----- Forwarded message from mirimir <mirimir@riseup.net> -----

Date: Mon, 09 Sep 2013 07:13:33 +0000
From: mirimir <mirimir@riseup.net>
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Many more Tor users in the past week?
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8
Reply-To: tor-talk@lists.torproject.org

This <http://blog.trendmicro.com/trendlabs-security-intelligence/the-mysterious-mevade-malware/> explains the Israel anomaly, I think.
The Mysterious Mevade Malware
Published on September 5th, 2013
Written by: Feike Hacquebord (Senior Threat Researcher)
...
Yesterday, Fox-IT published evidence for this plausible explanation. The Mevade malware family downloaded a Tor component, possibly as a backup mechanism for its C&C communications. (We will release a second blog post describing in more detail the behavior of the Mevade variants we have encountered.)
Feedback provided by the Smart Protection Network shows that the Mevade malware was, indeed, downloading a Tor module in the last weeks of August and early September. Tor can be used by bad actors to hide their C&C servers, and taking down a Tor hidden service is virtually impossible.
The actors themselves, however, have been a bit less careful about hiding their identities. They operate from Kharkov, Ukraine and Israel and have been active since at least 2010. One of the main actors is known as “Scorpion”. Another actor uses the nickname “Dekadent”. Together, they are part of a well organized and probably well financed cybercrime gang.
...

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
----- End forwarded message -----

--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5