[Tor2web-talk] Fwd: Trojan Detected - Please Shut Down! tor2web.org

Thu May 19 17:08:08 CEST 2016

eqrvbczir5ua2emd is a Locky payment site.

Attached is a list of all the malware hidden service names we are tracking.

On Thu, May 19, 2016 at 9:42 AM, Virgil Griffith <i at virgil.gr> wrote:

> This needs to be blocked.  Otherwise tucows will take away the tor2web.org
> domain.
>
> ---------- Forwarded message ----------
> From: *Paul Karkas* <pkarkas at tucows.com>
> Date: Thursday, 19 May 2016
> Subject: Fwd: Trojan Detected - Please Shut Down! tor2web.org
>
>
>
>  Hello;
>
>
> Please note that there is active malware on your site located at
>
>
> http://eqrvbczir5ua2emd.tor2web.org/
>
>
> This may be due to an exploit , would you kindly remove the link and let
> me know so we can put this issue to rest?
>
>
> Thank you.
>
>
> http://en.wikipedia.org/wiki/malware
>
> Since you are using Tucows whois privacy, I would kindly ask that you
>
> let me know how you will respond to this inquiry.
>
>
> Should you not respond to this email within 48 hours, or provide
>
> Tucows/Contactprivacy indication that you will respond to the inquiring
>
> party, Tucows/Contactprivacy may act to remove or reveal the
>
> proxy/privacy services on your domain, as per the terms and conditions
>
> of the ContactPrivacy service:
>
> see https://www.opensrs.com/docs/contracts/exhibita.htm
>
>
> Section 33. WHOIS PRIVACY SERVICE
>
>
> "g. Right to Suspend and Disable. We shall have the right, at our sole
>
> discretion and without liability to you or any of your Contacts, suspend
>
> or cancel your domain name and to reveal Registrant and Contact Whois
>
> Information in certain circumstances"
>
>
> Thank you.
>
>
> Paul Karkas
>
> Compliance Officer OpenSRS
>
> Tucows Inc.
>
> paul at opensrs.org
>
> 416-535-0123 ext 1625
>
> Direct line 416-538-5458
>
> 1-800-371-6992
>
>
>
> Paul Karkas
>
> Compliance Manager OpenSRS
>
> Tucows Inc.
>
> paul at opensrs.org
>
> 416-535-0123 ext 1625
>
> Direct line 416-538-5458
>
> 1-800-371-6992
>
> Fax416-531-2516
>
> fax416-531-2516
>
>
> -------- Forwarded Message --------
> Subject: Trojan Detected - Please Shut Down! - [BBVA - E2142429] -
> 38.229.70.4
> Date: 19 May 2016 14:20:02 +0300
> From: RSA Anti-fraud Command Center <afcc at rsa.com>
> To: pkarkas at tucows.com
>
> BBVA - E2142429
>
> To whom it may concern:
>
> RSA, The Security Division of EMC (“RSA”), an information security
> company, has detected and verified that a Malware (as defined below)
> program is being propagated from a server which is associated with the
> following URL:
>
> (the “Designated Site”)
>
> From our review, it is our understanding that you operate the Designated
> Site and that it is, therefore, under your control.
>
> For the purposes of this letter, “Malware” means any software applications
> or executables that perform actions unanticipated by and without the
> consent of the person running the software. Malware is distributed via many
> mechanisms including, but not limited to: email attachments; content
> injection such as cross site scripting; exploiting security vulnerabilities
> in operating systems and other software; and/or insertion into downloadable
> software. Malware is designed, among other things, to misappropriate
> personal data in order to engage in fraudulent transactions using that
> data, and/or to compromise and co-opt an end-user’s networked computer; all
> for the purpose of performing illegal or improper acts such as
> misappropriating funds; carrying out denial of service attacks; and sending
> unsolicited mass emails.
>
> For your information, we have analyzed the specific Malware and enclose a
> file, which includes:
>
>    - Malware name: *Ransom*
>    - Description:Ransomware is computer malware which holds a computer
>    system, or the data it contains, hostage against its user by demanding a
>    ransom for its restoration.
>    http://www.symantec.com/connect/node/1618951
>    - http://eqrvbczir5ua2emd.tor2web.org/
>
> This file also details the method by which it appears that the Malware is
> downloaded to a victim’s computer.
>
> In this instance, it is our belief that the specific purpose of the
> Malware is to misappropriate account credentials and identity information
> from the customers of one or more financial institutions in order to access
> their bank accounts fraudulently.
