On 15/05/2017 09:38, Roger Dingledine wrote:
On Mon, May 15, 2017 at 09:17:33AM +0200, Cristian Consonni wrote:
| https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
Was the increased number of downloads from the malware visible from the logs?
I looked, and there were a few hundred downloads per day. It didn't look like a huge number. Maybe people misread the code, or maybe there aren't actually that many infections and all the "threat intelligence" companies want to keep talking about it anyway, or who knows.
Interesting. In fact, I thought that downloading the whole browser seemed to be not so smart, surely there are better ways to connect programmatically to the Tor network.
To my untrained eye, this malware seems to be both clever (self-replication) and dumb (kill switch, downloading the browser) at the same time.
But the low number of downloads, plus the fact that folks said they'd disabled the ransomware component (by registering the domain it checked), plus the fact that I hadn't investigated the worm code to figure out if it did anything surprising when the URL is disabled, made me decide to leave it alone.
Very reasonable.
Thanks for the info.
Cristian