[Tor2web-talk] Fwd: Trojan Detected - Please Shut Down! tor2web.org

Charlie Reddington charlier at cymru.com
Thu May 19 19:38:11 CEST 2016


Done.

On 5/19/16 10:45 AM, Virgil Griffith wrote:
> This needs to be blocked.  Otherwise tucows will take away the tor2web.org
> domain.
> 
> ---------- Forwarded message ----------
> From: *Paul Karkas* <pkarkas at tucows.com>
> Date: Thursday, 19 May 2016
> Subject: Fwd: Trojan Detected - Please Shut Down! tor2web.org
> 
> 
> 
>  Hello;
> 
> 
> Please note that there is active malware on your site located at
> 
> 
> http://eqrvbczir5ua2emd.tor2web.org/
> 
> 
> This may be due to an exploit; would you kindly remove the link and let me
> know so we can put this issue to rest?
> 
> 
> Thank you.
> 
> 
> http://en.wikipedia.org/wiki/malware
> 
> Since you are using Tucows whois privacy, I would kindly ask that you
> let me know how you will respond to this inquiry.
> 
> Should you not respond to this email within 48 hours, or provide
> Tucows/Contactprivacy indication that you will respond to the inquiring
> party, Tucows/Contactprivacy may act to remove or reveal the
> proxy/privacy services on your domain, as per the terms and conditions
> of the ContactPrivacy service:
> see https://www.opensrs.com/docs/contracts/exhibita.htm
> 
> 
> Section 33. WHOIS PRIVACY SERVICE
> 
> "g. Right to Suspend and Disable. We shall have the right, at our sole
> discretion and without liability to you or any of your Contacts, suspend
> or cancel your domain name and to reveal Registrant and Contact Whois
> Information in certain circumstances"
> 
> 
> Thank you.
> 
> 
> Paul Karkas
> Compliance Officer OpenSRS
> Tucows Inc.
> paul at opensrs.org
> 416-535-0123 ext 1625
> Direct line 416-538-5458
> 1-800-371-6992
> 
> Fax 416-531-2516
> 
> 
> -------- Forwarded Message --------
> Subject: Trojan Detected - Please Shut Down! - [BBVA - E2142429] -
> 38.229.70.4
> Date: 19 May 2016 14:20:02 +0300
> From: RSA Anti-fraud Command Center <afcc at rsa.com>
> To: pkarkas at tucows.com
> 
> BBVA - E2142429
> 
> To whom it may concern:
> 
> RSA, The Security Division of EMC (“RSA”), an information security company,
> has detected and verified that a Malware (as defined below) program is
> being propagated from a server which is associated with the following URL:
> 
> (the “Designated Site”)
> 
> From our review, it is our understanding that you operate the Designated
> Site and that it is, therefore, under your control.
> 
> For the purposes of this letter, “Malware” means any software applications
> or executables that perform actions unanticipated by and without the
> consent of the person running the software. Malware is distributed via many
> mechanisms including, but not limited to: email attachments; content
> injection such as cross site scripting; exploiting security vulnerabilities
> in operating systems and other software; and/or insertion into downloadable
> software. Malware is designed, among other things, to misappropriate
> personal data in order to engage in fraudulent transactions using that
> data, and/or to compromise and co-opt an end-user’s networked computer; all
> for the purpose of performing illegal or improper acts such as
> misappropriating funds; carrying out denial of service attacks; and sending
> unsolicited mass emails.
> 
> For your information, we have analyzed the specific Malware and enclose a
> file, which includes:
> 
>    - Malware name: *Ransom*
>    - Description: Ransomware is computer malware which holds a computer
>    system, or the data it contains, hostage against its user by demanding a
>    ransom for its restoration.
>    http://www.symantec.com/connect/node/1618951
>    - http://eqrvbczir5ua2emd.tor2web.org/
> 
> This file also details the method by which it appears that the Malware is
> downloaded to a victim’s computer.
> 
> In this instance, it is our belief that the specific purpose of the Malware
> is to misappropriate account credentials and identity information from the
> customers of one or more financial institutions in order to access their
> bank accounts fraudulently.
> 
> *Therefore, we request that you immediately take all actions necessary to
> disable and remove this Malware from the Designated Site.*
> 
> We specifically would ask that you also take the following actions: *Please
> provide us with a tar/zip file of all the content located under the
> Malware's path (including hidden files)*, so that we may analyze it to help
> prevent further attacks. If any customer data has been captured that is
> stored on your systems or equipment, please send us that data so that the
> customers to whom that data relates can be notified and take steps to
> protect their credit. Please provide a copy of any records you maintain
> that indicate the name, contact information, method of payment or similar
> information that may be useful in helping learn about the identity and
> location of the customer for whom the website has been operated.
> 
> We would appreciate your email confirmation that the source of the Malware
> infection has been disabled.
> 
> We understand that you may not be aware of the above described improper use
> of the Designated Site and we thank you for your cooperation in the
> prevention of fraudulent online activity. The foregoing is without
> prejudice to any and all rights and remedies of any financial institution
> impacted by the improper use of the Designated Site, which rights and
> remedies are hereby expressly reserved.
> If you need further information, please do not hesitate to contact RSA at
> the numbers below.
> 
> Sincerely,
> RSA SECURITY INC.
> 
> *RSA Anti-Fraud Command Center*
> Tel: +44 (0)800-032-7751 (UK)
> Tel: +1-866-408-7525 (US)
> E-mail: afcc at rsa.com
> 
