Half of all Tor sites compromised, Freedom Hosting founder arrested.
BREAKING: HALF OF TOR SITES COMPROMISED, INCLUDING TORMAIL
The founder of Freedom Hosting has been arrested in Ireland and is awaiting extradition to USA.
In a crackdown that FBI claims to be about hunting down pedophiles, half of the onion sites in the TOR network has been compromised, including the e-mail counterpart of TOR deep web, TORmail.
http://www.independent.ie/irish-news/courts/fbi-bids-to-extradite-largest-childporn-dealer-on-planet-29469402.html
This is undoubtedly a big blow to the TOR community, Crypto Anarchists, and more generally, to Internet anonymity. All of this happening during DEFCON.
If you happen to use and account name and or password combinations that you have re used in the TOR deep web, change them NOW.
Eric Eoin Marques who was arrested runs a company called Host Ultra Limited.
http://www.solocheck.ie/Irish-Company/Host-Ultra-Limited-399806
http://www.hostultra.com/
He has an account at WebHosting Talk forums.
http://www.webhostingtalk.com/showthread.php?t=157698
A few days ago there were mass outages of Tor hidden services that predominantly effected Freedom Hosting websites.
http://postimg.org/image/ltj1j1j6v/
"Down for Maintenance
Sorry, This server is currently offline for maintenance. Please try again in a few hours."
If you saw this while browsing Tor you went to an onion hosted by Freedom Hosting. The javascript exploit was injected into your browser if you had javascript enabled.
What the exploit does:
The JavaScript zero-day exploit that creates a unique cookie and sends a request to a random server that basically fingerprints your browser in some way, which is probably then correlated somewhere else since the cookie doesn't get deleted. Presumably it reports the victim's IP back to the FBI.
An iframe is injected into FH-hosted sites:
TOR/FREEDOM HOST COMPORMISED
By: a guest on Aug 3rd, 2013
http://pastebin.com/pmGEj9bV
Which leads to this obfuscated code:
Javascript Mozilla Pastebin
Posted by Anonymous on Sun 4th Aug 02:52
http://pastebin.mozilla.org/2776374
FH STILL COMPROMISED
By: a guest on Aug 3rd, 2013
http://pastebin.com/K61QZpzb
FBI Hidden Service in connection with the JavaScript exploit:
7ydnpplko5lbgfx5
Who's affected Time scales:
Anyone who accessed an FH site in the past two days with JavaScript enabled. Eric Eoin Marques was arrested on Sunday so that's the earliest possible date.
"In this paper we expose flaws both in the design and implementation of Tor’s hidden services that allow an attacker to measure the popularity of arbitrary hidden services, take down hidden services and deanonymize hidden services
Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization"
http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf
The FBI Ran a Child Porn Site for Two Whole Weeks
http://gizmodo.com/why-the-fbi-ran-a-child-porn-site-for-two-whole-weeks-510247728
http://postimg.org/image/o4qaep8pz/
On any other day one would say these sick perverts got what they deserved. Unfortunately the Feds are stepping far beyond just pedophiles in this latest issue.
The js inserted at Freedom Hosting? Nothing really, just an iframe inject script with a UUID embedded server-side.
The iframe then delivers an exploit kit that appears to be a JavaScript 0day leading to...something. It only attempts to exploit Firefox (17 and up) on Windows NT. There's definitely some heap spraying and some possible shell code. The suspect shell code block contains some strings that look to formulate an HTTP request, but I haven't been able to collect the final payload yet. The shell code also contains the UUID with which the exploit was delivered. Any UUID will work to get this part of the exploit.
I'm still pulling this little bundle of malware apart. So far, I've got that the attack is split across three separate files, each loaded into an iframe. Calls are made between the frames to further obfuscate the control flow. The 'content_2.html' and 'content_3.html' files are only served up if the request "looks like" Firefox and has a correct Referer header. The 'content_2.html' is loaded from the main exploit iframe and in turn loads 'content_3.html'.
Short version. Preliminary analysis: This little thing probably CAN reach out without going through Tor. It appears to be exploiting the JavaScript runtime in Firefox to download something.
UPDATE: The exploit only affects Firefox 17 and involves several JS heap-sprays. Note that the current Extended Support Release is Firefox 17, so this may also affect some large organizations using Firefox ESR.
http://pastebin.mozilla.org/2777139
The script will only attempt the exploit on Firefox 17, so I'm no longer worried about it being some new 0day. Enough of the "Critical" MFSAs are for various sorts of memory corruption that I don't have the time to find out if this is actually a new exploit or something seen before.
http://postimg.org/image/mb66vvjsh/
Logical outcomes from this?
