But now we have Tox–and it’s free.
While sifting though our stream of “dark web” data, McAfee Labs found Tox on May 19. It was updated on May 21 with a new FAQ and an updated design. But the core did not change.
- Tox is free. You just have to register on the site.
- Tox is dependent on TOR and Bitcoin. That allows for some degree of anonymity.
- The malware works as advertised.
- Out of the gate, the standard of antimalware evasion is fairly high, meaning the malware’s targets would need additional controls in place (HIPS, whitelisting, sandboxing) to catch or prevent this.
- Enter the ransom amount. (The site takes 20% of the ransom.)
- Enter your “cause.”
- Submit the captcha.
This process creates an executable of about 2MB that is disguised as a .scr file. Then the Tox “customers” distribute and install as they see fit. The Tox site (on the TOR network) will track the installs and profit. To withdraw funds, you need only supply a receiving Bitcoin address.
Upon execution, the malware encrypts the victims’ data and prompts them for the ransom, including the Bitcoin address for sending payment.
Although easy to use and functional, the malware appears to lack complexity and efficiency within the code.
The developer has left several identifying strings within the code. Examples:
The malware first downloads Curl and the TOR client:
After execution, Tox will start TOR in SOCKS5 proxy mode with the following command-line parameters:
-socks5-hostname 127.0.0.1:9050 –data \
We don’t expect Tox to be the last malware to embrace this model. We also anticipate more skilled development and variations in encryption and evasion techniques.
Source and credits: