but luckily I can misspell many things without anyone being an ass and pointing out my mistakes - provided my message is clear. "Their"," there", and "they're" mistakes are easily overlooked and often go unnoticed.

I think what the grammar/spelling nit-pickers fail to realize is while most of us would like to spell perfectly and use grammar correctly, we all do not have access to copy editors to revise our posts to slashdot and make corrections for errors. And if the nit-picker would truly help with a "I think you meant" or even a "I believe you misspelled ...", most of us would acknowledge our mistakes and in the future, attempt to correct our spelling and use correct grammar. Unfortunately, it appears to take a "special" someone to correct other peoples spelling and grammar and politeness does not seem to be their strong suit.

So to all those who correct grammar/spelling, please try to be polite and you may see your pet peeve of bad grammar and incorrect spelling reduced. And to all those whose grammar and spelling are corrected, even though the delivery is poor or even rude, attempting to communicate more clearly and effectively is a noble goal so ignore the delivery but not the message.

Now, back to our regularly scheduled topic - what was it again?

Re:"there communications"?

Am I the only one that's annoyed by the Crusade Too Stop Bad Speelers and Jihad Too Correct There Misused Words?

Of course you are! Everyone else obviously supports the Institute For Kids Who Can't Read Good and Want To Learn To Do Other Stuff Good Too.