Delivery-Date: Tue, 24 Jun 2014 17:27:05 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
	RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 80E871E0EE3
	for <archiver@seul.org>; Tue, 24 Jun 2014 17:27:01 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id EDFF62FE57;
	Tue, 24 Jun 2014 21:26:59 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 8028F2FE5B
 for <tor-talk@lists.torproject.org>; Tue, 24 Jun 2014 21:16:21 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at eugeni.torproject.org
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id ScQ-IA_sLTAm for <tor-talk@lists.torproject.org>;
 Tue, 24 Jun 2014 21:16:21 +0000 (UTC)
Received: from mail-wi0-f172.google.com (mail-wi0-f172.google.com
 [209.85.212.172])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (not verified))
 by eugeni.torproject.org (Postfix) with ESMTPS id 367FD2F781
 for <tor-talk@lists.torproject.org>; Tue, 24 Jun 2014 21:16:21 +0000 (UTC)
Received: by mail-wi0-f172.google.com with SMTP id hi2so6746199wib.5
 for <tor-talk@lists.torproject.org>; Tue, 24 Jun 2014 14:16:17 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:message-id:date:from:mime-version:to:subject
 :references:in-reply-to:content-type;
 bh=wkqIfAVlsiPxiRsPHZc/fqD/x3ni0gHmxJJsA4T4xng=;
 b=B1HHIp6/GtMonrHz7bbe+7rBhWtcDIBNL1DnuiWeeZFpmctrX+YIrhlqtJa2pLoYPS
 mwIOM06zXz35HvBeO8ZyzS8G+xsRTPWJsolZ/hhqt53TnQSLeU4WjUSbI8etLgOaU3rK
 /2wZpbBKsDzs+7FTdf2s2Z34Dj8TKCJzRxXTeVEeeWnszD5dxwvNC/F/FYjEXA4z8kB7
 goGYA70jBCrhsCRrUW3uqoY5wqkPcvxXhi9abnUU57PEMYuS0mOE/OiS2F6WFiKJkNZd
 uKbjp+jaXm2eorB1Pwe2EcAWnlzUbAM19SCZIgPrPxMI46s1X19CvT9P12Z1D6rSB7aR
 8IrQ==
X-Gm-Message-State: ALoCoQnkhYShvcIc2FblCh1Ju78o6ZiiZHkjoBmfSY9JJOoPG8g6tNgTyDvHoMjp0YZD1e1UlMqC
X-Received: by 10.180.20.15 with SMTP id j15mr1429123wie.60.1403644574975;
 Tue, 24 Jun 2014 14:16:14 -0700 (PDT)
Received: from 127.0.0.1 (tor20.anonymizer.ccc.de. [31.172.30.3])
 by mx.google.com with ESMTPSA id hi2sm2938625wjb.29.2014.06.24.14.16.12
 for <tor-talk@lists.torproject.org>
 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Tue, 24 Jun 2014 14:16:14 -0700 (PDT)
Message-ID: <53A9EA9A.7030007@accessnow.org>
Date: Tue, 24 Jun 2014 17:16:10 -0400
From: Michael Carbone <michael@accessnow.org>
MIME-Version: 1.0
To: tor-talk@lists.torproject.org
References: <CADJYzxKMoDb_xPbJRn6tejKLOjvKvnRa3+mjX+gPGtB_5zGHQQ@mail.gmail.com>
 <CAD2Ti2_WHyqLJP=dKcGv1XekSg5TRrTFpQoR9cfgK6YM0=6dgg@mail.gmail.com>
 <CADJYzxKUNKbnc=1HkpTHcd1-VnkfpyBAnNK5_Rg2iV3+PZ3bbg@mail.gmail.com>
In-Reply-To: <CADJYzxKUNKbnc=1HkpTHcd1-VnkfpyBAnNK5_Rg2iV3+PZ3bbg@mail.gmail.com>
Subject: Re: [tor-talk] Tor Phishing in the Wild // Old Sigs
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============5215126704242600852=="
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============5215126704242600852==
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature";
 boundary="mVOcGP5THCcSI8dDiFrXc5J992ftUSQcq"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--mVOcGP5THCcSI8dDiFrXc5J992ftUSQcq
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Thanks for the further details Rich.

Not sure if others have contacted them yet so Access' helpline staff
reached out to PIR's abuse team about the fake domain -- phishing &
willful distribution of malware are clear violations of PIR anti-abuse
policy. We'll update when we hear anything concrete back.

I don't know if folks will have any luck with the DNS operator & host,
but they are IT Itch (https://ititch.com). I think PIR will likely be
more responsive.

Michael

Rich Jones:
> I'm just posting this stuff here for analysis and discussion, not because I
> need the tech support. But good advice if there were those out there who
> fell for this scam.
> 
> More technical details from reddit:
> 
> "As we all could probably already guess, the exe on this site is
> backdoored. It makes a bunch of requests to 162.251.80.25 (
> cp-14.webhostbox.net) from port 3841 on your machine. After that, I am
> seeing messages sent to 185.15.246.132 (nordns.com). Finally, I'm also
> seeing communication to 192.240.104.151.
> 
> It looks like the exe may have been packed with the legitimate version of
> the installer as well as the malware, so the end user isn't supposed to
> suspect anything."
> 
> 
> Figures. Anyway, thought y'all would be interested. Maybe Tor Project folks
> could contact the registrar or DNS operator?
> 
> R
> 
> 
> On Tue, Jun 24, 2014 at 12:28 PM, grarpamp <grarpamp@gmail.com> wrote:
> 
>> On Tue, Jun 24, 2014 at 1:54 PM, Rich Jones <rich@openwatch.net> wrote:
>>> There's (what looks like) an active Tor phishing operation located at
>>> http://torbundleproject (dot) org . I believe this is related to black
>>> market scammer.
>>> diff the files 'torbrowser-install-3.6.1_en-US.exe' to see what's going
>> on
>>
>> It's called a trojan.
>>
>>> list of the old signatures on the Tor website to compare with. Can
>> anybody
>>
>> https://archive.torproject.org/
>>
>> Wipe your windows box and start over.
>>
>> http://www.dban.org/
>> http://www.andybev.com/index.php/Nwipe
>> https://www.archlinux.org/
>> https://www.freebsd.org/
>> https://www.debian.org/

-- 
Michael Carbone
Tech & Policy Manager
Access | https://www.accessnow.org

GPG: 0x81B7A13E
Fingerprint: 25EC 1D0F 2D44 C4F4 5BEF EF83 C471 AD94 81B7 A13E



--mVOcGP5THCcSI8dDiFrXc5J992ftUSQcq
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
=iESL
-----END PGP SIGNATURE-----

--mVOcGP5THCcSI8dDiFrXc5J992ftUSQcq--

--===============5215126704242600852==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

--===============5215126704242600852==--