>
> *Therefore, we request that you immediately take all actions necessary to
> disable and remove this Malware from the Designated Site.*
>
> We specifically would ask that you also take the following actions: *Please
> provide us with a tar/zip file of all the content located under the
> Malware's path (including hidden files)*, so that we may analyze it to
> help prevent further attacks. If any customer data has been captured that
> is stored on your systems or equipment, please send us that data so that
> the customers to whom that data relates can be notified and take steps to
> protect their credit. Please provide a copy of any records you maintain
> that indicate the name, contact information, method of payment or similar
> information that may be useful in helping learn about the identity and
> location of the customer for whom the website has been operated.
>
> We would appreciate your email confirmation that the source of the Malware
> infection has been disabled.
>
> We understand that you may not be aware of the above described improper
> use of the Designated Site and we thank you for your cooperation in the
> prevention of fraudulent online activity. The foregoing is without
> prejudice to any and all rights and remedies of any financial institution
> impacted by the improper use of the Designated Site, which rights and
> remedies are hereby expressly reserved.
> If you need further information, please do not hesitate to contact RSA at
> the numbers below.
>
> Sincerely,
> RSA SECURITY INC.
>
> *RSA Anti-Fraud Command Center*
> Tel: +44 (0)800-032-7751 (UK)
> Tel: +1-866-408-7525 (US)
> E-mail: afcc at rsa.com
>
>
> _______________________________________________
> Tor2web-talk mailing list
> Tor2web-talk at lists.tor2web.org
> https://lists.ghserv.net/mailman/listinfo/tor2web-talk
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ghserv.net/pipermail/tor2web-talk/attachments/20160519/0f8b00fc/attachment.html>
-------------- next part --------------
['t2upiokua37wq2cx', '4xau3z5os5byevya', 'kb63vhjuk3wh4ex7', 'fwgrhsao3aoml7ej', 'hyu2ni73qbucih2m', 'o7zeip6us33igmgw', '23bteufi2kcqza2l', 'pf3tlgkpks7pu7yr', '3qwajq5p5pfsi3sw', '6qe7iwjh6fz7ipyj', 'beedqybvjehzlud5', 'jssestaew3e7ao3q', 'incogugncmfkib6s', 's2o757cbk5xw4pad', 'rp4roxeuhcf2vgft', '7vhbukzxypxh3xfy', 'yycqx6ay5oedto5f', 'qp4xhrnjuzq6glwx', 'hw5qrh6fxv2tnaqn', 'a5xpevkpcmfmnaew', 'h36fhvsupe4mi7mm', 'evkid7zszfcrimgo', 'ghscjen32hejrbjy', 'szlvj5va4ey3vnfd', 'bcn5w6eqglytlnnn', 'zaxseiufetlkwpeu', 'twbers4hmi6dx65f', '4elcqmis624seeo7', 'whwxanmtcntjgnwc', 'lclebb6kvohlkcml', '5qgerbbyhdz5bwca', 'f2d2v7soksbskekh', 'xvha2ctkacx2ug3b', 'vgresgrweu5vpucb', 'czc57cr2pn3zfn4b', 'x2h6roismjroam63', 'yhc266qdppkt7bie', 'svcz25e3m4mwlauz', 'hggbfghojyece6qd', 'elv5ydgjdcyaaux7', 'h63rbx7gkd3gygag', 'iet7v4dciocgxhdv', '33p5mqkaj22irv4z', 'h34lvzkn42mtovic', '7ziwuw5b2pbezpuy', 'gvgfgt5dibj67dsg', 'ayh2m57ruxjtwyd5', '5ibpimzptwzjgbny', 'mango7u3rivtwxy7', 'u6nq72amuvkzqgyw', 'qmu7bm3cjfbux5xg', 'humapzcmz744fe7y', 'zem6b3aofh2ysehq', 'tisoyhcp2y52ioyk', 'de2nuvwegoo32oqv', 'clkk2rppw26syjgg', 'omi62yc6jtsd2q37', 'j2pjkgrlaopysagn', '4ptyziqllh5iyhx4', '5kiuc45pat3qr6gd', 'twbers4hmi6dc65f', 'javajvlsworf3574', 'ca4hcqqkaeadcenw', 'crptcj7wd4oaafdl', '3wzn5p2yiumh7akj', '5tszrpywjwri6hmt', 'um6fsdil5ecma5kf', 'ho7rcj6wucosa5bu', 'i6rgah3ox5hyoe3v', 'qtrudrukmurps7tc', 'o3qz25zwu4or5mak', 'rj2bocejarqnpuhm', 'xlowfznrg4wf7dli', 'm2coftkce5g4gyza', 'pbhi2lvgo5y6leh3', 'bbsqfujyiblsrygu', 'zpr5huq4bgmutfnf', '44l6tamp6og2p755', 'onja764ig6vah2jo', 'pc35hiptpcwqezgs', 'emmooey2tt2joh3s', 'ukzo73z4inzpenmq', 'brk7tda32wtkxjpa', 'athenabeicoxjr2l', '65y3g34c4zk3xkh2', 'decrypttozxybarc', 'bzr3zdzaitb3cruf', 'bnsjwaf4nc2xd4c4', 'ndvgtf27xkhdvezr', 'ruqa62d2kwna64hx', '5dpgl7ulnr73k63a', 'vfpukzlx5e3w7bpv', 'uw2kdu43jtxssofz', 'zoqowm4kzz4cvvvl', 'mwyigd4n52mkbyhe', 'w3hysz3ewytv6efh', 'strj3ya55r367jqd', 'bn6ivudjjf2txwcp', 'yuwurw46taaep6ip', '3afd57c4dchzp3pe', 'eyy4qqf324ojjctw', 'chngvdetu6isyfoz', 'ggvvwt7u6b3qaicm', 'zbqxpjfvltb6d62m', 'qkcayskvimz3p3vg', 'oxbl66hlnt6ujajl', '4sfxctgp53imlvzk', 'cypherxffttr7hho', 'qj2n3eebuuwvt7ju', '6dtxgqam4crv6rr6', '66bkuneu3hkgqpqf', 'idxcgov7x3dl552g', 'tmc2ybfqzgkaeilm', 'esyw3fvlmnxekebh', 'myx7pt2xtsp3sjyg', 'qbstdn6k7iivyki2', 'hlvumvvclxy2nw7j', 'pf5dahldauhrjxfd', 'iupfnqg2uaigwoei', '4lpwzo5ptsv6a2y5', 'lctoszyqpr356kw4', 'wypwtzc2kaceyufw', 'crptbfoi5i54ubez', 'bmacyzmea723xyaz', 'cld7vqwcvn2bii67', 'l7gbml27czk3kvr5', 'jsrgmlud44wtvyfj', '45k4h4kei56wiozx', 'v2aahgcan6ed564p', 'sgqjml3dstgmarn3', 'bc3ywvif4m3lnw4o', 'paytordmbdekmizq', 'djdkduep62kz4nzx', 'y46nzcjjg3g5dzrq', 'vacdgwaw5djp5hmu', 'iq3ahijcfeont3xx', '43qzvceo6ondd6wt', 'grams7enufi7jmdl', 'wdthvb6jut2rupu4', '4tsur32luets6fhe', '2c3j26kq6w4ec667', 'tj2es2lrxelpknfp', 'xtthkg74zpt2skec', '4ocjd3ubbxq6ykw7', 'rmxlqabmvfnw4wp4', 'umrilq67j2usutcj', '7tno4hib47vlep5o', 'uwm2wosrob3gplxy', 'yjalbss7b5yfeaie', 's73q5gg7ohplg3by', 'r7twae4a7jtozjwv', 'epmhyca5ol6plmx3', 'fizxfsi3cad3kn7v', 'tw7kaqthui5ojcez', 'i3ezlvkoi7fwyood', '32kl2rwsjvqjeui7', '4bpthx5z4e7n6gnb', 'ahsqbeospcdrngfv', 'dpaqjri6tinnqleh', 'tmclybfqzgkaeilm', 'alcov44uvcwkrend', 'zvnvp2rhe3ljwf2m', 't7r67vsrpjcm5dfc', 'nne4b5ujqqedvrkh', 'ss4vay6jg27klugw', 'xlc2opjy2iniygev', 'bmu34dvfhn7zrhvq', '7sv5jprihn6qdl36', 'qacg4i3r2dnbz5aj', '7oqnsnzwwnm6zb7y', 