First spotted by French security researcher Florent Daigniere and detailed in full by computer science student Julien Voisin in a blog post, the website looks virtually the same as the original Tor website, except that the copied version offers suspicious links to download the software and a Bitcoin address.
The text and layout are almost the same, save for the updates section on the right-hand side.
Voisin said that he downloaded the alleged Tor Browser Bundle (torbrowser-install-3.6.3_en-US.exe) before reverse-engineering the malware using the ILSpy debugger. He found various encrypted payloads.
Once installed, the malware could transfer files, update itself, grab screenshots, execute system commands, upload a file or even reboot the system. Voisin even spoke to the botmaster.
“She/he told me that they are a small group (maybe from China) trying to catch paedophiles; by spreading the link to the fake website on pedo-boards, adding that one paedophile was already reported to cybertip (Canadian Centre for Child Protection's tipline),” he said.
“I'm not convinced, since the miscreant not only shipped a malware instead of the real TBB, but also replaced the donation page with his own BTC address.”
Speaking to SCMagazineUK.com via email earlier today, Voisin said that Tor users had also been made aware of the fake page on the IRC channel. He added that while the download link pointed to the malware, the donate link took the user to ‘some dodgy bitcoin wallet’ rather than the Tor donation webpage.
But he suggests that few will reach the site as it is not well-publicised. “Since the website's address is not that much ‘public’, there is little chance that someone stumbles upon it. But once one is on it, it's tricky to see that it's not the genuine one if you're not paying attention.”
The threat actor is likely an amateur too, he suggests. “Its code is mostly clean and well-written, but this is not the work of a state nor a sophisticated professional black hat group.”
Tom Cross, director of security research at Lancope, said in an email to SCMagazineUK.com that the attack illustrates how cyber-criminals can hide botnet command and control (C&C) infrastructure behind Tor. He noted, however, that pursuing such infrastructure is difficult for security researchers, since compromising a C&C server would violate the Computer Fraud and Abuse Act.
“This example illustrates three points simultaneously – the fact that websites are not always what they appear to be, the fact that criminals can hide botnet command and control infrastructure behind Tor, and the fact that botnet command and control infrastructure is sometimes insecure and is subject to being attacked by malware investigators.”
He added: “The latter point is the most interesting from my perspective. If you compromised this command and control server you could determine its location even though it is running behind Tor; however, such an attack would violate the Computer Fraud and Abuse Act. Should anti-malware researchers be able to launch attacks against malware command and control systems? Under what circumstances? This is a real world example that demonstrates that these questions are not hypothetical musings.”
Lance Cottrell, founder and chief scientist of Anonymizer.com – a service which predated the Tor Project – told SC in an email that the attack was not that sophisticated.
“Torbundlebrowser.org appears to be an amateur attack. It is a fairly standard website cloning attack using a domain that would be a likely type-in or a high Google search result.”
“The fact that the attacker changed the donation link to their own bitcoin suggests criminal rather than intelligence community intent - a national intelligence service would have hidden the malware better, and would have left the donation link intact to reduce the odds of detection.”
He added: “This is an example of a real and serious vulnerability in security software. If the user can be tricked into downloading and using a compromised version of the software then all future communications will be completely compromised.
“Few users take the time to check that their software is sourced from the real website, and that any cryptographic signatures are correct. This is why there is a big push towards closed ‘app stores’ where the software can be checked and automatically authenticated.”
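The check Cottrell describes, verifying that a downloaded installer matches what the publisher actually shipped, is short enough to script. The following is an added example written for this article, not code from the Tor Project or from any of the people quoted. It assumes the publisher distributes a checksum list in the `<sha256 hex digest>  <file name>` layout produced by sha256sum and a detached GPG signature; the file names, the stand-in installer bytes and the tampered copy are all constructed for the demonstration. A cloned site can of course publish checksums that match its own trojanised build, which is why the checksum list only means something when its signature also verifies against a key obtained independently of the download site; the `gpg_verify` helper reports "not checked" rather than "verified" when no gpg is available.

```python
"""Verify a downloaded installer against a published checksum list.

Added example, not part of the article. File names and the checksum-list
layout ('<hex digest>  <file name>', as written by sha256sum) are assumptions.
"""
import hashlib
import hmac
import os
import shutil
import subprocess
import tempfile


def parse_sha256sums(text):
    """Parse lines of the form '<64 hex chars>  <name>' into {name: digest}.

    Lines that do not fit the format are ignored, never trusted. A leading
    '*' on the name (sha256sum's binary-mode marker) is stripped.
    """
    sums = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        digest = digest.lower()
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            sums[name.lstrip("*")] = digest
    return sums


def sha256_of_file(path):
    """Stream the file through SHA-256 so large installers need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, sums):
    """Return True only if the file's digest matches the published one.

    A file that is absent from the list fails; silence is not a pass.
    """
    expected = sums.get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_file(path), expected)


def gpg_verify(sig_path, target_path):
    """Check a detached signature with the local gpg, if one is installed.

    Returns None when gpg is unavailable so the caller can report 'not
    checked' instead of treating the download as verified. The signing key
    must already be in the keyring; this function deliberately fetches nothing.
    """
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    result = subprocess.run([gpg, "--verify", sig_path, target_path],
                            capture_output=True)
    return result.returncode == 0


def demo():
    """Constructed scenario: a genuine bundle, then a tampered copy of it.

    Returns (genuine_passes, tampered_passes); expected (True, False).
    """
    genuine = b"constructed stand-in for torbrowser-install-3.6.3_en-US.exe"
    tampered = genuine + b" plus an injected payload"
    with tempfile.TemporaryDirectory() as d:
        bundle = os.path.join(d, "torbrowser-install-3.6.3_en-US.exe")
        with open(bundle, "wb") as f:
            f.write(genuine)
        # The publisher's list, constructed here from the genuine bytes.
        sums = parse_sha256sums(
            "%s  torbrowser-install-3.6.3_en-US.exe\n" % sha256_of_file(bundle))
        genuine_passes = verify_download(bundle, sums)
        with open(bundle, "wb") as f:
            f.write(tampered)
        tampered_passes = verify_download(bundle, sums)
        return genuine_passes, tampered_passes


if __name__ == "__main__":
    print("genuine passes, tampered passes:", demo())
```

`hmac.compare_digest` is used for the final comparison so the check does not leak timing information about how many leading digest characters matched; it costs nothing here and is the habit worth keeping wherever digests are compared.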