
Re: [tor-relays] WannaCry fallout FYI



On 15/05/2017 09:38, Roger Dingledine wrote:
> On Mon, May 15, 2017 at 09:17:33AM +0200, Cristian Consonni wrote:
>>> | https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
>>
>> Was the increased number of downloads from the malware visible from the
>> logs?
> 
> I looked, and there were a few hundred downloads per day. It didn't
> look like a huge number. Maybe people misread the code, or maybe there
> aren't actually that many infections and all the "threat intelligence"
> companies want to keep talking about it anyway, or who knows.

Interesting. In fact, I thought that downloading the whole browser seemed
to be not so smart, surely there are better ways to connect
programmatically to the tor network.

To my untrained eye, this malware seems to be both clever
(self-replication) and dumb (kill switch, downloading the browser) at
the same time.

> But the low number of downloads, plus the fact that folks said they'd
> disabled the ransomware component (by registering the domain it checked),
> plus the fact that I hadn't investigated the worm code to figure out if
> it did anything surprising when the URL is disabled, made me decide to
> leave it alone.

Very reasonable.

Thanks for the info.

Cristian
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays