In-Reply-To: <CAD2Ti2_WHyqLJP=dKcGv1XekSg5TRrTFpQoR9cfgK6YM0=6dgg@mail.gmail.com>
References: <CADJYzxKMoDb_xPbJRn6tejKLOjvKvnRa3+mjX+gPGtB_5zGHQQ@mail.gmail.com>
 <CAD2Ti2_WHyqLJP=dKcGv1XekSg5TRrTFpQoR9cfgK6YM0=6dgg@mail.gmail.com>
From: Rich Jones <rich@openwatch.net>
Date: Tue, 24 Jun 2014 13:25:42 -0700
Message-ID: <CADJYzxKUNKbnc=1HkpTHcd1-VnkfpyBAnNK5_Rg2iV3+PZ3bbg@mail.gmail.com>
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Tor Phishing in the Wild // Old Sigs

I'm just posting this stuff here for analysis and discussion, not because I
need the tech support. But good advice if there were those out there who
fell for this scam.

More technical details from reddit:

"As we all could probably already guess, the exe on this site is
backdoored. It makes a bunch of requests to 162.251.80.25 (
cp-14.webhostbox.net) from port 3841 on your machine. After that, I am
seeing messages sent to 185.15.246.132 (nordns.com). Finally, I'm also
seeing communication to 192.240.104.151.

It looks like the exe may have been packed with the legitimate version of
the installer as well as the malware, so the end user isn't supposed to
suspect anything."


Figures. Anyway, thought y'all would be interested. Maybe Tor Project folks
could contact the registrar or DNS operator?

R


On Tue, Jun 24, 2014 at 12:28 PM, grarpamp <grarpamp@gmail.com> wrote:

> On Tue, Jun 24, 2014 at 1:54 PM, Rich Jones <rich@openwatch.net> wrote:
> > There's (what looks like) an active Tor phishing operation located at
> > http://torbundleproject (dot) org . I believe this is related to black
> > market scammer.
> > diff the files 'torbrowser-install-3.6.1_en-US.exe' to see what's going
> on
>
> It's called a trojan.
>
> > list of the old signatures on the Tor website to compare with. Can
> anybody
>
> https://archive.torproject.org/
>
> Wipe your windows box and start over.
>
> http://www.dban.org/
> http://www.andybev.com/index.php/Nwipe
> https://www.archlinux.org/
> https://www.freebsd.org/
> https://www.debian.org/
> --
> tor-talk mailing list - tor-talk@lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
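The reddit comment quoted above lists the network indicators the trojaned installer was seen contacting (three destination IPs, two hostnames, and an unusual source port). The following is an added example, not from the thread or from the Tor Project, showing how a defender could sweep an existing firewall or proxy log for those indicators. The log line format, the sample lines and the internal addresses are constructed for this example; only the indicator values come from the post.

```python
import ipaddress
import re
from collections import Counter

# Indicators as quoted in the reddit comment in the thread above.
IOC_IPS = {
    "162.251.80.25",    # cp-14.webhostbox.net
    "185.15.246.132",   # nordns.com
    "192.240.104.151",
}
IOC_HOSTS = {"cp-14.webhostbox.net", "nordns.com"}
IOC_SRC_PORT = 3841  # source port reported for the first batch of requests

# Constructed sample log lines in a simple format assumed for this example:
# "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> host=<name|->"
SAMPLE_LOG = """\
2014-06-24T20:01:02Z 10.0.0.7:3841 -> 162.251.80.25:80 host=cp-14.webhostbox.net
2014-06-24T20:01:05Z 10.0.0.7:51022 -> 93.184.216.34:443 host=example.com
2014-06-24T20:02:11Z 10.0.0.7:51030 -> 185.15.246.132:53 host=nordns.com
2014-06-24T20:03:40Z 10.0.0.9:49100 -> 192.240.104.151:443 host=-
this line is garbage and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+host=(?P<host>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["src"])
        ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def match_iocs(rec):
    """Return the reasons a record matches the indicators (empty list if clean)."""
    reasons = []
    if rec["dst"] in IOC_IPS:
        reasons.append("dst-ip:" + rec["dst"])
    if rec["host"] in IOC_HOSTS:
        reasons.append("host:" + rec["host"])
    # A source port on its own is a weak signal (ephemeral ports get reused),
    # so it is only recorded as corroboration of a stronger match.
    if rec["sport"] == IOC_SRC_PORT and reasons:
        reasons.append("src-port:%d" % IOC_SRC_PORT)
    return reasons


def scan_log(text):
    """Return (record, reasons) for every matching line; malformed lines are skipped."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = match_iocs(rec)
        if reasons:
            hits.append((rec, reasons))
    return hits


def affected_hosts(text):
    """Count matching connections per internal source address, for triage."""
    return Counter(rec["src"] for rec, _ in scan_log(text))


if __name__ == "__main__":
    for rec, reasons in scan_log(SAMPLE_LOG):
        print(rec["ts"], rec["src"], "->", rec["dst"], ", ".join(reasons))
    print(dict(affected_hosts(SAMPLE_LOG)))
```

Run against a real log, the per-source count from `affected_hosts` tells you which machines downloaded the fake installer and need the wipe-and-reinstall treatment grarpamp recommends; the per-line reasons tell you which indicator fired, which matters because hostnames and IPs like these get reassigned and a hit on a DNS name alone deserves a second look before anyone is paged.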

