BadOnions : Bad TOR exit nodes attempts to login with sniffed password


A security researcher spent a month to find bad TOR exit nodes by setting up a honeypot kind of website which has a fake login page - To find the nodes that sniffs the traffic and attempts to steal the password.

Tor protects its users by bouncing their communications around a distributed network of relays runs by volunteers all around the world.

Chloe wrote in a blog, “A few weeks ago I got the idea of testing how much sniffing is going on in the Tor network by setting up a phishing site where I login with unique password and then store them. I do this with every exit node there is and then see if a password has been used twice, if that's the case I know which node that was sniffing the traffic.”

According to the researcher, he bought a domain with a tempting name (such as bitcoinbuy) and then created a sub-domain(admin.) by using vhost and set up a simple login.

He used a simple login script that allowed any password ending wiht "sbtc".  He created a random password ending with "sbtc" (eg:d25799f05fsbtc) and used it via tor nodes.

The script also saves the login attempts and successful logins in a file with user agent, IP and time - This will help him to find the bad nodes.

“The results are not so surprising, but what is most surprising about this is that 2 nodes with the 'guard' flag had logged in twice. Also, none of these nodes has been flagged even though I reported them to Tor.” Researcher said in his blog.
He released the result of the test; He tested more than 130k Exit nodes within 32 days. He found that there were 12 failed-login attempts, 16 successful logins that had not come from the researcher.

Astoria - Researchers develop a new Tor client which aims to beat NSA


With an aim to beat powerful intelligence: like NSA, researchers have developed Astoria, a new Tor client which is said to be capable of protecting user’s privacy, even from such powerful intelligence agencies.

A cyber security researcher team from America and Israel come up with a new Tor client which is designed to make spying more difficult for the world's most capable intelligence agencies.

According to the research paper, people have used Tor, a popular anonymity system for users who wish to access the Internet anonymously or circumvent censorship, to prevent their activity from being tracked as Internet anonymity becoming difficult to establish.

However, Tor is not as safe as it was supposed to be, from the powerful intelligence agencies.

As a result the researchers have developed Astoria, which particularly focuses on defeating autonomous systems that has set up to intrude into Tor’s anonymity.

“In our experiments, we find that 58% of all circuits created by Tor are vulnerable to attacks by timing correlation and colluding sibling ASes. We find that in some regions (notably, China) there exist a number of cases where it is not possible for Tor to construct a circuit that is safe from these correlation attacks,” said in the research paper.

It added, “To mitigate the threat of such attacks, we build Astoria, an AS-aware Tor client. Astoria uses leverages recent developments in network measurement to perform pathprediction and intelligent relay selection. It not only reduces the number of vulnerable circuits to 5.8%, but also considers how circuits should be created when there are no safe possibilities. It performs load balancing across the Tor network, so as to not overload low capacity relays. Moreover, it provides reasonable performance even in its most secure configuration.”

The Astoria is aimed to do a list of things:
• Deal with asymmetric attackers.
• Deal with the possibility of colluding attackers.
• Consider the worst case possibility.
• Minimize performance impact.

Banking Trojan Vawtrak

Banking Trojan Vawtrak (aka Neverquest or Snifula) which additionally uses the Pony module to steal wide range of log-in credentials has been proliferating rapidly over the last few months

 USA, Germany, UK, Czech Republic are the  top  affected countries this year.

While Trojans like this are not new, what makes it remarkable is the  the multi-layered concealing processes and wide range of functions it can execute.

The Vawtrak Trojkan spreads via drive-by download – in the form of spam email attachments or links to compromised sites or  through malware downloaders such as Zemot or Chaintor or through exploit kits like Angler.

Tracking the Trojan  Vawtrak, AVG has revealed a detailed analysis of its installation and functionality.

Installation
The trojan was delivered through a spam email from Amazon which contained link to a zip archive stored on a compromised Wordpress site. The delivered file which actually was a executable tried to simultaneously look as  a pdf and a screen saver. It then installed itself into the system and ensured persistence by enabling auto-execution  Windows start-up. Without causing visible changes in the system, it then dropped the DLL into the program folder and deleted its original version.

This shorter second DLL decrypts its payload, which looks like  a normal Windows exe file but is a compressed file. The decompressed file replaces the second DLL and extracts the final module in a compressed format which further contains another two DLL files. The appropriate DLL then executes Vawtrak's main functionality.

Functionality
Once executed, Vawtrak disables antivirus protection of almost all known anti-viruses, steals multiple passwords from browsers (even obscure browsers such as K-Meleon or Flock) or applications, steals browser history, modifies browser settings, logs keystrokes, takes screenshots or records user actions on desktop, enables remote access to victim's system.

Further it communicates with remote Control & Command servers, executing commands from a remote server, sending stolen information, downloading new versions of itself and web-injection frameworks.
One fascinating feature is that it can connect to the update servers  hosted on the Tor hidden Web services via a Tor2web proxy without installing any special software such as Tor browser. Moreover, the communication with the remote server is done over SSL, which adds further encryption. Due to the use of steganography, the user remains totally ignorant of the working and updation of the Trojan.

Vawtrak is not as advanced as some others but its actions are too aggressive and they may cause stability or performance issues in the infected machines.

Staying vigilant about online phishing and scams is the most efficient way of avoiding Vawtrak but as it may still find its way, even without a user's direct interaction. So having an efficient and updated antivirus solution is of utmost importance.

