Showing results for tags 'tor'.
Found 11 results

  1. I noticed it isn't on the forum. I used it on Linux; it's easy to use and it also has a renew-IP command... If you visit that IP address on the web, you get a page saying it is a Tor exit node. TorGhost is an anonymization script. TorGhost redirects all internet traffic through a SOCKS5 Tor proxy. DNS requests are also redirected via Tor, thus preventing DNS leaks. The script also disables unsafe packets exiting the system. Some packets, like ping requests, can compromise your identity. https://github.com/SusmithKrishnan/torghost
  2. Hi, does anyone happen to have the Tails ISO, version 2.2.0? I deleted it some time ago and can't find it anywhere anymore. I also tried Tails 2.2.1 and Tails 2.3, but on those versions I can't ssh from the console without disabling the firewall, and that doesn't help me. I know it worked perfectly on version 2.2.0. Thanks!
  3. Introduction

When it comes to anonymizing activities in the digital world, it can be referred to in various ways. Researchers might use it to identify various malicious activities and for back-trailing, whereas hackers can anonymize their activities so as to build up a cover around their malicious activities. These anonymizing activities can really increase the work of researchers, as they can't trust the attributes mentioned in the logs, like IP address, user agent, etc., as such attributes will only give you false information. In this article series, we will learn about anonymizing activities from a very basic level to an advanced level.

Anonymity with TOR

The Onion Router, widely known as TOR, is famous for staying anonymous on the Internet. Tor is a network of computers around the world that forward requests in an encrypted manner from the start of the request until it reaches the last machine in the network, which is known as an exit node. From the last node of the TOR network, the request is decrypted and sent to the destination server. Thus exit nodes are the first and last nodes in the TOR network for receiving and sending traffic from and to the original and destination server. Thus, to the destination server all traffic seems to come from the exit node in the TOR network, thus hiding the IP address of the original sender. Even the other systems in the TOR network cannot determine the location either, because they are essentially forwarding traffic with no knowledge of where it actually originated. The responses to original requests will return to the system, but as far as the TOR network is concerned, a request is just another hop along the way.

SOCKS server

TOR works with the SOCKS protocol, so it is worth talking about SOCKS. A SOCKS server establishes a proxy TCP connection with another server on behalf of the client and then routes all the traffic back and forth between the client and the server. It works for any kind of network protocol on any port. SOCKS Version 5 adds additional support for security and UDP. The SOCKS server does not interpret the network traffic between client and server in any way, and is often used because clients are behind a firewall and are not permitted to establish TCP connections to servers outside the firewall unless they do it through the SOCKS server. Most web browsers, for example, can be configured to talk to a web server via a SOCKS server. Because the client must first make a connection to the SOCKS server and communicate which host it wants to connect to, the client must be "SOCKS enabled". SOCKS uses a handshake protocol to inform the proxy software about the connection that the client is trying to make, and then acts as transparently as possible, whereas a regular proxy may interpret and rewrite headers.

Comparison of SOCKS and HTTP

As can be inferred from the above text about SOCKS, its function is similar to that of HTTP. But there is a significant difference between SOCKS and HTTP, as SOCKS operates at one level lower than HTTP proxying. HTTP allows forwarding TCP connections, whereas SOCKS can also forward UDP traffic and work in reverse. Let's understand the difference with an example:

SOCKS: Suppose User 'A' wants to connect with User 'B' over the Internet, but a firewall between them is restricting users from connecting with each other. User 'A' connects to a SOCKS proxy in his network, which opens a connection through the firewall, and a communication channel between User 'A' and 'B' is achieved.

HTTP: Suppose User 'A' wants to download a web page from web server 'B', but because of the presence of a firewall between them, User 'A' is not able to do so, so User 'A' connects to an HTTP proxy, and in turn A's browser communicates with the proxy in exactly the same way that it would directly with B's server if that were possible, meaning it sends a standard HTTP request header. The HTTP proxy connects to B's server, and then transmits back to 'A' any data that B's server returns.

TOR hidden services

TOR is also being used to hide websites and other servers. This works by using what is called an associated onion address rather than the website's original IP address. This model is more secure than the original TOR traffic model, since hidden services do not use exit nodes. Communication is encrypted end to end. Below are some of the TOR hidden services.
  • Search engines: TorSearch
  • P2P file sharing: The Pirate Bay
  • Social media: Facebook
  • Commerce: Evolution, Silk Road, etc.

TOR weaknesses

Although TOR is a strong way to anonymize activities in the digital world, the TOR network has some weaknesses too. Below are some of the weaknesses that the TOR network has:
  • The TOR network is subject to eavesdropping attacks. Since the TOR model involves exit nodes and traffic from the exit node to the destination node is not encrypted, eavesdropping attacks are possible. One possible solution to this is to always access the HTTPS version of the service.
  • TOR exit node block: Some websites block traffic if the last node is a TOR node, thus reducing the functionality for TOR users.
  • TOR is also vulnerable to traffic analysis attacks, correlation attacks, sniper attacks, etc.

TOR configuration

TOR can be easily installed in the system, and after connecting with the TOR network, the user can anonymize his activities. Consider the following commands to use in Ubuntu.
  • Install TOR as root: apt-get install tor
  • Check the IP address of the system without TOR
  • Install the TOR bundle from the TOR website
  • Extract the content and run the .exe
  • If you are running as root, the system might display an error saying that "TOR cannot be run as root". To overcome this, open the file in a text editor and comment the following lines:
  • After this, start the TOR bundle .exe and notice the IP address. The IP address should not be the same as your machine's IP.

So in this article, we have learnt about what TOR is, how it is different from HTTP, and how easy it is to install and configure TOR on a machine. In the next article, we will learn about some more ways of anonymizing.

References
http://en.wikipedia.org/wiki/Tor_%28anonymity_network%29
Source
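The SOCKS5 handshake that the article above describes, worked through as an added example (this is not the article's or the Tor Project's code): it builds the client greeting and CONNECT request, parses the proxy's replies, and sends a hostname as ATYP 0x03 so that Tor, not the local resolver, looks it up. `FakeTorSocks` is a constructed stand-in that answers the way Tor's port 9050 does; `connect_via_tor` runs the same handshake against a real local Tor daemon.

```python
"""SOCKS5 CONNECT handshake as a Tor client performs it against port 9050 (RFC 1928)."""
import ipaddress
import socket
import struct

TOR_SOCKS_PORT = 9050  # Tor's default SOCKS listener

REPLY_CODES = {0x00: "succeeded", 0x01: "general SOCKS server failure",
               0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
               0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
               0x07: "command not supported", 0x08: "address type not supported"}


def build_greeting():
    # VER=5, NMETHODS=1, METHODS=[0x00 no authentication]; Tor's SOCKSPort accepts this
    return b"\x05\x01\x00"


def build_connect(host, port):
    """CONNECT request (CMD=0x01). An IP literal goes as ATYP 0x01/0x04; any other host
    is sent as a domain name (ATYP 0x03) so Tor resolves it inside the circuit and the
    client never issues a local DNS query (the DNS leak the posts above warn about)."""
    try:
        ip = ipaddress.ip_address(host)
        addr = (b"\x01" if ip.version == 4 else b"\x04") + ip.packed
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("domain name too long for SOCKS5")
        addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def parse_reply(sock):
    """Read the server reply; returns (BND.ADDR, BND.PORT) or raises on a non-zero REP."""
    ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    if ver != 5:
        raise ConnectionError("not a SOCKS5 proxy (VER=%d)" % ver)
    if rep != 0:
        raise ConnectionError("SOCKS5 error: " + REPLY_CODES.get(rep, "unknown 0x%02x" % rep))
    if atyp == 1:
        bound = str(ipaddress.IPv4Address(_recv_exact(sock, 4)))
    elif atyp == 4:
        bound = str(ipaddress.IPv6Address(_recv_exact(sock, 16)))
    elif atyp == 3:
        bound = _recv_exact(sock, _recv_exact(sock, 1)[0]).decode("idna")
    else:
        raise ConnectionError("bad ATYP 0x%02x in reply" % atyp)
    (port,) = struct.unpack("!H", _recv_exact(sock, 2))
    return bound, port


def socks5_connect(sock, host, port):
    """Run the whole handshake on a socket that is already connected to the proxy."""
    sock.sendall(build_greeting())
    ver, method = _recv_exact(sock, 2)
    if ver != 5 or method != 0:
        raise ConnectionError("proxy refused no-auth (VER=%d METHOD=0x%02x)" % (ver, method))
    sock.sendall(build_connect(host, port))
    return parse_reply(sock)


class FakeTorSocks:
    """Constructed stand-in for Tor's SOCKS port so the exchange runs offline. It answers
    the way Tor does: method 0x00, then a reply whose BND.ADDR/BND.PORT is 0.0.0.0:0."""

    def __init__(self, reply_code=0x00):
        self.received = []
        self._out = b""
        self._reply_code = reply_code

    def sendall(self, data):
        self.received.append(data)
        if data == b"\x05\x01\x00":                      # method selection
            self._out += b"\x05\x00"
        elif data.startswith(b"\x05\x01\x00"):           # CONNECT request
            self._out += b"\x05" + bytes([self._reply_code]) + b"\x00\x01" + b"\x00" * 6

    def recv(self, n):
        chunk, self._out = self._out[:n], self._out[n:]
        return chunk


def connect_via_tor(host, port, proxy=("127.0.0.1", TOR_SOCKS_PORT)):
    """Real use: TCP to the local Tor daemon, then hand that socket to the handshake."""
    s = socket.create_connection(proxy, timeout=30)
    socks5_connect(s, host, port)
    return s  # a tunnel to host:port; the application protocol is spoken on it
```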
  4. Add this line to your /etc/apt/sources.list file: deb Index of /torproject.org <DIST> main (in the case of Kali, set <DIST> to wheezy).
Next is adding the PGP public keys: open the terminal and ctrl+v these commands:
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
Next: apt-get update && apt-get install tor tor-geoipdb
Next: install polipo: apt-get install polipo
Next: edit /etc/polipo/config with this one: https://trac.torproject.org/projects/tor/attachment/ticket/3172/polipo.conf
Next: service polipo restart
Finally: sqlmap -u "url" --risk 3 --level 5 --check-tor --tor --dbs
  5. Are you aware of everything that your users are accessing from your environment? While most of the time non-work-related Internet browsing is harmless (looking at pictures of cats, online shopping, social media, etc.), there are some instances where you could be an unknowing and unwilling participant in criminal activity. That is, when users hide that activity via the Tor network, or the Dark Net.

The Onion Router, better known as "Tor", an open source project launched in 2002, is designed to allow a user to browse the Internet anonymously via a volunteer network of more than 5000 relays. It doesn't share your identifying information, like your IP address and physical location, with websites or service providers. For a user navigating the Internet using Tor, it is quite difficult to trace their activities, which ensures their online privacy. There are arguably legitimate uses for this technology, such as providing Internet access in repressively regulated countries.

Tor has been a favorite target of intelligence agencies. The NSA targeted Tor users using a zero-day vulnerability in the Firefox browser bundled with Tor that allowed them to get the real IP address of anonymous Tor users. Using the same techniques, the FBI was also able to track the owner of 'Freedom Hosting', the biggest service provider for sites on the encrypted Tor network, which hosted many child pornography sites. However, Mozilla has since fixed the Firefox flaw exploited by government law enforcement officials.

Moreover, Tor is often associated with illicit activity (child pornography, selling controlled substances, identity theft, money laundering, and so on). Most admins will want to prohibit their users from using the Tor network due to its association with nefarious activity. Since the point of origin is nearly impossible to determine with conventional means, many bad actors leverage the Tor network to hide the location of Command & Control servers, machines taking ransomware payments, etc. This makes identifying them and their malware that much harder. Users browsing the Tor network (for illicit purposes or not) from your environment can open you up to hosting malicious/illegal content, ransomware infection, or unknowingly participating in other malicious activity. Therefore it is also known as DeepNet or Deep Web. To learn more about the Deep Web you can read our detailed article, "What is the Deep Web? A first trip into the abyss".

WHAT CAN I DO ABOUT TOR?

AlienVault Unified Security Management™ (USM) can help. USM provides asset discovery, vulnerability assessment, threat detection (IDS), behavioral monitoring and SIEM in a single console, plus weekly threat intelligence updates developed by the AlienVault Labs threat research team. The correlation directives and IDS signatures in AlienVault Unified Security Management (USM) can detect when a system is attempting to resolve a Tor domain, and allow you to take corrective action. Plus, new and updated correlation directives developed by the experts at AlienVault Labs are pushed to USM weekly, enabling detection of emerging threats.

Learn more about AlienVault USM:
  • Download a free 30-day trial
  • Watch a demo on-demand
  • Play with USM in our product sandbox (no download required)
Source
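One way to get the detection the post above attributes to USM (a host attempting to resolve a Tor domain) out of plain resolver logs, as an added example that is not AlienVault's code: the BIND-style log lines are constructed, and the Tor2web gateway suffix list is illustrative rather than authoritative.

```python
"""Flag resolver queries that reveal Tor use, run over constructed BIND-style query log lines."""
import re
from collections import namedtuple

Hit = namedtuple("Hit", "client name reason")

# BIND9 query-log shape: "client 10.1.2.3#51234: query: example.com IN A + (10.0.0.53)"
QUERY_RE = re.compile(r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\w+)")

# Illustrative Tor2web-style gateway suffixes (web proxies that front .onion sites over
# ordinary DNS); treat this tuple as a starting point, not an authoritative list.
GATEWAY_SUFFIXES = (".onion.to", ".onion.link", ".onion.cab", ".tor2web.org")

ONION_LABEL_RE = re.compile(r"^[a-z2-7]+$")  # base32 alphabet used by onion addresses


def onion_version(name):
    """For a .onion name return 'v2' (16-char label), 'v3' (56-char label) or
    'malformed'; None for anything that is not under .onion."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 2 or labels[-1] != "onion":
        return None
    label = labels[-2]
    if ONION_LABEL_RE.match(label):
        if len(label) == 16:
            return "v2"
        if len(label) == 56:
            return "v3"
    return "malformed"


def inspect_query(client, name):
    """Return a Hit when the queried name points at Tor, else None."""
    lname = name.rstrip(".").lower()
    ver = onion_version(lname)
    if ver is not None:
        # RFC 7686 reserves .onion: a Tor-aware client hands it to the SOCKS port and it
        # must never reach the DNS. Seeing it here means a leaking Tor client, or software
        # (bundled Tor, Tor-ignorant malware) trying to reach a hidden service directly.
        return Hit(client, lname, "onion-%s leak" % ver)
    for suffix in GATEWAY_SUFFIXES:
        if lname.endswith(suffix):
            return Hit(client, lname, "tor2web gateway " + suffix.lstrip("."))
    return None


def scan_log(lines):
    """Parse each log line and collect the Hits, preserving log order."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m is None:
            continue  # not a query line (or a format this regex does not know)
        hit = inspect_query(m.group("client"), m.group("name"))
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample log; the onion labels are made up and resolve to nothing.
SAMPLE_LOG = [
    "client 10.1.2.3#51234: query: www.example.com IN A + (10.0.0.53)",
    "client 10.1.2.3#51235: query: abcdefghijklmnop.onion IN A + (10.0.0.53)",
    "client 10.1.2.8#44000: query: "
    "abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion IN A + (10.0.0.53)",
    "client 192.168.5.7#40001: query: abcdefghijklmnop.onion.to IN A + (10.0.0.53)",
    "client 10.1.2.9#5555: query: hello.onion IN AAAA + (10.0.0.53)",
    "client 10.1.2.3#51236: query: mail.example.com IN MX + (10.0.0.53)",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print("%-14s %-60s %s" % (h.client, h.name, h.reason))
```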
  6. A ban on online anonymity networks would be "technologically infeasible" and unwise, MPs have been told. Parliamentary advisers said networks such as Tor could be used for criminal ends but also in the public interest. The advice for MPs contradicted the Prime Minister David Cameron, who has said law enforcement should be handed the keys to encrypted communications. One expert said the document showed Mr Cameron's plans to be "noble", but ultimately unworkable. The Parliamentary Office of Science and Technology (Post), which issues advice to MPs, said that there was "widespread agreement that banning online anonymity systems altogether is not seen as an acceptable policy option in the UK".

'Technical challenges'

In a briefing document on the dark net, of which Tor forms a prominent part, it added that, "even if it were, there would be technical challenges". The report, published on Monday 9 March, cited the example of the Chinese government, which attempted to block access to Tor in order to enforce bans on unauthorised websites. In reaction, it said, the body that maintains the network simply added "bridges" that were "very difficult to block", allowing people to continue accessing Tor.

[Image: The prime minister has called for encryption to be banned to help stop terrorism]

Speaking in January, following attacks by gunmen in Paris and its surrounding areas, David Cameron said there should be no "means of communication" the security services could not read. He said: "In extremis, it has been possible to read someone's letter, to listen to someone's call to mobile communications. "The question remains, 'Are we going to allow a means of communications where it simply is not possible to do that?' My answer to that question is, 'No, we must not.'" He has also enlisted companies that operate internet search engines, such as Google, Microsoft and Yahoo, to help track down and block images of child abuse.

Whistle-blowing

However, the Post report clarified that the dark web was not indexed by such search engines, limiting the extent to which they would be able to help. Jamie Bartlett, of the think tank Demos, whose book The Dark Net was cited in the report, said that - in theory - he agreed with Mr Cameron that there should not be a place in the dark web for criminals to hide. However, he said that - in practice - the prime minister's plans were shown by the parliamentary document to be "more or less impossible to actually do". He said: "It is about police being able to force people to give up their anonymity when necessary, without taking away the ability to be anonymous online."

Hidden services

The Post provides reports for MPs to offer them independent, non-political advice on highly specialised and complicated issues in science and technology. It does not bind them to any position, but helps inform parliamentary debates and votes on subjects of which many MPs would otherwise have little understanding. In its report, it differentiated between use of the dark web for criminal purposes and for acts in the public interest - such as whistle-blowing. It noted that some people have argued for a network that allowed users to be anonymous, but without Tor hidden services (THS), such as the Silk Road marketplace, which have been used for criminal purposes. "However, THS also benefit non-criminal Tor users because they may add a further layer of user security," the report said. "Sites requiring strong security, like whistle-blowing platforms are offered as THS. "Also, computer experts argue that any legislative attempt to preclude THS from being available in the UK over Tor would be technologically infeasible." A spokesman for the prime minister did not respond to a request for comment.
Source
  7. tmap.py:

```python
# tmap 0.1
# Coded by TheKingOf9x <AT> yandex . com
# Fast multi-threaded port scanner which tunnels through TOR.
# Depends on the PySocks library: https://github.com/Anorov/PySocks
# And of course TOR: apt-get install tor
#
# Do not use hostnames, may leak DNS info. only use IP addresses.
#
# Not happy with the Privoxy + TOR (exit relay only) + nmap config. I made this.
#
# Usage:
# python tmap.py

import sys
import socks
import datetime
import threading

# Serializes screen/log output from the scanner threads.
lock = threading.Semaphore(value=1)

# Port of TOR server
TOR_PORT = 9050
# timeout. Experiment with this.
TIMEOUT = 20
# Port list to scan, amend at will
ports = (21, 22, 23, 80, 443, 1433, 3306, 8080)


def main():
    if len(sys.argv) < 3:
        print("\033[92m\n\t\t\ttmap 0.1\n\nFast multi-threaded port scanner which tunnels through TOR.\n\n\033[0m")
        print("Single host scan:\npython " + sys.argv[0] + " -s 192.168.0.1\n")
        print("/24 (Class C) range scan:\npython " + sys.argv[0] + " -r 192.168.0\n")
        print("List scan:\npython " + sys.argv[0] + " -l IPlist.txt\n")
        sys.exit(0)
    scan_type = sys.argv[1]
    parameter = sys.argv[2]
    filename = datetime.datetime.now().strftime("%H:%M_%d-%m-%y.tmap")
    try:
        log = open(filename, "a")
    except OSError:
        log = None  # no log file: results go to the screen only
    if scan_type == "-s":
        host_scan(parameter, log)
    elif scan_type == "-r":
        range_scan(parameter, log)
    elif scan_type == "-l":
        list_scan(parameter, log)
    else:
        sys.exit(1)


# main connect function
def connect(ip, port, log):
    try:
        s = socks.socksocket()
        s.set_proxy(socks.PROXY_TYPE_SOCKS5, 'localhost', TOR_PORT)
        s.settimeout(TIMEOUT)
        s.connect((ip, port))
        s.close()
    except Exception:
        return  # closed/filtered port or Tor error: nothing to report
    output = ip + ":" + str(port)
    # Lock/unlock to clean up screen output. The lock is only taken here, so a
    # failed connect never releases a lock it did not acquire.
    with lock:
        print(output)
        if log is not None:
            try:
                log.write(output + "\n")
                log.flush()
            except OSError:
                pass


def host_scan(ip, log):
    ip = ip.strip()
    for port in ports:
        t = threading.Thread(target=connect, args=(ip, port, log))
        t.start()


def range_scan(ip, log):
    ip = ip.strip()
    for i in range(1, 255):
        ip_addr = ip + "." + str(i)
        for port in ports:
            t = threading.Thread(target=connect, args=(ip_addr, port, log))
            t.start()


def list_scan(parameter, log):
    try:
        f = open(parameter, 'r')
    except OSError:
        print("Could not open file: " + parameter)
        sys.exit(1)
    with f:
        for ip in f:
            ip = ip.strip()
            if not ip:
                continue
            for port in ports:
                t = threading.Thread(target=connect, args=(ip, port, log))
                t.start()


if __name__ == '__main__':
    main()
```

Source
  8. Tor, a privacy-oriented encrypted anonymizing service, has announced the launch of the next version of its Tor Browser Bundle, i.e. Tor version 4.0.4, mostly supposed to improve the built-in utilities, privacy and security of online users on the Internet. Tor Browser helps users browse the Internet in a completely anonymous way. The powerful Tor Browser Bundle, an anonymous web browser developed by the Tor Project, received some updates in its software. Tor Browser Bundle is basically an Internet browser based on Mozilla Firefox configured to protect the users' anonymity via Tor and Vidalia. The anonymity suite also includes 3 Firefox extensions: Torbutton, NoScript and HTTPS-Everywhere.

NEW FEATURES
The latest version, Tor Browser Bundle 4.0.4, has recently been released, with a small number of new features:
  • Updated Firefox to 31.5.0esr with important security updates.
  • Update OpenSSL to 1.0.1
  • Update NoScript to 2.6.9.15
  • Update HTTPS-Everywhere to 4.0.3

BUG FIXES
Meanwhile, the new Tor version 4.0.4 also includes some bug fixes:
  • Bug 14203: Prevent meek from displaying an extra update notification
  • Bug 14849: Remove new NoScript menu option to make permissions permanent
  • Bug 14851: Set NoScript pref to disable permanent permissions

"A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory," states the Tor project team. Tor is generally thought to be a place where users come online to hide their activities and remain anonymous. Tor is an encrypted anonymizing network considered to be one of the most privacy-oriented services, and is mostly used by activists and journalists to circumvent online censorship and surveillance efforts by various countries. However, late last year we saw a large-scale cyber attack on the Tor network that quietly seized some of its specialized network servers called Directory Authorities (DA), the servers that help Tor clients find Tor relays in the anonymous network service. On the other side, last month 12 high-capacity Tor middle relays were launched by Polaris, a new initiative by Mozilla, the Tor Project and the Center for Democracy and Technology, in order to help build more privacy controls into technology. The addition of high-capacity Tor middle relays to the Tor network helps reduce the finite number of Tor connections occurring at the same time.
-> Source <-
  9. Introduction Botnets are still considered one of the most dangerous cyber threats. These malicious networks of compromised machines are used by cyber criminals and state-sponsored hackers for numerous activities, including DDoS attacks, spam campaigns, and financial scams. The principal problem for a botmaster is to make a botnet resilient against operations run by law enforcement. For operators it is essential to hide Command and Control servers and network traffic to avoid takeover of the malicious infrastructure. The Tor network offers a privileged environment for botmasters that could exploit the popular anonymizing network to hide the C&C servers. Tor botnets During the Defcon Conference in 2010, security engineer Dennis Brown discussed Tor-based botnets, highlighting pro and cons of the choice to hide C&C servers in the Tor network. The principal advantages of Tor-based botnets are: Availability of Authenticated Hidden Services Availability of Private Tor Networks Possibility of Exit Node Flooding Security researchers use traffic analysis to detect botnet activities and to localize the C&C servers. Typically they do this by using Intrusion Detection Systems and network analyzers. Once they’ve detected a botnet, the researchers and law enforcement have different options to eradicate it: Obscuration of the IP addresses assigned to the C&C server Cleaning of server hosting botnet and of the compromised hosts Domain name revoke Hosting provider de-peered The botnet traffic is routed to the C&C server through the Tor network that encrypts it, making its analysis more difficult. Brown proposed the following two botnet models that exploit the Tor network: “Tor2Web proxy based model” “Proxy-aware malware over Tor network” Tor2Web proxy based model” The routing mechanism relies on the Tor2Web proxy to redirect .onion web traffic. 
The bot has to connect to the hidden service passing through the Tor2Web proxy pointing to an onion address that identifies the C&C server that remains hidden. The principal problem related to this approach is that it is easy to filter Tor2Web traffic, and a similar configuration could suffer from considerable latencies due to the Tor network that could make a botnet built with this approach unresponsive. “Proxy-aware Malware over Tor network” This approach is based on making use of proxy-aware malware. Due to the absence of the Tor2Web service, the bot agents have to run Tor clients on the infected hosts. The main difference with respect to the first solution is in the requirements for the bot agents and their configuration. Bots need to have SOCKS5 support to reach .onion addresses through the Tor network by loading Tor on the victims’ systems. This second approach is more secure because traffic isn’t routed through a proxy and it is entirely within the Tor network due the direct connection between Bots and C&C servers. This configuration avoids traffic interception from exit nodes that are not involved in the architecture. This approach is more complex from a Bot perspective due to the complexity in managing the SOCKS5 interface and in botnet synchronization. This kind of botnet could be easily detected by the presence of Tor traffic on a network. Strengths and weaknesses of Tor botnets Among the strengths: Botnet traffic masquerades as legitimate Tor traffic Encryption prevents most Intrusion Detection Systems from finding botnet traffic P2P architecture makes botnets more resilient to take down Difficulty for the localization of the command and control servers (C&C) Hidden Services provide a Tor-specific .onion pseudo top-level domain, which is not exposed to possible sinkholing. The operator can easily move around the C&C servers just by re-using the generated private key for the Hidden Service. 
Among the weaknesses: Complexity of botnet management Risk of botnet fragmentation Latency in the communication Tor botnets: real cases The Skynet botnet One of the first examples of a Tor based botnet is the Skynet botnet that was discovered in December 2012 by experts at G-Data and Rapid7. The bot was a strain of the popular Zeus trojan, which included a Tor client for Windows and a bitcoin mining tool. The researchers at G-Data also reported that Skynet used hidden IRC services with Tor to control the malicious architecture. The Skynet botnet can fulfill different tasks such as mining bitcoin or providing bot agents to involve in illegal activities such as DDoS attacks or spam campaigns. Figure 1 – Tor botnet Mevade botnet Going forward in time, we find the Mevade botnet (a.k.a Sefnit, LazyAlienBiker). In September 2013 it caused a spike in the number of Tor users, which reached 5 million active users. Figure 2 – Tor metrics: Mevade spikes Tor users Authors of Mevade’s Tor variant appear to use the Russian language. The purpose of the botnet was the installation of adware and toolbars onto the victim’s systems, mine Bitcoin and steal sensitive information from the infected PC. Experts at TrendMicro revealed that the Mavade malware had also a “backdoor component and communicates over SSH to remote hosts” that made the agent ideal for data theft. The Atrax crimekit In November 2013, researchers from Danish security firm CSIS discovered a new crimekit, dubbed Atrax, which was sold in the underground market. One of the main features implemented by its authors is the ability to exploit Tor networks to communicate with Command & Control servers. 
The Atrax crimekit was cheap – it was offered for $250, and among the other features implemented by its authors, there were: Virtual currency mining (Bitcoin mining and Litecoin mining) Browser data extraction Availability of a module to run DDoS attacks that offers complete support for both Full IPv6 and IPv4 and implements principal attack techniques including UDP Flood, TCP Flood, TCP Connect Flood, HTTP Slowloris, and many other methods. Data stealing, including Bitcoin wallets (such as Armory, Bitcoin-Qt, Electrum and Multibit). Figure 3 – Atrax crimekit The Atrax crimekit has a modular structure. The malware includes a series of add-ons that implement the functionalities described. A plugin which implements a data stealer was sold for $110, the form grabber runs for $300, and an experimental add-on for coin mining was sold for $140. It’s interesting to note that the Atrax crimekit was sold with free updates, bug fixes and support. Below a list of standard features present in the Atrax crimekit: Kill Update Download (over Tor), Execute (Commandline-Parameter allowed) Download (over Tor), Execute (Commandline-Parameter allowed) in memory Install Plugin Installation List (A list with all installed applications) 64-bit ZeuS banking trojan using Tor network In December 2013, security researchers at Kaspersky Lab detected a new strain of the popular Zeus trojan. The new variant was designed to operate on 64-bit, and authors enhanced the malicious code with the support of communication through the Tor network. This version of the popular banking trojan also used a web injection mechanism to steal banking credentials from the victim’s browser. It was also able to steal digital certificates and implement a keystrokes feature. The authors implemented a communication mechanism with the C&C server over the Tor network, a feature that makes it more difficult for law enforcement and security firms to track botnets. 
The 64-bit version of the Zeus banking trojan executes a Tor component, starting the svchost application in suspended mode and then injecting the Tor code into that process, running it in a stealth mode. The malicious traffic was routed through TCP port 9050 and the stolen data were sent to the onion domain with address egzh3ktnywjwabxb [.] onion. “Tor.exe is launched indirectly — ZeuS starts the system svchost.exe application in suspended mode, then injects the tor.exe code into this suspended svchost.exe process, tunes the code to run properly and resumes execution of the suspended svchost,” Tarakanov explains. “As a result, instead of the system svchost.exe, the process actually starts executing tor.exe.” states the blog post published on SecureList. Figure 4 -The Tor utility under the cover of the svchost.exe process creates an HTTP proxy server Another peculiarity of the malware is that it instantiates a hidden service that creates a configuration file for any victims, which includes a unique private key for the service and an exclusive domain. The feature allows the botmaster to control the architecture via Tor. “The botnet operator will be aware of the generated onion domain related to every infected machine as the malware informs the CnC about its tor domain name. So, when an infected machine is online the botnet operator can reach it connecting to its unique onion domain via the Tor network. One purpose of this approach is the remote control of the infected host. For example, one of these ports specifically listens to in the VNC function of ZeuS, obviously meaning that ZeuS provides remote desktop control to the operator via this port,” continues the post. This version of the Zeus trojan was able to trigger its execution after one program within a list of 100 predefined applications is started. 
ChewBacca financial malware In early 2014 the researchers at RSA discovered a variant of the banking Trojan ChewBacca that was used to steal credit card data from infected POS systems. Also in this case, the botnet was controlled by servers hidden in the Tor network. According to the experts at RSA, the botnet based on the ChewBacca POS variant was used against customers in at least 11 countries (including US, Russia, Canada and Australia) since October 25, 2013. The malware was able to steal credit card data with “keylogger” capabilities or dumping the memory content of POS systems in search for credit card details. The bot is able to collect track 1 and track 2 data of payment card during purchases. “Chewbacca code was compiled with Free Pascal 2.7.1., once executed windows based system, it drops as spoolsv.exe in the startup folder and also drops a copy of Tor 0.2.3.25.” “After execution, the function “P$CHEWBACCA$_$TMYAPPLICATION_$__$$_INSTALL” is called, which drops itself as “spoolsv.exe” into the “Startup folder” (e.g. C:Documents and SettingsAll UsersStart MenuProgramsStartup) and requests the public IP of the victim via a publicly accessible service at http://ekiga.net/ip (which is not related to the malware). Tor is dropped as “tor.exe” to the user-s Temp and runs with a default listing on “localhost:9050?.” Figure 5 – ChewBacca console The Bifrose malware In August 2014, researchers from TrendMicro detected a new variant of the Bifrose malware leveraging on the Tor network. The new variant of the Bifrose backdoor was used in a targeted attack against a device manufacturer. Bifrose has been around for many years, and it is quite easy to acquire in the underground. The malware has a data stealing ability, but it is mostly popular for its keylogging routines. 
The variant detected by the malware experts at TrendMicro (detected as BKDR_BIFROSE.ZTBG-A – hash 5e2844b20715d0806bfa28bd0ebcba6cbb637ea1) leverages the Tor network to hide communications between the infected machines and the C&C server.

"What makes this variant more elusive is its ability to use Tor to communicate with its command-and-control [C&C] server," reports a blog post published by TrendMicro.

The Bifrose malware was widely used by cyber criminals. In 2010 a threat actor targeted human resource (HR) personnel of different government offices, including the African Union and NATO.

The Bifrose variant used in the targeted attack on the device manufacturer was able to perform the following operations, as explained in the blog post:

- Download a file
- Upload a file
- Get file details (file size, last modified time)
- Create a folder
- Delete a folder
- Open a file using ShellExecute
- Execute a command line
- Rename a file
- Enumerate all windows and their process IDs
- Close a window
- Move a window to the foreground

OnionDuke: APT Attacks exploited the Tor Network

In November 2014, the experts from F-Secure discovered a link between the crew operating a rogue Tor node used to spread the OnionDuke malware and the MiniDuke APT. Just a month before, the security researcher Josh Pitts of Leviathan Security Group had identified a Russian Tor exit node that was patching the binaries downloaded by users with malware. The expert reported it to officials of the Tor Project, who flagged the Tor exit node as bad and shut it down. Further investigation of the case revealed that the threat actors who managed the node had been serving malware through the described scheme for more than a year.

Figure 7 – OnionDuke infection

The bad actors used the Tor exit node to serve a backdoor, dubbed OnionDuke, to the victim's machine with a man-in-the-middle attack in the downloading phase. Security experts at F-Secure discovered that the rogue exit node was tied to the MiniDuke criminal crew.
MiniDuke is the name of a sophisticated cyber espionage campaign discovered in 2013 by experts at Kaspersky Lab and Hungary's Laboratory of Cryptography and System Security (CrySyS). The MiniDuke APT infected dozens of machines at government agencies across Europe. Exploiting a security flaw in Adobe software, the malicious payload is dropped once the victim opens the malicious PDF file. The malware was used by attackers to steal sensitive data from government and high profile entities. The researchers speculated that the level of sophistication and the nature of the chosen targets suggest that the attacks are part of a state-sponsored espionage campaign.

According to the experts, "OnionDuke," the malware spread through the bogus exit node, is different from the malware used in the past by the threat actors behind the MiniDuke crew. It must be noted that all five domains contacted by OnionDuke aren't dedicated malicious servers. Instead, they are legitimate websites compromised by threat actors.

The experts identified different samples of the malware and multiple other components of the OnionDuke malware family, which were designed to execute specific tasks like data stealing. The analysis of the various samples allowed the researchers at F-Secure to discover the link with the MiniDuke gang. The owner of the Command & Control (C&C) server used to control a sample of the OnionDuke backdoor (W32/OnionDuke.A) is the same one that was involved in the MiniDuke agent. This circumstance suggests that although OnionDuke and MiniDuke are two separate strains of malware, the threat actors behind them shared the control infrastructure.

"One component, however, is an interesting exception. This DLL file (SHA1 d433f281cf56015941a1c2cb87066ca62ea1db37, detected as Backdoor:W32/OnionDuke.A) contains among its configuration data a different hardcoded C&C domain, overpict.com, and also evidence suggesting that this component may abuse Twitter as an additional C&C channel.
What makes the overpict.com domain interesting is that it was originally registered in 2011 with the alias of 'John Kasai'. Within a two-week window, 'John Kasai' also registered the following domains: airtravelabroad.com, beijingnewsblog.net, grouptumbler.com, leveldelta.com, nasdaqblog.net, natureinhome.com, nestedmail.com, nostressjob.com, nytunion.com, oilnewsblog.com, sixsquare.net and ustradecomp.com. This is significant because the domains leveldelta.com and grouptumbler.com have previously been identified as C&C domains used by MiniDuke," reports F-Secure in the blog post.

CryptoWall Ransomware is resurrected with new features

In early 2015, the researchers at Cisco's Talos group published an analysis of a new variant of the CryptoWall ransomware that implements a series of new features, including the exploitation of the Tor anonymity network to hide its command-and-control infrastructure. The new variant of CryptoWall was improved by cyber criminals who applied the necessary modifications to its code to make it resilient to law enforcement operations.

Cisco's Talos Security Intelligence and Research Group reported that the new strain of the CryptoWall ransomware is able to distinguish between 32- and 64-bit architectures and to execute different versions for each architecture and OS, including the newest versions of Mac OS X.

"The latest Cryptowall 2.0 utilizes TOR to obfuscate the command and control channel. The dropper utilizes multiple exploits to gain initial access and incorporates anti-vm and anti-emulation checks to hamper identification via sandboxes. The dropper and downloaded Cryptowall binary actually incorporate multiple levels of encryption. One of the most interesting aspects of this malware sample, however, is its capability to run 64 bit code directly from its 32 bit dropper," states the report.

The attack chain starts with a phishing mail that includes the CryptoWall variant in a ".zip" attachment.
The compressed archive included an exploit that relies on a Microsoft privilege escalation vulnerability (CVE-2013-3660) to compromise the target machine.

"CryptoWall 2.0 can be delivered through multiple attack vectors, including email attachments, malicious pdf files and even various exploit kits. In the sample that we analyzed, the dropper utilized CVE-2013-3660, 'Win32k.sys Elevation of Privilege Vulnerability', to achieve the initial privilege escalation on X86 based machines. This exploit works on 32 bit OSs starting with Vista. The dropper even includes a 64-bit DLL that is able to trigger the exploit in all the vulnerable AMD64 Windows Systems."

This new variant of CryptoWall also implements an anti-VM and anti-emulation check pass that prevents execution in a virtualized environment used for malware analysis. CryptoWall implements a multistep decryption. In the first phase, it decrypts just a first portion of code to check if it is running in a virtualized environment. If it passes the check, it then continues to decrypt. According to the Cisco researchers, the feature could be exploited to prevent the execution of the malware by adding fake entries in the file system that indicate a virtual machine is running.

Once it has infected the machine, the sample connects to the Tor servers with an encrypted SSL connection on port 443 or 9090. The C&C servers discovered by the researchers were using the following Tor URLs:

crptarv4hcu24ijv.onion
crptbfoi5i54ubez.onion
crptcj7wd4oaafdl.onion

"Using hardcoded IP addresses in the PE, the malware connects to the TOR Server with an encrypted SSL connection on port 443 or 9090. After successfully connecting, it starts to generate the Cryptowall domain names using a customized Domain Generation Algorithm (DGA). The algorithm is located at offset + 0x2E9FC."

Critroni ransomware

Recently a security researcher analyzed a new ransomware dubbed Critroni, which is being sold in different underground forums.
Critroni (aka CTB-Locker) is the name of a new ransomware that has recently been included in the Angler exploit kit. A detailed analysis of the ransomware was posted on "Malware.dontneedcoffee.com" by the French security researcher Kafeine. Critroni implements many functionalities, including the ability to exploit the Tor network to host its command and control.

"Placing a server in onion-domain (TOR), close to domain abuse can not be practically impossible to trace the owner and shut down the server. Connection to the server only after encryption of all files. Early Detection is not possible on the traffic, it is impossible to block the work of the locker. Blocking TOR prevents only payment the user, not the program. Analogs are connected to the server until the crypt and can block," states the ad for the malware.

The experts explained that the success of the Critroni ransomware was helped by the takedown of the GameOver Zeus botnet by law enforcement last year. That botnet was in fact used by cyber criminals to serve the CryptoLocker ransomware. Around the same time in mid-June, security researchers began seeing advertisements for the Critroni ransomware on underground forums. The malware was sold for around $3,000.

The Critroni agent was initially spread exclusively in Russia; later its presence was detected in many other countries worldwide. Many criminal groups are using Critroni for their extortion activities. They used to serve the ransomware as part of the Angler exploit kit, which serves a spambot on victims' machines. The spambot module is used by malware authors to drop a couple of other payloads. One of them is Critroni.

Critroni encrypts a variety of files on the targeted machine and then displays a dialogue box that demands a payment in Bitcoins in order to decrypt the files.

Figure 8 – Critroni ransomware

Victims have to pay the ransom within 72 hours. If they don't have any Bitcoins, the ransomware provides detailed instructions on how to acquire them.
I2P botnet: real cases

Not only the Tor network – CryptoWall 3.0 uses the I2P network

The Tor network isn't the only anonymizing network exploited by malware authors to hide their malicious infrastructure. In early 2015 a new version of the infamous CryptoWall ransomware was spotted by Microsoft, just a week after Cisco's Talos Security Intelligence and Research Group announced the discovery of a new strain of the same malware that exploits the Tor network.

The new variant of the CryptoWall ransomware, like others, is distributed via malicious email and through malvertising campaigns. This variant was dubbed by the researchers CryptoWall 3.0 or Win32/Crowti, and it isn't so different from previous instances. However, the experts noted that the names of the files containing the ransom demand have been changed to "HELP_DECRYPT." This variant customizes files for each infected machine and provides victims a personalized link to a page that includes instructions. The instruction page is still reached through the Tor network.

The victims of CryptoWall 3.0 are given 7 days to pay $500 in Bitcoins if they want to decrypt their documents, but if they don't pay within 7 days, the ransom increases to $1,000. On January 12, Microsoft identified 288 unique CryptoWall 3.0 infections.

"The graph below shows the spike after two days of no activity from 288 unique machines affected by this malware," reads the post published by Microsoft.

Figure 9 – CryptoWall 3.0 infections

The French researcher Kafeine, who analyzed CryptoWall 3.0, reported that the communications to the C&C server are encoded with the RC4 cipher. Another feature implemented in the latest variant of the malware is the support of I2P (Invisible Internet Project) for C&C communications.

"It seems communication with the C&C are Rc4 encoded (key seems to be alphanum sorted path of the POST) and using i2p protocol," said Kafeine.
I2P is another anonymizing network used to hide the location of the control servers and make the botnet's C&C more resilient to law enforcement. Also recently, a new version of the popular black market Silk Road, Silk Road Reloaded, migrated to I2P, probably because at this moment there is the conviction that it is more secure than Tor.

It happens now … new Dyre banking trojan variant

A few days ago, the experts at TrendMicro spotted a new variant of the DYRE/Dyreza banking malware with new propagation and evasion techniques. The malware is spread through malicious emails containing the Upatre downloader disguised as a fax or the details of a package delivery; once it is executed, the downloader drops the new Dyre variant, which in turn downloads the WORM_MAILSPAM.XDP worm.

The propagation technique implemented by the cyber criminals is very effective. The worm exploits the Microsoft Outlook email client present on the victim's machine to send spam emails with the Upatre downloader attached to them. The emails aren't sent to the victim's contacts; instead they are sent to email addresses passed by the C&C server. Once the emails are sent by the worm, it deletes itself.

This variant of Dyre uses hard-coded IP addresses. The malware authors also implemented backup mechanisms for the command and control infrastructure that rely on a URL provided by the malware's domain generation algorithm (DGA) or a hard-coded address of a C&C server hidden on the Invisible Internet Project (I2P) network.

Figure 10 – Dyre I2P

In this case, the I2P network is used as a supplementary way to control the botnet, a choice made to make it more resilient to attacks.

Conclusion

Security experts believe that malware authors will continue to exploit anonymizing networks like Tor and I2P. Analyzing the timeline of malware detections made by the principal security firms, cyber criminals have been increasing their adoption of such networks since 2012.
Figure 11 – Malware in the Deep Web (Security Affairs)

Malware authors will exploit the Deep Web basically as a backup mechanism for their botnets and to make them more resistant to various kinds of attacks operated by law enforcement.

References

Skynet, the potential use of Tor as a bulletproof botnet - Security Affairs
OnionDuke: APT Attacks exploited the Tor Network - Security Affairs
New crimekit Atrax exploits Tor, mines Bitcoin and much more - Security Affairs
Detected 64-bit ZeuS banking trojan using Tor network - Security Affairs
http://securityaffairs.co/wordpress/27885/cyber-crime/bifrose-uses-tor.html
http://blogs.cisco.com/security/talos/cryptowall-2
http://malware.dontneedcoffee.com/2014/07/ctb-locker.html
http://securityaffairs.co/wordpress/26763/cyber-crime/critroni-ransomware-use-tor.html
http://securityaffairs.co/wordpress/31993/cyber-crime/cryptowall-ransomware-2-0.html
http://securityaffairs.co/wordpress/21795/malware/tor-based-chewbacca-infect-pos.html
https://community.rapid7.com/community/infosec/blog/2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit
https://www.defcon.org/images/defcon-18/dc-18-presentations/D.Brown/DEFCON-18-Brown-TorCnC.pdf
https://blog.gdatasoftware.com/blog/article/botnet-command-server-hidden-in-tor.html
http://securityaffairs.co/wordpress/13747/cyber-crime/http-botnets-the-dark-side-of-an-standard-protocol.html
http://contagiodump.blogspot.it/2014/11/onionduke-samples.html?m=1
http://securelist.com/blog/events/58184/the-inevitable-move-64-bit-zeus-enhanced-with-tor/
http://securityaffairs.co/wordpress/17601/cyber-crime/botnet-behind-tor-traffic-surge.html

Source: http://resources.infosecinstitute.com/hunting-malware-deep-web/
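The cases above share a handful of host-side behaviours a threat hunter can look for: a tor.exe hollowed into svchost.exe that listens on the default SOCKS port 9050 (ZeuS), a system-binary name such as spoolsv.exe dropped into the Startup folder (ChewBacca), .onion names appearing in DNS, and outbound sessions to ports such as 9090 (the non-443 port in the CryptoWall 2.0 analysis). The Python below is an added example for this thread, not code from the article, InfoSec Institute, Security Affairs or any vendor cited; the telemetry records are constructed, the host names, PIDs and IP addresses (drawn from documentation ranges) are assumptions, and the port list is a heuristic rather than a reliable Tor fingerprint.

```python
"""Hunt for Tor-style C&C indicators in endpoint telemetry.

Added example for this thread, not code from the article or any vendor it
cites. The sample records below are constructed; hosts, PIDs and IPs
(203.0.113.x / 198.51.100.x documentation ranges) are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Process:
    host: str
    pid: int
    name: str   # image name as reported by the endpoint agent
    path: str   # full image path on disk


@dataclass(frozen=True)
class Socket:
    host: str
    pid: int
    state: str  # "LISTEN" or "ESTABLISHED"
    laddr: str
    lport: int
    raddr: str = ""   # empty for a listening socket
    rport: int = 0


@dataclass(frozen=True)
class DnsQuery:
    host: str
    qname: str


# Names ZeuS/ChewBacca hide behind; a real deployment would use a fuller list.
SYSTEM_IMAGE_NAMES = {"svchost.exe", "spoolsv.exe", "lsass.exe", "csrss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TOR_SOCKS_PORT = 9050            # tor.exe default, used by ZeuS and ChewBacca
# 9001/9030 are the conventional relay OR/Dir ports; 9090 is the non-443
# port from the CryptoWall 2.0 analysis. Heuristic only, not a Tor fingerprint.
TOR_FLAVOURED_REMOTE_PORTS = {9001, 9030, 9090}

Finding = Tuple[str, str, str]   # (rule, host, detail)


def owner_name(by_pid: Dict[Tuple[str, int], Process], sock: Socket) -> str:
    proc = by_pid.get((sock.host, sock.pid))
    return proc.name if proc else "unknown"


def hunt(processes: Sequence[Process], sockets: Sequence[Socket],
         dns: Sequence[DnsQuery]) -> List[Finding]:
    """Apply four behavioural rules and return every hit as (rule, host, detail)."""
    by_pid = {(p.host, p.pid): p for p in processes}
    findings: List[Finding] = []

    # Rule 1: a system-binary name running outside the system directories
    # (ChewBacca drops spoolsv.exe into the Startup folder).
    for p in processes:
        if p.name.lower() in SYSTEM_IMAGE_NAMES and not p.path.lower().startswith(SYSTEM_DIRS):
            findings.append(("masquerade_path", p.host, f"{p.name} pid {p.pid} from {p.path}"))

    for s in sockets:
        # Rule 2: a Tor SOCKS listener. A hollowed svchost.exe keeps its legitimate
        # path, so the listener, not the path, is what exposes the ZeuS case.
        if s.state == "LISTEN" and s.lport == TOR_SOCKS_PORT:
            findings.append(("tor_socks_listener", s.host,
                             f"{owner_name(by_pid, s)} pid {s.pid} on {s.laddr}:{s.lport}"))
        # Rule 3: outbound session to a Tor-flavoured port.
        if s.state == "ESTABLISHED" and s.rport in TOR_FLAVOURED_REMOTE_PORTS:
            findings.append(("tor_port_egress", s.host,
                             f"{owner_name(by_pid, s)} pid {s.pid} -> {s.raddr}:{s.rport}"))

    # Rule 4: .onion names must never reach a resolver (RFC 7686); a hit means a
    # Tor-aware client is on the host, whether or not its traffic is routed properly.
    for q in dns:
        if q.qname.lower().rstrip(".").endswith(".onion"):
            findings.append(("onion_dns_leak", q.host, q.qname))

    return findings


# Constructed telemetry: one ZeuS-style workstation, one ChewBacca-style POS host.
SAMPLE_PROCESSES = [
    Process("WS01", 1040, "svchost.exe", r"C:\Windows\System32\svchost.exe"),   # benign
    Process("WS01", 2288, "svchost.exe", r"C:\Windows\System32\svchost.exe"),   # hollowed, runs tor.exe
    Process("POS07", 3120, "spoolsv.exe",
            r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\spoolsv.exe"),
]
SAMPLE_SOCKETS = [
    Socket("WS01", 1040, "ESTABLISHED", "10.0.0.21", 49212, "198.51.100.5", 443),  # benign HTTPS
    Socket("WS01", 2288, "LISTEN", "127.0.0.1", 9050),
    Socket("POS07", 3120, "LISTEN", "127.0.0.1", 9050),
    Socket("POS07", 3120, "ESTABLISHED", "10.0.5.7", 50112, "203.0.113.10", 9090),
]
SAMPLE_DNS = [
    DnsQuery("WS01", "www.example.com"),
    DnsQuery("WS01", "egzh3ktnywjwabxb.onion"),   # onion name from the ZeuS analysis above
]

if __name__ == "__main__":
    for rule, host, detail in hunt(SAMPLE_PROCESSES, SAMPLE_SOCKETS, SAMPLE_DNS):
        print(f"{host:6} {rule:18} {detail}")
```

Run against the constructed records it reports five hits: the masquerading spoolsv.exe path, the two 9050 listeners (one of them owned by a svchost.exe with a perfectly legitimate path, which is why the listener rule matters), the 9090 egress from the POS host, and the .onion DNS leak, while the benign svchost.exe and its 443 session stay quiet. On real telemetry, feed it the process list, socket table and resolver log your EDR or Sysmon pipeline already produces, and treat the port rule as a triage signal to be confirmed against the owning process.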
10. Tor-ramdisk is a uClibc-based micro Linux distribution whose sole purpose is to securely host a Tor server purely in RAM. For those not familiar with Tor, it is a system which allows the user to construct encrypted virtual tunnels which are randomly relayed between Tor servers (nodes) until the connection finally exits to its destination on the internet. The encryption and random relaying resist traffic analysis in that a malicious sniffer cannot easily discover where the traffic is coming from or what data it contains. While not perfect in its efforts to provide users with anonymity, Tor does help protect against unscrupulous companies, individuals or agencies "watching us". For more information, see the Tor official site.

The usefulness of a RAM-only environment for Tor became apparent to me when Janssen was arrested by the German police towards the end of July, 2007. (You can read the full story in a CNET article.) While the police did not seize the computer for whatever reasons, they certainly could have. More typically, it would have been taken for forensic analysis of the data on the drives. Of course, if the computer housing the Tor server has no drives, there can be no question that it is purely a network relaying device and that one should look elsewhere for the "goods".

Other advantages became clear:

- It is useful to operators that want all traces of the server to disappear on powerdown. This includes the private SSL keys, which can be housed externally.
- The environment can be hardened in a manner specific to the limited needs of Tor.
- It has the usual speed advantages of diskless systems and can run on older hardware.

The only known disadvantage is that it cannot host Tor hidden services, which would require other services (e.g. http) and their resources (e.g. hard drive space) in addition to the Tor server itself. However, as a middle or exit node, it is ideal.

Read more: Tor-ramdisk | opensource.dyc.edu