Not much actual information, but it's nifty that bitcoin-mining malware is maybe using Tor hidden services for command and control. -------- Forwarded Message -------- From: Zebro kojos <zebro.kojos@gmail.com> Reply-to: tor-talk@lists.torproject.org To: tor-talk@lists.torproject.org Subject: Re: [tor-talk] vwfws4obovm2cydl.onion ?? Date: Sat, 23 Jun 2012 16:26:32 +0300 So from what it seems, the malware included a bitcoin miner that perhaps is to report found blocks / sub-hashes (? is that a term; i.e. if it works in a mining pool) to a server, perhaps this site in question. On Sat, Jun 23, 2012 at 4:06 PM, David H. Lipman <DLipman@verizon.net>wrote:

From: "grarpamp" <grarpamp@gmail.com>

Anbody have any information on; vwfws4obovm2cydl.onion ?

...

...

You must have obtained the address from somewhere. So what did the ad copy or context associated with it say?

1. It was harvested from malware which dropped a file; hostname.tmp which contained the name; vwfws4obovm2cydl.onion

2. It contained a script file named; poclbm120222.cl // -ck modified kernel taken from Phoenix taken from poclbm, with aspects of // phatk and others. // Modified version copyright 2011-2012 Con Kolivas

// This file is taken and modified from the public-domain poclbm project, and // we have therefore decided to keep it public-domain in Phoenix.

3. It contained the file; private_key.tmp which contains certificate keys

4. It contained the DLLs; pthreadGC2.dll, libpdcurses.dll, libcurl-4.dll

-- Dave Multi-AV Scanning Tool - http://multi-av.thespykiller.**co.uk<http://multi-av.thespykiller.co.uk>

http://www.pctipp.ch/**downloads/dl/35905.asp<http://www.pctipp.ch/downloads/ dl/35905.asp>

______________________________**_________________ tor-talk mailing list tor-talk@lists.torproject.org

https://lists.torproject.org/**cgi-bin/mailman/listinfo/tor-**talk<https://li sts.torproject.org/cgi-bin/mailman/listinfo/tor-talk>

_______________________________________________ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk -- Sent from Ubuntu [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]