Storm Worm Evolves To Use Tor 182
An anonymous reader writes "Seems like the Storm botnet that was behind the last two waves of attacks is also responsible for this new kind of social-engineering based attacks, using spam to try and convince users of the necessity of using Tor for there communications. They 'kindly' provide a link to download a trojaned version of Tor. This blog entry has a link to the original post on or-talk mailing list which has some samples of the messages."
Storm is still a trojan, not a worm (Score:5, Insightful)
Re:Ummm. (Score:2, Insightful)
Spelling... (Score:4, Insightful)
Speaking on topic, I'd like to correct one of the previous posters: it's not a mere variation on the "Use XXX Bank" theme; as far as I understand, Tor has been picked among tons of other software that could be infected and supplied to users because it helps the spammers in covering their tracks, since their email is routed through Tor now.
Re:Who are the stormbot people? (Score:1, Insightful)
Send the marines, yeah! Violence is the solution! If it doesn't work, use more!
It worked before, right? I mean, we've caught Osama, Afghanistan and Iraq are all peaceful and dandy now, there is no anti-American sentiment in Vietnam or anywhere in the world. Everybody loves the USA, because of brililant minds like you!
*pins a medal on tjstork*
Misleading headline (Score:5, Insightful)
The spam email in question tells the reader that, if they are running torrents, they should use this Tor thing to cover their tracks. The link points to the trojan. The file in question is about 150K in size, or about 20x smaller than the Windows version of Tor (2-3 MB) on the actual site [eff.org].
I posted a warning about this very email on a well-known anime site since I suspected some people there might download it in response to the e-mail.
There's also a version that poses as a YouTube video.
Most of these emails have URLs that use IP addresses, not domain names. Between my SpamAssassin rules and Mozilla Thunderbird's built-in anti-malware protections, messages like these are either quarantined or tagged as dangerous. I've not seen an legitimate email from any correspondent that uses URLs with IP addresses in the host part.
I opened the YouTube version in a Windows VM that had Kaspersky installed. It identified an attempted replacement of tcpip.sys and told me it should be quarantined. Unfortunately a ClamAV scan of the file did not detect anything suspicious.
Comment removed (Score:4, Insightful)
Re:Storm is still a trojan, not a worm (Score:4, Insightful)
Oh no, the internet's doomed!
Re:Who are the stormbot people? (Score:1, Insightful)
But less so than a year ago. sectarian killings are down. Anbar is quieting up. Baghdad is, yes, basically being ethnically cleansed, and right we're really more presiding over a partition of the country than its unification.. but it is what the people of Iraq really want...
I'd recommend reading bbc.co.uk instead of Fox news there buddy.
bbc.co.uk is farther to the left than Fox is to the right. Ideologically, the BBC is absolutely an absurdly liberal institution but even their radio commentators on the BBC News Hour on NPR will tell you that the United States has an obligation to remain in Iraq.
Mostly, I'm basing my assesment on the military blogs and people that I know who are there. Petreaus is the general we should have had from the get go, but the USA has a history of going to war with incompetent generals and then switching gears to "get er done"... the civil war is the most famous example, but we sure had a few sore spots in WWII as well.
It seems like life is improving in Anbar, which was a difficult province for us. It's the shiite areas that are problematic now, but, even so, Kurdish + Sunni areas already give us a peaceful majority of Iraq, which is certainly an improvement. If you would have asked me about Iraq, pre-surge, I would have said, let's just leave and let them all kill each other. they are all muslims anyway... but, it seems like that bigotry is proving remarkably unfounded. The vast majority of Iraqis are not suicide bombing each other.
My question is.. (Score:3, Insightful)
I mean this might create an "arms race" where they continue to lock down access to the botnet, but I would love to see the looks on their faces when large sections of the botnet stop responding to commands.
