Opened 4 years ago

Closed 9 months ago

#13479 closed defect (wontfix)

Malware being served from thetorproject.org and tor-chat.org

Reported by: donncha
Owned by:
Priority: Medium
Milestone:
Component: Archived/operations
Version:
Severity: Normal
Keywords: trademark, violation, phishing, malware, archived-closed-2018-07-04
Cc: mrphs
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Someone has set up a pretty believable copy of the torproject.org site, which provides links to a binary hosted on another malicious domain, tor-chat.org.

Links to this domain are being spread on some .onion forums and on Reddit. I'll update the ticket when I get some more information.

Change History (10)

comment:1 Changed 4 years ago by donncha

Owner: set to phobos
Status: new → assigned

comment:2 Changed 4 years ago by mrphs

Cc: mrphs added

comment:3 Changed 4 years ago by donncha

I've looked at this site a bit more, and it appears to be the same person/group who was running Torbundlebrowser.org a few months ago.

The backdoored tor-chat.org and thetorproject.org binaries both seem to be droppers for the following payload:
https://malwr.com/analysis/MGNmZTg0ZjIwYTQxNDJmMzg4NDJlODg5OTcwNjBhYzM/#

This payload looks to be the same type as the one which was hosted on Torbundlebrowser.org. jvoisin reversed and described it at http://dustri.org/b/torbundlebrowserorg.html. In this case the malware appears to communicate back to a C&C server listening on gbqi75ukulafpnsd.onion:24576, but I haven't investigated this fully yet.

I've reported both domains to Google's malicious website database so hopefully they will be added to the block lists soon.

comment:4 Changed 4 years ago by donncha

Summary: Probable malware being served from thetorproject.org → Malware being served from thetorproject.org and tor-chat.org

comment:5 Changed 4 years ago by mrphs

Reported. Thank you donncha!

Here is some additional info for the record:

sha256sum
==========
e12a8aafa86d2bbcb6631ac3f4d22795e2bc11fa58c4da8ea13450ec0b656ffc
torbrowser-install-3.6.6_en-US.exe_fake

3b8c412a904fda82f941ae20fdacc29238eb4a2c58256f4543d524ade38e80ba
torbrowser-install-3.6.6_en-US.exe_legit

File
=========
torbrowser-install-3.6.6_en-US.exe_fake:
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

torbrowser-install-3.6.6_en-US.exe_legit:
PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS
Windows, Nullsoft Installer self-extracting archive

Stat
=========
File: `torbrowser-install-3.6.6_en-US.exe_fake'
Size: 27336704
Modify: 2014-10-08 20:45:20.000000000 +0000

File: `torbrowser-install-3.6.6_en-US.exe_legit'
Size: 27301724
Modify: 2014-09-26 01:13:27.000000000 +0000

DNS
=========
thetorproject.org.      3600    IN      A       199.59.160.184
thetorproject.org.      3600    IN      NS      ns-canada.topdns.com.
thetorproject.org.      3600    IN      NS      ns-usa.topdns.com.
thetorproject.org.      3600    IN      NS      ns-uk.topdns.com.

CIDR:           199.59.160.0/21
OriginAS:       AS32421
ASN:            BLCC - Black Lotus Communications, US


tor-chat.org.           300     IN      A       111.90.144.114
tor-chat.org.           86400   IN      NS      ns1.ipchina163.com.
tor-chat.org.           86400   IN      NS      ns2.ipchina163.com.

CIDR:           111.90.144.0/21
OriginAS:       AS45839
ASN:            PIRADIUS-AS PIRADIUS NET AS45839, MY

(second one has the same ASN as torbundlebrowser)
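As an added example (not part of the ticket or of any Tor Project code), here is a small Python check for the two signals recorded in the comment above: the SHA-256 of a downloaded installer against the published value, and whether the PE carries a CLR header, which is what `file` reports as "Mono/.Net assembly" for the fake while the genuine installer is an NSIS self-extractor. The hash constant is copied from the ticket; the PE headers in `build_pe32` are constructed test fixtures, not real installers.

```python
import hashlib
import struct

# Published hash of the legitimate installer, copied from the ticket above.
LEGIT_SHA256 = "3b8c412a904fda82f941ae20fdacc29238eb4a2c58256f4543d524ade38e80ba"
COM_DESCRIPTOR = 14  # PE data-directory slot that holds the CLR (.NET) header


def has_clr_header(data: bytes) -> bool:
    """True when the PE carries a CLR header, i.e. what `file` calls a Mono/.Net assembly."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                   # PE32: NumberOfRvaAndSizes at +92, directories at +96
        num_off, dir_off = opt + 92, opt + 96
    elif magic == 0x20B:                 # PE32+: same fields at +108 / +112
        num_off, dir_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    if struct.unpack_from("<I", data, num_off)[0] <= COM_DESCRIPTOR:
        return False                     # directory table too short to hold a CLR entry
    rva, size = struct.unpack_from("<II", data, dir_off + 8 * COM_DESCRIPTOR)
    return rva != 0 and size != 0


def check_installer(data: bytes, expected_sha256: str = LEGIT_SHA256) -> dict:
    """The two checks from the ticket: hash against the published value, and file type."""
    digest = hashlib.sha256(data).hexdigest()
    return {"sha256": digest,
            "hash_matches": digest == expected_sha256.lower(),
            "is_dotnet": has_clr_header(data)}  # a genuine NSIS installer is not a .NET assembly


def build_pe32(with_clr: bool) -> bytes:
    """Constructed minimal PE32 header (not a real installer) used to exercise the checks."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew: NT headers start at 0x80
    nt = bytearray(4 + 20 + 224)                      # signature + COFF header + PE32 optional header
    nt[:4] = b"PE\0\0"
    struct.pack_into("<H", nt, 4 + 16, 224)           # SizeOfOptionalHeader
    struct.pack_into("<H", nt, 24, 0x10B)             # Magic = PE32
    struct.pack_into("<I", nt, 24 + 92, 16)           # NumberOfRvaAndSizes
    if with_clr:                                      # populate slot 14 the way a .NET binary does
        struct.pack_into("<II", nt, 24 + 96 + 8 * COM_DESCRIPTOR, 0x2008, 0x48)
    return bytes(dos + nt)
```

Run `check_installer(open(path, "rb").read())` on a download; a hash mismatch or `is_dotnet == True` on a file claiming to be the Tor Browser installer is the same red flag the comment above documents.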

comment:6 Changed 4 years ago by cypherpunks

Try, try, try as fast as you can.
You’ll never catch me, I’m black sam.
I ran from the nsa and his bitch fbi too.
You’ll never catch me, not any of you.

Then came the pigs and jakey and rogey.
Who joined in the buttsex around the square.
They were all stupid and ready to eat,
But that black sam was too quick on his feet.

Try, try, try as fast as you can.
You’ll never catch me, I’m black sam.
I ran from the nsa and his bitch fbi too.
You’ll never catch me, not any of you.

comment:8 Changed 4 years ago by isis

Component: general → operations
Owner: phobos deleted

While I'm not entirely certain what the best course of action would be for containing the spread of this malware, I am certain that phobos' account doesn't exist anymore (#15896), so I'm deleting his ownership of this ticket. Also, recomponentising as "operations" since the (only?) course of action is probably some legal/trademark measure.

comment:9 Changed 4 years ago by isis

Status: assigned → new

comment:10 Changed 16 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

comment:11 Changed 9 months ago by teor

Keywords: archived-closed-2018-07-04 added
Resolution: wontfix
Status: new → closed

Close all tickets in archived components
