[tor-bugs] #13479 [general]: Probable malware being served from thetorproject.org
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Oct 19 22:57:39 UTC 2014
#13479: Probable malware being served from thetorproject.org
-------------------------+-------------------------------------------------
Reporter: donncha | Owner: phobos
Type: defect | Status: assigned
Priority: normal | Milestone:
Component: general | Version:
Resolution: | Keywords: trademark violation, phishing,
Actual Points: | malware
Points: | Parent ID:
-------------------------+-------------------------------------------------
Comment (by donncha):
If looked at this site a bit more and it appears to be the same
person/group who was running Torbundlebrowser.org a few months ago.
The backdoored tor-chat.org and thetorproject.org binaries both seem to be
droppers for the following payload.
https://malwr.com/analysis/MGNmZTg0ZjIwYTQxNDJmMzg4NDJlODg5OTcwNjBhYzM/#
This payload looks to be the same type as the one which was hosted on
Torbundlebrowser.org. jvoisin reversed and described it at
http://dustri.org/b/torbundlebrowserorg.html. In this case the malware
appears to be communicated back to a C&C server listening on
gbqi75ukulafpnsd.onion:24576 but I haven't investigated this fully yet.
I've reported both domains to Google's malicious website database so
hopefully they will be added to the block lists soon.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13479#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list