Ben Laurie blathering

Tor Goes Mainstream!

I got a spam today:

Do you trade files online? Then they will come after you. If the RIAA
finds you they will come after you. Tor eliminates the trail that leads
to you. Get this software now and stay safe: http://xx.yy.zz.ww/

This leads to a fake Tor page inviting you to download … who knows what? Something bad I haven’t bothered to analyse yet.

But the interesting point is this: if Tor is worth targeting for your Trojans, then Tor has entered popular culture. Which rocks.


  1. It looks like the “something bad” is a downloader for the Storm botnet.

    Comment by Nick Mathewson — 6 Sep 2007 @ 18:49

  2. The only good news about this being Storm is that this gang moves on pretty fast, they were sending out the “you have received an ecard” spam in early August, then a week or so back it was “thank you for joining” with a login and password…

    So it will be something else next week 🙁

    Comment by Richard Clayton — 7 Sep 2007 @ 0:38

  3. Not necessarily. This same “spam” template has been used countless times before to push other “helpful” malware. In this instance, spammers happened to use a brand/name that is recognizable to geeks/nerds/et alii. But would you make the same argument regarding entrance into popular culture about “Download Anonymizer OMGZBBQSAUCE ver2.0” since that was pushed in another spam message?

    Comment by Anonymous Coward — 7 Sep 2007 @ 2:29

  4. […] Ben Laurie has funny comments here [ Link ]; f-secure has a writeup here [ Link ]. […]

    Pingback by Second Life Loser » Blog Archive » Beware wolf dressed in Tor’s clothing: new rash of malware — 7 Sep 2007 @ 10:43

  5. […] Ben Laurie, amongst others, has pointed out that this attack shows that Tor must have a good reputation for it to be considered worthwhile to impersonate. So while dealing with this incident has been tedious, it could be considered a milestone in Tor’s progress. It has also generated some publicity on a few blogs. Tor has long promoted procedures for verifying the authenticity of downloads, and this attack justifies the need for such diligence. […]

    Pingback by Light Blue Touchpaper » Analysis of the Storm Javascript exploits — 7 Sep 2007 @ 23:43
