[tor-talk] Tor and BitCoin miner trojans - perfect pair

David H. Lipman DLipman at Verizon.Net
Fri Apr 26 20:10:00 UTC 2013


From: "Jon" <torance.ca at gmail.com>

> On Fri, Apr 26, 2013 at 2:15 PM, David H. Lipman
> <DLipman at verizon.net> wrote:
>
>> TorVersion Tor 0.2.3.25 (git-17c24b3118224d65)
>> LastWritten 2012-01-24 09:17:26
>>
>> zs5uletlmms6euux.onion
>>
>> Between Tor being used in malware and being used to abuse Usenet, Tor's
>> onion core is rotting.
>>
>> I wonder what OTHER malware I am missing that is using the Tor network to
>> obfuscate the malicious activity.
>>
>> --
>> Dave
>> Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
>> http://www.pctipp.ch/downloads/dl/35905.asp
>>
> I am not sure where you got that date of 1/24/12 for the release of Tor
> 0.2.3.25 at:
>
> TorVersion Tor 0.2.3.25 (git-17c24b3118224d65)
> LastWritten 2012-01-24 09:17:26
>
> however, Roger released Tor 0.2.3.25 on 11/19/12 and posted it on 11/20/12
>
> Jon

It was in the files created by the BitCoin miner trojan.

Specifically, it was contained in:
C:\Documents and Settings\Administrator\Application Data\tor\state.tmp

Complete contents:

# Tor state file last generated on 2012-01-24 10:17:26 local time
# Other times below are in GMT
# You *do not* need to edit this file.

TorVersion Tor 0.2.3.25 (git-17c24b3118224d65)
LastWritten 2012-01-24 09:17:26


-- 
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp 
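
As an added example (not part of the original post, and not Tor's own code): a short Python triage of the state.tmp contents quoted above. It derives the writing host's UTC offset from the header line and checks LastWritten against the release date Jon gives for 0.2.3.25. The function names and the RELEASED table are assumptions made for this sketch.

```python
import re
from datetime import datetime, date

# The state.tmp contents as quoted in the post above.
STATE_TMP = """\
# Tor state file last generated on 2012-01-24 10:17:26 local time
# Other times below are in GMT
# You *do not* need to edit this file.

TorVersion Tor 0.2.3.25 (git-17c24b3118224d65)
LastWritten 2012-01-24 09:17:26
"""

# Release date as stated in Jon's reply (11/19/12); assumption: keyed by version.
RELEASED = {"0.2.3.25": date(2012, 11, 19)}
FMT = "%Y-%m-%d %H:%M:%S"

def parse_state(text):
    """Extract the header's local time, the Tor version and LastWritten (GMT)."""
    out = {}
    m = re.search(r"^# Tor state file last generated on (\S+ \S+) local time",
                  text, re.M)
    if m:
        out["local"] = datetime.strptime(m.group(1), FMT)
    for line in text.splitlines():
        key, _, value = line.partition(" ")
        if key == "TorVersion":
            out["version"] = value.split()[1]   # "Tor 0.2.3.25 (git-...)"
        elif key == "LastWritten":
            out["last_written"] = datetime.strptime(value.strip(), FMT)
    return out

def triage(text, released=RELEASED):
    """Report the host's UTC offset and whether the file predates its Tor release."""
    s = parse_state(text)
    findings = {}
    if "local" in s and "last_written" in s:
        delta = s["local"] - s["last_written"]
        findings["utc_offset_hours"] = delta.total_seconds() / 3600
    rel = released.get(s.get("version"))
    if rel and "last_written" in s:
        written = s["last_written"].date()
        findings["days_before_release"] = (rel - written).days
        # A state file older than the binary that wrote it means a wrong host clock.
        findings["clock_suspect"] = written < rel
    return findings

if __name__ == "__main__":
    print(triage(STATE_TMP))
```
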