1. FBI/NSA just shut down the #1 biggest hosting site and #1 most wanted person on Tor
2. Silkroad is next on their list, being the #2 most wanted (#1 was Child Porn, #2 is drugs)
3. Bitcoin and all crypto currenecies set to absolutely CRASH as a result since the feds can not completely control this currency as they please.
I don't always call the Feds agenda transparent, but when i do, I say they can be trying harder.
TwitLonger — When you talk too much for Twitter
Re: Half of all Tor sites compromised, Freedom Hosting founder arrested.
I thought it was illegal to use exploits.
Re: Half of all Tor sites compromised, Freedom Hosting founder arrested.
I'm glad they raided it to get rid of those sick things though, see it like that :P
Re: Half of all Tor sites compromised, Freedom Hosting founder arrested.
I feel bad for Jonty right now, someone should tell him to run DBAN... quick.
Re: Half of all Tor sites compromised, Freedom Hosting founder arrested.
Quote:
Originally Posted by
Solaire
I thought it was illegal to use exploits.
The goverment makes their own rules.
Re: Half of all Tor sites compromised, Freedom Hosting founder arrested.
Dark days for internet anonymity :(:
Re: Half of all Tor sites compromised, Freedom Hosting founder arrested.
Quote:
Originally Posted by
Alfons
Dark days for internet anonymity :(:
This :(
Re: Half of all Tor sites compromised, Freedom Hosting founder arrested.
Quote:
Originally Posted by
Alfons
Dark days for internet anonymity :(:
at this rate: Welcome to the future!
Re: Half of all Tor sites compromised, Freedom Hosting founder arrested.
sad to hear, ofc a lot of bad things were going on there. But still a lot of good things too.
Re: Half of all Tor sites compromised, Freedom Hosting founder arrested.
I do have to say that I'm glad that they probably caught so many pedophiles, but I'm astonished by the fact that the feds actually used a zero-day exploit to achieve their goals. The pedophile raid is probably only the beginning though. They needed a valid reason to perform the raid and gain access to the network. From here on out their goal is probably to get taps on the entire TOR network.
Best stay away from TOR since it'll turn into an FBI/NSA honeypot.I think it's safe to say that anyone accessing the network will/might be marked as a potential threat by the NSA if we look at recent events. "You're accessing the TOR network ? You must have something to hide!".
Re: Half of all Tor sites compromised, Freedom Hosting founder arrested.
Quote:
Originally Posted by
Alfons
While I do have to say that I'm glad that they probably caught so many pedophiles, I'm astonished by the fact that the feds actually used a zero-day exploit to achieve their goals. The pedophile raid is probably only the beginning though. They needed a valid reason to perform the raid and gain access to the network. From here on out their goal is probably to get taps on the entire TOR network.
Best stay away from TOR since it'll turn into an FBI honeypot.I think it's safe to say that anyone accessing the network will/might be marked as a potential threat by the NSA if we look at recent events. "You're accessing the TOR network ? You must have something to hide!".
You say that as if it’s not already one giant FBI honeypot. I’m sure it’s common knowledge that both the NSA and FBI supply exit-nodes.
Re: Half of all Tor sites compromised, Freedom Hosting founder arrested.
I tried Tor once, never again. Too much fucked up shit on there.
Re: Half of all Tor sites compromised, Freedom Hosting founder arrested.
Quote:
Originally Posted by
Delici0us
You say that as if it’s not already one giant FBI honeypot. I’m sure it’s common knowledge that both the NSA and FBI supply exit-nodes.
While I do agree, I'd say that these events are all the more reason to steer clear from it.
Re: Half of all Tor sites compromised, Freedom Hosting founder arrested.
Quote:
Originally Posted by
Alfons
While I do agree, I'd say that these events are all the more reason to steer clear from it.
True enough. When you look at Tor (darkweb, not the network itself) there are only two things the “darkweb” is known for, an abundance of child porn and the Silk Road. What else is it used for? Some 13 year old kid trying to scam people saying he’s a hitman. My personal opinion is it’s a waste of time and useless.
Re: Half of all Tor sites compromised, Freedom Hosting founder arrested.
Quote:
Originally Posted by
Delici0us
True enough. When you look at Tor (darkweb, not the network itself) there are only two things the “darkweb” is known for, an abundance of child porn and the Silk Road. What else is it used for? Some 13 year old kid trying to scam people saying he’s a hitman. My personal opinion is it’s a waste of time and useless.
Can't argue with the feds/nsa wanting to roll up all the child pornography sites and silkroad, shit's illegal as hell. The stuff people can buy on silkroad is insane.
It's just sad that because of that they'll have even more control over the network itself, which defeats the entire purpose of TOR.