'des7siw5vfkznjhi', 'cww4mgb635hjpkti', 'u6sep2pltvemcg5r', 'jwdmkcoqa4qh6wej', 'q4vyrzddq25a4jhf', 'ta66nfopjkdkieuv', 'z3mm6cupmtw5b2xx', '25z5g623wpqpdwis', 'encryptor3awk6px', '2k7vcwbzor5ybfto', 'juf5pjk4sl7uojh4', 'h4uqttt4ub2hehkl', 'h5zuvyasqszw5s7q', 'fxxfgxqijkkbo7ss', 'toxicola7qwv37qj', 'tkjthigtqlvohs7z', '4nauizsaaopuj3qj', '4ggxntohlejkutst', '24fkxhnr3cdtvwmy', 'lmgxmluuqwrbdvkb', 'restoredz4xpmuqr', 'j2qwyburl2f4nwsp', 'kkd47eh4hdjshb5t', '5lyw72uhvt2xvgjm', 'zt6bycgnjvatzzvi', 'tzsvejrzduo52siy', 'wls3uapur3zjm5gm', '6i3cb6owitcouepv', 'lnc57humvaxpqfv3', 'na5waivbwt32f4ih', 'cctbulqlcve6e36o', 'kplpqns3yqfdqw45', 'evgg4iqc23vvoxhx', 'vgqisyuzmsa7cenq', 'kqd2eml2kjib53oe', 'bc7cxr6v3arxkffn', 'vozbpt7qiv2nbony', 'b3pepirxq7l2aybj', 'r2bv3u64ytfi2ssf', 'ohmva4gbywokzqso', '2kf7l7vpvvttzxuv', '3fdzgtam4qk625n6', 'tevyc2dds5oxutwe', 'tkj3higtqlvohs7z', 'u6y2j2ggtyplvzfm', 'qcuikaiye577q3p2', 'o2y3ee3fj6usmvn6', 'eqrvbczir5ua2emd', '3v6e2oe5y5ruimpe', 'stgg5jv6mqiibmax', 'krrewiaog3u4npcg', 'iezqmd4s2fflmh7n', 'fiwf4kwysm4dpw5l', 'rrcspgfghsjnklts', '7n4p5o6vlkdiqiee', '6lpeyskl4iiy2ksh', 'ycvcjbhgkmsiyhdd', 'iabni66w5xvwawbe', '34r6hq26q2h4jkzj', 'tlunjscxn5n76iyz', '47gzcamilht76ubo', 'nejdtkok7oz5kjoc', 'v6qyh5dnrn324jzs', 'gzc7lj4rvmkg25dm', 'bs7aygotd2rnjl4o', 'nmki4534a4sdtndk', 'crzy4iatvc7oxpbj', 'kurrmpfx6kgmsopm', '6ubux6ppafr24izl', 'zsn5qtrgfpu4tmpg', 'rzss2zfue73dfvmj', 't54cjs4qc2r4bn63', '52o7rub5gsybritg', 'otsaa35gxbcwvrqs', '2j6ye677oebe37id', 'bpq4dub4rlivvswu', 'fhqt44i7du2oyd35', 'kaofzop5phcg2irj', 'voooxrrw2wxnoyew', '5sse6j4kdaeh3yus', 'vf4xdqg4mp3hnw5g', '75nzutdjjtnpgscz', 'kpai7ycr7jxqkilp', 'jrb2v76dktumckcp', 'vr6g2curb2kcidou', 'wv55abv6bde65ek6', 'erhitnwfvpgajfbu', 'i3e5y4ml7ru76n5e', 'decryptoraveidf7', '4nzchpngrtdhn27u', 'ymleyd4xs3it55m7', 'lpholfnvwbukqwye', '333e45lpjqrebknr', 'vrvis6ndra5jeggj', 'dpckd2ftmf7lelsa', '3bjpwsf3fjcwtnwx', 'eqlc75eumpb77ced', '3kxwjihmkgibht2s', 'xuf5gcycmms2k2vd', 'btcgenyj6ho35io2', 'k7mkm44ddqm6eh2s', 'is6xsotjdy4qtgur', 'w7yue5dc5amppggs', '3qbyaoohkcqkzrz6', '3st7uyjfocyourll', 'smu743glzfrxsqcl', 'bpxw7rfs7t6f52u6', 'paytoc4gtpn5czl2', 'zxjfcvfvhqfqsrpz', 'xwxwninkssujglja', 'dugjdv7z3h5x4nrp', 'gnkltbsaeq35rejl', 'j2kiphmeb4m4ek66', 'ihma6dpeczozwz2q', 'k7tlx3ghr3m4n2tu', 'q5xofefox3mejgok', '613cb6owitcouepv', 'udm744mfh5wbwxye', 'mmc65z4xsgbcbazl', '24u4jf7s4regu6hn', 'mjof2bfjbfrucsou', 'vswefkqsipoeuq5o', 'xzjvzkgjxebzreap', 'xdndo2okt43cjx44', '7fa6gldxg64t5wnt', 'xhgiq7xle4s27pwg', 'cerberhhyed5frqa', 'e4vcpcfrnqh6sfz6', 'yez2o5lwqkmlv5lc', 'kc6b4fksimypsogl', 'rkcgwcsfwhvuvgli', '74724z223r535723', 'crptarv4hcu24ijv', 'llgerw4plyyff446', 'oclsi4szqlnpsxh2']