Botmaster tried to convince that they were catching offenders

Aug 13, 2014 15:39 GMT

A security researcher found a fake Tor Browser Bundle that contained malware and reverse engineered his way to communicating with the botmaster for a while.

The conversation went amiably, with the botmaster expressing curiosity about how the visitor had managed to find the website and congratulating him on the disassembly job. From the sample available, one would think two friends were talking code, if it weren’t for keywords such as “malware.”

After being tipped off by a friend about a clone of the Tor Project website, Julien Voisin, a French computer science student, started to reverse engineer the package that purported to deliver access to the Tor (The Onion Router) anonymity network.

The clone impersonated the original almost to the pixel, the only difference being the announcement list. An unsuspecting user landing on the fake page could easily fall into the trap unless they paid attention to the domain (torbundlebrowser.org), which had also been chosen to be deceptive.

At the moment it has been taken offline, but the cybercriminals operating it may regroup, and the page could reappear on a different domain.

Analyzing the fake website, Voisin noticed that the donation link had been replaced with a Bitcoin address, and that a different package was offered for download.

He proceeded to dissect the package, observing signs of protected payloads, and found that the authors ran commands through the Windows Command Prompt and checked that the malware was not being executed in a sandbox.

Digging deeper into the fake package, Voisin succeeded in contacting the command and control server and initiated a conversation with the individual at the other end.

Voisin said that the botmaster tried to deceive him by claiming that they were a small group (possibly from China) trying to catch pedophiles. To achieve this goal, they said, the link to the fake website was spread on boards known to be frequented by this type of offender.

To make their story more believable, the botmaster said that one offender had already been reported to cybertip.

However, apart from the presence of malicious code in the package, there was also the donation page, which had been modified to point to a Bitcoin address. If this had been legitimate law enforcement activity, that page should not have been tampered with.

Among the capabilities of the malware discovered by Voisin were file downloading, updating the package, taking screen grabs, uploading data, rebooting the system and restarting the malicious software.

Fake Tor website (2 images): Snippet from the conversation with the botmaster; Fake Tor project website