Re: Odd tor spam - Storm Worm
Hi Dave. :-)
My favorite quote of the day:
"But the interesting point is this: if Tor is worth targeting
for your Trojans, then Tor has entered popular culture. Which
rocks."
http://www.links.org/?p=251
Cheers,
- ferg
-- Dave Jevans <djevans@xxxxxxxxxxx> wrote:
Good write-up of the Tor Storm Worm variant at the F-Secure blog
http://www.f-secure.com/weblog/#00001272
For those not tracking the Storm Worm... this has been one of the
most prolific worms of recent months. It's the same thing behind the
fake YouTube emails, e-greeting card infections and the various
"account confirmation" attacks (e.g. online gambling account
confirmation), etc.
More about storm
http://en.wikipedia.org/wiki/Storm_Worm
http://it.slashdot.org/it/07/08/26/1558245.shtml
>>>>>
hi all,
I've just received a really odd spam which tries to "educate" about the use of
Tor as an attack vector.
Here's the body of the mail (turn off javascript before trying to visit
that link ;-) ):
-8<-8<-8<-
Do you trade files online? Then they will come after you. Read the news on
RIAA and what they are doing to everyone they find. Tor will keep them
from finding you. Keep the internet private and down load our program for
free. <a
href="http://69.255.111.145/">Download Tor</a>
-8<-8<-8<-
A quick "strings" on their version of tor.exe shows something like
"RealShellExecuteA" and similar stuff.