[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Phishy

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] Phishy
From: Jesse Victors <jvictors@xxxxxxxxxxxxxxxx>
Date: Mon, 03 Feb 2014 15:19:45 -0700
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 03 Feb 2014 17:19:57 -0500
In-reply-to: <mailman.9437.1391465418.2610.tor-relays@xxxxxxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <mailman.9437.1391465418.2610.tor-relays@xxxxxxxxxxxxxxxxxxxx>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0

> FYI: Just got this to my Tor relay mail address, with a zip file
> attached extracting to a '.scr' win exe. Curiously routed via a .gov.uk
> mail relay...
>
> GB03022014.scr: PE32 executable (GUI) Intel 80386, for MS Windows
>
> MD5: dba1e52929f6ca9d1a1bf87e4ff469cf  GB2546241.zip
> MD5: fb1141494829b144b0075035022cfbb9  GB03022014.scr
>
> Samples available on request. Full mail headers attached.
I read Jurre's analysis, but I disagree. I could be mixing this up with
something else, but if I recall correctly, that screensaver Trojan Horse
trick was one method by which the government was de-anonymizing Tor
users, though I don't recall the exact name of this attack vector. Your
IP of your relay is public of course, but if you opened that a
location/identity that you wanted to stay hidden, in my opinion I would
consider that to be compromised.

Thanks for the report.

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Prev by Author: Re: [tor-relays] External connections to port 9050
Next by Author: Re: [tor-relays] Effects of Rebooting?
Previous by thread: Re: [tor-relays] Phishy
Next by thread: [tor-relays] http://torstatus.blutmagie.de/
Index(es):
- Author
- Thread