Seriously as "Brilliant" as these guys are I guarantee there are probably people smarter that can crack their network. I know what I am talking about is probably not legal, but it surely is ethical.
several ways (Score:3, Insightful)
Re:Are we late to the party? (Score:5, Insightful)
Of course, they then follow the original link from the worm and they still get the trojan. So close, and yet so far... sigh.
Re:Are we late to the party? (Score:3, Insightful)
Are you kidding? If you could trace back a tor link to gaysex.com/bathroomEncounters.mpg to Senator Larry Craig's machine, don't you think TV shows like Dateline would be offering you tens of thousands of dollars for it?
Re:Are we late to the party? (Score:3, Insightful)
Re:from the above article. (Score:2, Insightful)
In this situation, the beauty is that you don't have to create a "worm" in the classical sense. Each infected client maintains a "peer" list so all you do is "fix" it's peers, it would cause a cascade failure of the botnet and use up much much less overhead than the Nachi example.
Re:Are we late to the party? (Score:3, Insightful)
Re:Who is behind the Storm Botnet? (Score:3, Insightful)
Re:Look at the timeline. (Score:2, Insightful)
That's not true, particuarly, in Anbar. What happened in Anbar was that Al Qaeda was very popular because the people saw two things: a) the USA was overwhelmingly pro-shiite at Sunni expense, and that b) Al Qaeda said they were anti-American. However, Al Qaeda tried to establish a very strict brand of Islam, and started doing things like execute Iraqi Sunnis for crimes such as smoking a cigarette. Meanwhile, the USA switched its tactics, and, through a mixture of killing Al Qaeda, greasing a few palms, and outright negotations with the very Sunnis we were fighting, established the belief that we weren't out to destroy the Sunnis, and that, we were really after AQ, and that we wanted a stable Iraq. Pushing Maliki to include Sunnis was a huge part of that.
And when he fails, the next general will be the one "we should have had from the get go".
If he fails. Signs are, he has not.
The Kurds have been fairly peaceful ever since we established the "no fly zones" over their territory after Gulf War I. So don't go claiming that that is any improvement
Boy, that's a way to whitewash things. The Kurds aren't just peaceful, they are actually starting to have an economy.
Now it is just over who controls the oil fields and who gets stuck with the worthless territory.
The fact of the matter, is that the USA is pushing the Malika government to adopt something like the Alaska model for oil revenues - where every Iraqi would just get a piece of the oil money.
Gotta love that kind of insightful commentary.
My commentary is a thousand times more insightful than yours will ever be. You should really just be reading everything I write and become my disciple. I don't hold your ignorance against you. I really just want to save you, because, as a fellow human being, I kinda like you!
It means that Tor is compromised (Score:2, Insightful)
If they add a large number of trojaned Tor clients to the network, it will undermine the privacy of Tor communications and allow things like traffic analysis.
This isn't necessarily a ploy to use Tor, this may be a ploy to compromise Tor.
Any chance that storm might be the work of a government?
Re:So would IPv6 actually fix this? (Score:3, Insightful)
IPv6 only includes the MAC if it is configured using Stateless Autoconfiguration, and if Privacy Extensions are not turned on. If it is configured using some stateful method, like DHCPv6 or a static IPv6 address, the address could be anything. Likewise, if Privacy Extensions are turned on, then Stateless Autoconfiguration will rotate among random address that don't include the MAC, but are still unlikely to collide with other hosts' addresses.
But what good does knowing someone's MAC address do you? You can identify if they switch IP's, maybe, but then what? Botnets rely on hundreds of thousands (or, in this case, millions) of machines with different addresses and ISP's, so knowing the MAC of one would not help much. If a MAC was all you had to go on, it might help, but by the time you tracked down the MAC of one host, they'd have switched through dozens of others, and there'd be no information for you on the host you tracked down.
Re:Are we late to the party? (Score:3, Insightful)
Is Windows to blame for this situation? (Score:3, Insightful)
Can a massive lawsuit against Microsoft work?