On Mon, May 15, 2017 at 09:58:26AM +0200, Cristian Consonni wrote:
> Interesting. In fact, I thought that downloading the whole browser seemed to be not so smart, surely there are better ways to connect programmatically to the tor network.
It is not the whole browser -- it is the "windows expert bundle": https://www.torproject.org/download/download

So it is indeed stupid to treat its libraries like the cloud, but not so stupid that it's fetching the whole tor browser.
> To my untrained eye, this malware seems to be both clever (self-replication) and dumb (kill switch, downloading the browser) at the same time.
Also ask yourself whether it checks the signature of the tor win32 thing that it downloads before running it. :( Good thing we're not evil.
--Roger
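The point Roger raises is the difference between "download and run" and "download, verify, then run": a client that fetches the expert bundle over an unauthenticated channel and executes whatever arrives can be fed a substitute binary by anyone in the path. The following is an added example, not code from the thread or from the Tor Project, showing the verify-before-run pattern with a detached signature over the downloaded archive. It uses Ed25519 from the Go standard library and a key pair generated inside the program so that it runs offline; the real Tor Project downloads are signed with OpenPGP, so a real client would pin the Tor Browser Developers key and check the `.asc` file with `gpg --verify` instead. The archive bytes, the key pair and the "attacker" key are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Bundle is what a downloader ends up with: the archive it fetched and the
// detached signature it fetched alongside it (constructed here, not fetched).
type Bundle struct {
	Archive   []byte
	Signature []byte
}

// VerifyBundle returns nil only if Signature is a valid Ed25519 signature over
// SHA-256(Archive) under the pinned publisher key. Signing the digest rather
// than the raw bytes lets a real client hash a large download as it streams.
// The caller must not unpack or execute Archive unless this returns nil.
func VerifyBundle(pinned ed25519.PublicKey, b Bundle) error {
	if len(pinned) != ed25519.PublicKeySize {
		return errors.New("pinned publisher key has the wrong size")
	}
	if len(b.Signature) != ed25519.SignatureSize {
		return errors.New("detached signature has the wrong size")
	}
	digest := sha256.Sum256(b.Archive)
	if !ed25519.Verify(pinned, digest[:], b.Signature) {
		return errors.New("signature does not verify: refusing to run downloaded archive")
	}
	return nil
}

// SignBundle is the publisher side. In practice the private key never sits on
// the client; it is here only so the example can produce a valid signature.
func SignBundle(priv ed25519.PrivateKey, archive []byte) Bundle {
	digest := sha256.Sum256(archive)
	return Bundle{Archive: archive, Signature: ed25519.Sign(priv, digest[:])}
}

// Demo walks through the three cases a downloader must get right:
// a genuine bundle is accepted, a bundle modified in transit is rejected,
// and a bundle substituted and signed by someone else is rejected.
func Demo() (accepted, tamperedRejected, substitutedRejected bool, err error) {
	// Constructed publisher key pair standing in for the pinned Tor signing key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}

	// Constructed stand-in for the expert bundle zip.
	archive := []byte("PK\x03\x04 constructed stand-in for the tor expert bundle")
	good := SignBundle(priv, archive)
	accepted = VerifyBundle(pub, good) == nil

	// Case 2: the same download with one byte flipped on the wire.
	tampered := Bundle{
		Archive:   append([]byte(nil), good.Archive...),
		Signature: good.Signature,
	}
	tampered.Archive[len(tampered.Archive)-1] ^= 0x01
	tamperedRejected = VerifyBundle(pub, tampered) != nil

	// Case 3: an on-path attacker swaps in their own "tor.exe" and signs it
	// with their own key. A correctly signed archive under the wrong key
	// must still be rejected, which is why the public key is pinned.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	substituted := SignBundle(attackerPriv, []byte("attacker-supplied tor.exe"))
	substitutedRejected = VerifyBundle(pub, substituted) != nil

	return accepted, tamperedRejected, substitutedRejected, nil
}

func main() {
	accepted, tamperedRejected, substitutedRejected, err := Demo()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Println("genuine bundle accepted:       ", accepted)
	fmt.Println("tampered bundle rejected:      ", tamperedRejected)
	fmt.Println("substituted bundle rejected:   ", substitutedRejected)
}
```

The detail that matters is the pinned key: verifying a signature against a key fetched from the same place as the archive proves nothing, since whoever replaced the archive can replace the key too. The key (or, for OpenPGP, the fingerprint) has to be baked into the client, and the signature check has to sit between the download and the first `exec`, which is precisely the step the malware in question appears to skip.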