[tor-talk] "zeus" virus

scar scar at drigon.com
Thu Aug 23 20:10:32 UTC 2012


hi all, i operate the "cave" router from my home DSL connection, and
from time to time it will get suspended because CenturyLink will
notice malicious traffic from viruses routed thru the Tor network.
most of the time i can block these because they will tell me
destination IP addresses.  but lately my service has been getting
suspended because of this "zeus" virus and the reports my ISP sends
don't have any destination ip addresses.  below is a sample report of
what they send me, you can see with the 'conficker' one there is a
dst address that i can block, but with zeus there is practically no
data.  (the IP Address column is what my IP address was at the time)
i have asked CenturyLink for more info, specifically destination ip
addresses, but this is all they give me.  so does anyone know of a way
to block this zeus thru Tor?  thanks


Date/Time Seen (GMT)   IP Address        Infection Data (*)
--------------------   ---------------   ------------------------------
2012-08-20 00:56:32    67.1.15.107       infection => 'zeus',
addl_data => '/config.bin'
2012-07-30 15:06:13    97.115.197.107    infection => 'zeus',
addl_data => '/zs/config.bin'
2012-07-26 23:17:48    97.115.196.146    infection => 'conficker',
subtype => 'downadup', src_port => '49510', dst_port => '80',
http_host => '149.20.56.33', url => 'GET /search?q=0 HTTP/1.1',
http_agent => 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729)', dst_ip => '149.20.56.33', sourceSummary => 'Sinkhole HTTP
Drone Report'
2012-07-04 18:46:35    97.115.192.31     infection => 'zeus',
addl_data => '/update32.php'

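As an added example (not part of the original post or the ISP's tooling), a small Python parser for the report layout quoted above: it reassembles the wrapped lines into records and separates entries that name a dst_ip (which an exit operator can block) from those, like the zeus ones, that only carry a path fragment. The sample report is constructed in that layout; the parser assumes values are single-quoted and never contain a single quote.

```python
import re

# Constructed sample in the ISP's report layout (not an actual report).
SAMPLE_REPORT = """\
Date/Time Seen (GMT)   IP Address        Infection Data (*)
--------------------   ---------------   ------------------------------
2012-08-20 00:56:32    67.1.15.107       infection => 'zeus',
addl_data => '/config.bin'
2012-07-26 23:17:48    97.115.196.146    infection => 'conficker',
subtype => 'downadup', src_port => '49510', dst_port => '80',
http_host => '149.20.56.33', url => 'GET /search?q=0 HTTP/1.1',
http_agent => 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
InfoPath.2)', dst_ip => '149.20.56.33', sourceSummary => 'Sinkhole HTTP
Drone Report'
2012-07-04 18:46:35    97.115.192.31     infection => 'zeus',
addl_data => '/update32.php'
"""

# A record begins with a GMT timestamp and the exit's IP at that time;
# wrapped continuation lines carry the rest of its key => 'value' pairs.
RECORD_START = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(.*)$")
# Assumption: values are single-quoted and contain no single quote themselves,
# so a value may span a line break (http_agent, sourceSummary) and still parse.
KEY_VALUE = re.compile(r"(\w+)\s*=>\s*'([^']*)'")

def parse_report(text):
    """Group wrapped lines into records and parse each record's fields."""
    records = []
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            records.append({"seen": m.group(1), "ip": m.group(2), "raw": m.group(3)})
        elif records and line.strip():
            records[-1]["raw"] += "\n" + line   # continuation of the previous record
    for rec in records:
        rec["data"] = dict(KEY_VALUE.findall(rec.pop("raw")))
    return records

def blockable_destinations(records):
    """(dst_ip, dst_port) for every record that actually names a destination."""
    return [(r["data"]["dst_ip"], r["data"].get("dst_port"))
            for r in records if "dst_ip" in r["data"]]

def without_destination(records):
    """(seen, infection) for records that give no destination address to act on."""
    return [(r["seen"], r["data"].get("infection"))
            for r in records if "dst_ip" not in r["data"]]
```

On the sample, only the conficker entry yields a destination; the zeus entries come back in without_destination, which is exactly the gap the post describes.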


