BREAKING: HALF OF TOR SITES COMPROMISED, INCLUDING TORMAIL

The founder of Freedom Hosting has been arrested in Ireland and is awaiting extradition to the USA.

In a crackdown that the FBI claims is about hunting down pedophiles, half of the onion sites on the TOR network have been compromised, including the e-mail counterpart of the TOR deep web, TORmail.

http://www.independent.ie/irish-news/courts/fbi-bids-to-extradite-largest-childporn-dealer-on-planet-29469402.html

This is undoubtedly a big blow to the TOR community, Crypto Anarchists, and more generally, to Internet anonymity. All of this is happening during DEFCON.

If you have reused any account name and/or password combination on the TOR deep web, change them NOW.

Eric Eoin Marques, who was arrested, runs a company called Host Ultra Limited.

http://www.solocheck.ie/Irish-Company/Host-Ultra-Limited-399806
http://www.hostultra.com/

He has an account at WebHosting Talk forums.

http://www.webhostingtalk.com/showthread.php?t=157698

A few days ago there were mass outages of Tor hidden services that predominantly affected Freedom Hosting websites.

http://postimg.org/image/ltj1j1j6v/

“Down for Maintenance
Sorry, This server is currently offline for maintenance. Please try again in a few hours.”

If you saw this while browsing Tor, you visited an onion site hosted by Freedom Hosting. If you had JavaScript enabled, the JavaScript exploit was injected into your browser.

What the exploit does:

The JavaScript zero-day exploit creates a unique cookie and sends a request to a random server that fingerprints your browser in some way; since the cookie doesn’t get deleted, this is probably then correlated somewhere else. Presumably it reports the victim’s IP back to the FBI.

An iframe is injected into FH-hosted sites:

TOR/FREEDOM HOST COMPROMISED
By: a guest on Aug 3rd, 2013
http://pastebin.com/pmGEj9bV

Which leads to this obfuscated code:

Javascript Mozilla Pastebin
Posted by Anonymous on Sun 4th Aug 02:52
http://pastebin.mozilla.org/2776374

FH STILL COMPROMISED
By: a guest on Aug 3rd, 2013
http://pastebin.com/K61QZpzb

FBI Hidden Service in connection with the JavaScript exploit:
7ydnpplko5lbgfx5

Who’s affected, and over what time scale:

Anyone who accessed an FH site in the past two days with JavaScript enabled. Eric Eoin Marques was arrested on Sunday so that’s the earliest possible date.

“In this paper we expose flaws both in the design and implementation of Tor’s hidden services that allow an attacker to measure the popularity of arbitrary hidden services, take down hidden services and deanonymize hidden services.”
Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization

http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf

The FBI Ran a Child Porn Site for Two Whole Weeks
http://gizmodo.com/why-the-fbi-ran-a-child-porn-site-for-two-whole-weeks-510247728

On any other day one would say these sick perverts got what they deserved. Unfortunately the Feds are stepping far beyond just pedophiles in this latest issue.

The js inserted at Freedom Hosting? Nothing really, just an iframe inject script with a UUID embedded server-side.

The iframe then delivers an exploit kit that appears to be a JavaScript 0day leading to…something. It only attempts to exploit Firefox (17 and up) on Windows NT. There’s definitely some heap spraying and some possible shell code. The suspect shell code block contains some strings that look to formulate an HTTP request, but I haven’t been able to collect the final payload yet. The shell code also contains the UUID with which the exploit was delivered. Any UUID will work to get this part of the exploit.

I’m still pulling this little bundle of malware apart. So far, I’ve got that the attack is split across three separate files, each loaded into an iframe. Calls are made between the frames to further obfuscate the control flow. The ‘content_2.html’ and ‘content_3.html’ files are only served up if the request “looks like” Firefox and has a correct Referer header. The ‘content_2.html’ is loaded from the main exploit iframe and in turn loads ‘content_3.html’.

Short version. Preliminary analysis: This little thing probably CAN reach out without going through Tor. It appears to be exploiting the JavaScript runtime in Firefox to download something.

UPDATE: The exploit only affects Firefox 17 and involves several JS heap-sprays. Note that the current Extended Support Release is Firefox 17, so this may also affect some large organizations using Firefox ESR.

http://pastebin.mozilla.org/2777139

The script will only attempt the exploit on Firefox 17, so I’m no longer worried about it being some new 0day. Enough of the “Critical” MFSAs are for various sorts of memory corruption that I don’t have the time to find out if this is actually a new exploit or something seen before.
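The injection described above (a hidden iframe carrying a per-visitor UUID, dropped into a "Down for Maintenance" page) is the kind of artifact a defender can scan served HTML for. The following is an added example, not code from the original post or from any of the pastes it links to; the sample page, the UUID and the `content_1.html` path are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a maintenance page with an injected 1x1 hidden iframe
# whose src carries a per-visitor UUID, next to a benign, normally sized iframe.
SAMPLE_HTML = """<html><body>
<h1>Down for Maintenance</h1>
<p>Sorry, This server is currently offline for maintenance.</p>
<iframe src="/content_1.html?uuid=3f2c8a3e-1b9d-4b7e-9c1a-5d6e7f8a9b0c"
        width="1" height="1" style="display:none"></iframe>
<iframe src="https://example.invalid/video" width="640" height="360"></iframe>
</body></html>"""

# RFC 4122 style UUID (8-4-4-4-12 hex groups), case-insensitive.
UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in the document."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})

def is_hidden(attrs):
    """Heuristic: 0/1 pixel dimensions or display:none / visibility:hidden styling."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = (attrs.get("width", "").strip() in ("0", "1")
            or attrs.get("height", "").strip() in ("0", "1"))
    return tiny or "display:none" in style or "visibility:hidden" in style

def find_suspicious_iframes(html):
    """Return iframes that are hidden and/or carry a UUID token in their src."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.frames:
        src = attrs.get("src", "")
        uuid = UUID_RE.search(src)
        hidden = is_hidden(attrs)
        if hidden or uuid:
            hits.append({"src": src, "hidden": hidden,
                         "uuid": uuid.group(0) if uuid else None})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_HTML):
        print(hit)
```

Run it over pages fetched from a hosting provider's sites (or a saved copy of the maintenance page) to flag frames that are both invisible and tagged with a tracking token.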

Logical outcomes from this?

1. FBI/NSA just shut down the #1 biggest hosting site and #1 most wanted person on Tor

2. Silkroad is next on their list, being the #2 most wanted (#1 was Child Porn, #2 is drugs)

3. Bitcoin and all cryptocurrencies set to absolutely CRASH as a result, since the feds cannot completely control this currency as they please.

I don’t always call the Feds’ agenda transparent, but when I do, I say they can be trying harder.

source: http://www.twitlonger.com/show/n_1rlo0uu

26 thoughts on “BREAKING: HALF OF TOR SITES COMPROMISED, INCLUDING TORMAIL”

  1. The tor network is already compromised by XKeyScore. If NSA logs all internet traffic via backdoors on routers, then nothing on tor is protected.

    Tor has a known weakness: if someone has many Tor nodes they can track entry relay and exit node traffic. If the NSA monitors routers they can do the same thing.

    • Look at this hidden service:
      the lowest fee for sellers (2,5%):
      2ezzk6klfctmhjkn.onion
      It’s pretty new, since I didn’t see any product or seller there yet.

    • Nothing is in your computer. The script executed, saved nothing, sent a request, and cleaned up.

  2. The Internet is based on DARPA. So why do we not leave the net for good and make an alternative net? Use the combo between the best of SSH and VPN that can also bounce like the TOR network, along with open source. All the IDs would be bouncy and not fixed. Use also free alternatives to Flash, JavaScript, etc. Build the strong encryption fence. Last but not least, while there is still time, why not build a strong and portable satellite of our own? Use them near the stratosphere, with an abundance of perpetual ether-powered machines. I’m not talking about the meshnet but something exactly like that. The Feds easily look toward us, the Internet users, since they had their architecture from the first place. Why not all contribute to make something new: the alternet, as flexible as the current Internet but also as secure as the freenet.

    • It does not matter what you create. When they control the laws, they can declare whatever you create illegal and break down your door.

    • Yeah, I think that’s a great idea: we create a new internet with mirror sites from the real internet, only this will be created on a base that does not enable tracking. It’s like integrated 100% privacy within the router so that there is just no way of tracking back people (or something like that^^), then sell the device on the internet for a reasonable price. But then the FBI and government will have their little crisis because we created something they can’t control, so obviously when the little baby government can’t play within our sand castle they destroy it, so they will just destroy our satellite. They think everything belongs to them: the planet, the atmosphere, the air, the humans, even the virtual stuff like the internet. I mean, who the fuck do they think they are to control everything and anything that doesn’t really belong to anybody? I would rather die than lose the rest of my freedom and privacy that’s left.

  3. It’s not me, so I don’t care what they do, and I’ll do nothing to stop them from doing what they do to other people.

  4. Are you kidding me? You’re just like the Polish/other countries with Jewish populations during WW2 that didn’t care what happened to them as long as it wasn’t you… and then in the future you were the ones working in sweat shop camps….. with very little food…. You’d think people would learn from the past….. If we don’t all stand up for each other, then divided we will fall!!!

    • Let’s just stand and fight by each other, considering all of us just part of the same planet. We are human beings and we are being ruled by untrustworthy governments, who MAKE the laws, who BREAK the laws, and we don’t yet know all their “TOP SECRET” (dangerous) files we should beware of. So if we have UNITY we have POWER!! (Why do you think governments are always creating conflicts and manipulating their people with hate?)

    • Polish people were helping Jews and many of them died like the Jews in German camps, you dumb motherfucker! The Polish secret service sent the allies in the west info about what was happening in the camp in Oswiecim, but GB and the USA did NOTHING. They could have bombed the facility, or just bombed the train station nearby where hundreds or thousands of people were transported every month to be killed like animals, but they DID NOTHING! Now you are sitting in your warm chair and writing this bullshit… Just like they did those days in the past. Burn in hell!!!

        • Chris, you’re right….The US should have bombed those train stations, because you know, there were thousands of innocents sitting at them. While they were at it, they should have bombed the concentration camps too. That would have put a stop to all the killing. See, you people need to make up your minds, you hate the USA now because they act as world police. You hated them then because they didn’t. Get off your drugs and actually think about the stupid shit coming out of your mouth for once. And maybe, just maybe, read a few history books from multiple sources. You might learn something you weren’t told by retard on a bench.
          On another note, I agree with Mr. Anon.

          • I asked my grandfather about 20 years ago… he and his brother were at Oswiencim (Auschwitz) and only he survived. He said hundreds managed to get messages out or even escape but no help ever came. Problem is not when US is being World Police, because that’s always welcome from any moral authority… the problem is when that country uses that excuse to further their own profitable agenda – which has been an unfortunate occurrence all too often in past few decades.

            If you read too many books written by one side you will have a biased opinion… there are still people alive from those days and who died already have written accounts, that’s where you will find the closest facts. It’s also important to read the german officers accounts too. No Government approved text will ever provide you full truth.

            To use another example, the Irish Famine is grossly misrepresented in history… in my opinion it was a Holocaust in its own right.

            Finally, I too agree with Mr Anon. :)

  5. Hi folks…
    First thing: I’m a total noob. I recently started learning things as basic as how to hide my IP address. (I can hear the laughter from here!) Right now, I’m simply using a free proxy and inserting that into my Proxy network preferences on my Mac. But I’m not convinced that I’m actually hidden. Any pointers? And how do I make sure I’m not wading into some honeypot/tarpit?
    Anyway, I’ve been scouring the net for as much info as I can, but I’m not sure what is and what isn’t accurate, as there’s so much info by so many (questionable) sources.
    Here’s my question: Can anyone point me in the direction of how to begin learning some basics, like how to best hide my IP address? How do I create an email address that can’t be linked to my actual one? Also, how do I best locate the best forums?
    Any help/suggestions will be greatly appreciated. And please take it easy on me. This is literally my first time reaching out.
    best
    Z

    • You can hide your IP using proxies; however, you can never be sure that said proxy doesn’t save your IP, record your activity and finally sell you out.
      Freenet and Tor are the best ways to hide your identity. However, Tor is hard to navigate now, as the hidden wiki, which was part of FH, is down now.
      Another way to stay hidden is not to tell the world what products you are using.
      I don’t know much about it, but I think Freenet has good security; you might want to look into that. Anyone correct me if I’m wrong here.

      I never tried to, but I have an idea on how to stay anonymous using mail:
      (note that all of the following is speculation; it might not work at all, even if I don’t know how it could fail.)
      To make an email that cannot be linked to you, the best idea might be to
      find a public computer (which isn’t close to your home),
      create your account there (of course without similarities to your actual one),
      while making sure nobody can see your face (including cameras),
      while wearing clothes which cannot be traced back (maybe hand made, stolen or bought while managed to stay anonymous (obviously not using a card)).
      Then, never access the mail address using your home computer, or any notebook belonging to you or anyone you know.
      if you want to be really careful, you should use different public places to access your mail.
      Do not select their locations on how easy they are to access for you, but do not neglect those either, otherwise it could give hints to your own location.

  6. So… I’ve just discovered Tor & the Deep Web, & after reading this, I’m not advanced in the technical stuff, but it sounds to me like Tor could still be safe to use if JavaScript is disabled. When I tried to research how to do this, I found that my freshly downloaded copy of the Tor Bundle already has Java disabled by default. So it sounds like F.H. has already found a solution to the threat.

    I’m no computer expert, but does anyone who knows more than me have any thoughts on this?
