A fake version of The Onion Router (Tor) website is distributing malware.
According to research, the website is an almost perfect copy of the original website, except for the download link, and also the donation one, replaced by a Bitcoin address. Downloading the software though includes an executable file named “torbrowser-install-3.6.3_en-US.exe”, which is a .NET executable.
After some analysis and decryption, it was revealed that the command and control protocol runs on Tor. According to Net Security, it was discovered is that the malware can be commanded to download and upload files, update itself, make screenshots, execute system commands, reboot and restart, upload directories and get drives, and launch new connections. Also the Bitcoin downloads go to the botmaster than the Tor project.
According to researcher Julien Voisin, the botmaster said that they are a small group trying to catch paedophiles by spreading the link to the fake website on message boards, adding that one paedophile was already reported to the Canadian Centre for Child Protection’s tipline, but he doubted the story, as “the miscreant not only shipped a malware instead of the real TBB, but also replaced the donation page with his own BTC address”.
Fred Touchette, manager of security research at AppRiver, said: “This is a pretty common tactic employed by scammers and malware authors. By simply copying the code from a real site, they can make a couple of changes, often changing out links for malicious ones, and victims will often remain unaware. In this case the bad guys are attempting to perhaps entice a specific crowd by mimicking the Tor download site. The real Tor, which has been in the news a lot lately, is built with internet anonymity in mind.
“Perhaps in a post-Snowden landscape cyber criminals feel as though this has become a much more popular place thereby a fertile potential target market. The site has already been suspended though, so there will be no more future infections and it’s currently hard to tell how many people fell victim to this ruse.
“As far as the trap for paedophiles bit, I don’t trust what anyone on the internet tells me, especially when they’re delivering malware.”
Lamar Bailey, head of security research and development at Tripwire, said: “The malware is pretty powerful allowing the person with command and control to upload and download files, take screenshots, and execute commands. This could be an attack being carried out by law enforcement because the link to the fake Tor is reportable being disturbed on sites and forums cater to illegal actives and content.”
