Opened 8 years ago

Closed 7 years ago

#2516 closed task (wontfix)

Examine TurnRight's packages for malware

Reported by: rransom
Owned by: ioerror
Priority: High
Milestone:
Component: Company
Version:
Severity:
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


A Chinese blogger who calls himself/herself/itself 'TurnRight' has produced two packages containing Tor, which he/she/it has named 'EasyTor' and 'TorPack'. They are definitely not safe to use (the latest releases of both contain versions of Tor before that are now believed to be remotely exploitable), they definitely infringe The Tor Project's trademark, and at least TorPack infringes The Tor Project's copyright as well (I did not find the Tor license in it with a fairly thorough search).

We should have these packages examined for malware, as the Chinese government and its accomplices have previously distributed repackaged versions of popular software that include malware and used targeted malware to attack groups which China opposes.

Change History (6)

comment:1 Changed 8 years ago by rransom

I retrieved both packages through Tor today; their SHA-256 hashes are:

6bc84acc63b0888075c3cc8cf3cc8f0e90509e17ddfb349d80e939dedd1fa0e9  EasyTor.v0.2.1.25-0.2.7.exe

comment:2 Changed 8 years ago by ioerror

Can you attach the software here?

comment:3 in reply to:  2 Changed 8 years ago by rransom

Replying to ioerror:

> Can you attach the software here?

No. EasyTor is about 9 MB; TorPack is about 10 MB.

comment:4 Changed 8 years ago by rransom

TurnRight's blog is at Currently, his TorPack and EasyTor posts are on the first page of that blog, but the direct links to those posts are and To download one of those packages, click on the link in the post, click on the name of the file, and then click on the big icon. You do not need to accept cookies in order to download the file.

comment:5 Changed 8 years ago by mikeperry

Have we tried uploading them to I would recommend against using their URL form, because if TurnRight sees a virustotal IP in his logs, he might change something...

We may also have to extract his zips first..

Of course, he could have already done this and tailored his malware to have no hits, but worth a shot as a first thing to try.
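
The triage step discussed in comments 1 and 5, as an added example that is not part of the ticket or any Tor Project code: hash a retrieved sample and every member of its zip in memory, so the copy being examined can be checked against a recorded SHA-256 before anything is uploaded to a scanner. The sample archive, its file names and the size and depth limits are constructed assumptions.

```python
import hashlib
import io
import zipfile

MAX_MEMBER_BYTES = 64 * 1024 * 1024  # assumed cap: skip members that inflate past this
MAX_DEPTH = 3                        # assumed cap on nested archives


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_recorded(data: bytes, recorded_hex: str) -> bool:
    # True only if the sample is byte-identical to the one whose hash was recorded.
    return sha256_hex(data) == recorded_hex.strip().lower()


def inventory(name: str, data: bytes, depth: int = 0) -> list:
    """Return (path, sha256 or None, note) for the sample and each zip member, in memory."""
    rows = [(name, sha256_hex(data), "")]
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return rows
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = f"{name}!{info.filename}"
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted member: contents unreadable
                rows.append((path, None, "encrypted"))
            elif info.file_size > MAX_MEMBER_BYTES:
                rows.append((path, None, "too large"))
            else:
                rows.extend(inventory(path, zf.read(info), depth + 1))
    return rows


def build_constructed_sample() -> bytes:
    """Constructed stand-in for a downloaded package: a zip holding a zip."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("tor.exe", b"constructed inner payload")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("README.txt", b"constructed readme")
        zf.writestr("bundle.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for row in inventory("sample.zip", build_constructed_sample()):
        print(row)
```

Nothing is written to disk or executed; members that are encrypted or exceed the cap are listed without a hash so they can be handled separately.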

comment:6 Changed 7 years ago by rransom

Resolution: wontfix
Status: new → closed