For full analysis of the Trojan, read the complete report by AVG.

US Charges three more in Silk Road Online black market case


US authorities have charged three more people in connection with the operation of Silk Road, the online black market for illicit goods such as drugs, illegal guns and more.

24-year-old a Virginia resident 'Andrew Michael Jones', 25-year-old Irish 'Gary Davis', 40-year-old 'Peter Phillip Nash' from Australia, were charged in a federal indictment unsealed today in New york.

The three men are charged with money laundering, conspiracy to engage in narcotics trafficking and computer hacking, according Reuters.

Jones & Davis is reportedly worked as site admin of Silk Road while Nash worked as primary moderator on their website discussion forums.

The charges followed the arrest in October of Ross Ulbricht, who is allegedly known as "Dread Pirate Roberts" and reportedly the founder of Silk Road. Ulbricht gave the employees a salary ranging from $50,000 to $75,000 a year.

Deep web underground marketplace "Sheep Marketplace" hacked or it is scam!

 
Sheep Marketplace, an underground anonymous marketplace selling drugs and others on the "Deep web", has shut down after large amount of bitcoins allegedly stolen from their website.

The website became popular after feds shut down the similar website "Silk Road" in october.

The site admin claimed that the 5,400 Bitcoins worth $5 million stolen by a vendor dubbed "EBOOK101" who exploited a bug in their site.  However, other reports that more than 96,000 Bitcoins worth $40 million stolen.

However, many say the Sheep market is actually a scam. There is also a website called "sheepmarketscam" that provides facts about Sheepmarket being a scam.

The market claimed to provide refund the remaining bitcoins to the users.  However, none of them is appeared to be received anything so far.

Sheep Marketplace is reportedly linking to new unknown marketplace called "TorMarket". 

Silk Road taken down by FBI

Notorious online marketplace "Silk Road" has been taken down by the FBI and the owner "Ross Ulbricht" a.k.a (Dread Pirate Roberts) has been arrested . Proving that "Perfect security is impossible"

He has been charged with  conspiracy to traffic narcotics, conspiracy to hack computers, and conspiracy to launder money.

The website now shows a "This Hidden Site Has Been Seized" message





Silk Road was the drug dealing website in the world .It used the "TOR hidden network" to hide itself and its users.It seems Ross Ulbricht was caught due to his own mistakes and NOT due to a vulnerability in the TOR network.


This site had been a major point used lawmakers and politicians to try to curtail the growth of the TOR
 network.And now the recent actions by the FBI against many hidden sites in the TOR network is indeed a very big setback for it.

All the transactions in silkroad were done using Bitcoins and since the news of Ross Ulbricht's arrest bitcoin value has dropped quite a bit (Due to paranoid selling). But this is just the currency stabilizing itself, when it stabilizes BTC value will rise again. And the removal of association from such illigal market places might actually be a good thing for bitcoins.

Ross Ulbricht's LinkedIn Profile:http://www.linkedin.com/in/rossulbricht
Full Arrest Warrant: http://www1.icsi.berkeley.edu/~nweaver/UlbrichtCriminalComplaint.pdf
Full Details on how he was caught: https://medium.com/p/d48995e8eb5a



Note: I Will update as the story develops . You can tweet me at @SuriyaME   if you have something to add to this article. 

Almost Half of Tor sites compromised by FBI [Exclusive details]

As many of you might know the US has been pushing for the extradition of Eric Eoin Marques who an FBI agent has called as "the largest facilitator of child porn on the planet."

But most of you might not know that he is also the owner of "freedom hosting" the largest hosting provider for .onion sites within the TOR network . This means that all the sites hosted by "freedom hosting" are at the hands of the FBI. As you can see from the above linked article freedom hosting has been accused of hosting child pornography for a very long time.

I also have a fair idea on how the FBI did the "impossible", tracing a person who is using Tor.And they further might have found details on all the people visiting sites hosted by freedom hosting. First have a look at what a person posted on pastebin on Aug 3rd http://pastebin.com/pmGEj9bV he says he found this code in the main page of "freedom host" this further links to this exploit http://pastebin.mozilla.org/2776374 .





This is my analysis of the exploit ( I have not looked into it deeply as I am busy with my exams)
1. It is a 0 day for the Firefox version that comes as default with the "TOR Browser Bundle"
2. The code says "version >=17 && version <18" checks if the browser is the right version that the exploit works on .

It also has an another check
var i = navigator.userAgent.indexOf("Windows NT");
        if (i != -1)
                return true;
        return false;




3.It also manages to gather the Real IP of the user and possibly execute a malicious payload that might give the attacker full access to the system.
4. This exploits works because the people at TOR project had made it such that Javascript is loaded by the built in browser by default (this was not the case before and people who had their "no script" plugin with proper setting "disallowed" are safe)
5.Please note that is NOT a zero day for the TOR network but rather an exploit for the Firefox version that most TOR users are running.

Tor's official reply: https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting


Though the action's done by the FBI to take down child pornography in the TOR network is appreciated by all of us, many of the legitimate sites hosted by freedom hosting are also down .They should make sure that what they do does not kill the freedom and anonymity that the TOR network stands for.


Edit 1: Here are a few other deeper analysis I found --> http://pastebin.mozilla.org/2777139 , http://tsyrklevich.net/tbb_payload.txt

PS: If you have anything more that you would like to be added to this article or any corrections you can contact me on Twitter https://twitter.com/SuriyaMe