Odd tor spam - Storm Worm

Dave Jevans djevans at ironkey.com
Fri Sep 7 02:39:36 UTC 2007


Good write-up of the Tor Storm Worm variant at the F-Secure blog

http://www.f-secure.com/weblog/#00001272


For those not tracking the Storm Worm... this has been one of the
most prolific worms of recent months.  It's the same thing behind the
fake YouTube emails, e-greeting card infections and the various
"account confirmation" attacks (e.g. online gambling account
confirmation), etc.


More about storm
http://en.wikipedia.org/wiki/Storm_Worm

http://it.slashdot.org/it/07/08/26/1558245.shtml

>>>>>

Hi all,
I've just received a really odd spam which tries to "educate" on the use of
Tor as an attack vector.
Here's the body of the mail (turn off JavaScript before trying to visit
that link ;-) ):

-8<-8<-8<-
Do you trade files online? Then they will come after you. Read the news on
RIAA and what they are doing to everyone they find. Tor will keep them
from finding you. Keep the internet private and down load our program for
free. <a
href="http://69.255.111.145/">Download Tor</a>
-8<-8<-8<-

A quick "strings" on their version of tor.exe shows something like
"RealShellExecuteA" and similar stuff.



