[tor-relays] Phishy

Jesse Victors jvictors at jessevictors.com
Mon Feb 3 22:19:45 UTC 2014


> FYI: Just got this to my Tor relay mail address, with a zip file
> attached extracting to a '.scr' win exe. Curiously routed via a .gov.uk
> mail relay...
>
> GB03022014.scr: PE32 executable (GUI) Intel 80386, for MS Windows
>
> MD5: dba1e52929f6ca9d1a1bf87e4ff469cf  GB2546241.zip
> MD5: fb1141494829b144b0075035022cfbb9  GB03022014.scr
>
> Samples available on request. Full mail headers attached.

I read Jurre's analysis, but I disagree. I could be mixing this up with
something else, but if I recall correctly, that screensaver Trojan Horse
trick was one method by which the government was de-anonymizing Tor
users, though I don't recall the exact name of this attack vector. Your
relay's IP is public of course, but if you opened that at a
location/identity that you wanted to stay hidden, in my opinion I would
consider that to be compromised.

Thanks for the report.
