Tor Gets Torched

What has changed after law enforcement took down several illegal marketplaces as part of Operation Onymous?

The recent shutdown of several black marketplaces in the Tor network, including the popular Silk Road 2.0, has drawn media attention to the extent of illegal activity in the part of the web known as the Deep Web. Operation Onymous, coordinated by Europol’s European Cybercrime Centre (EC3), dealt a major blow to organized crime groups intent on exploiting anonymizing networks like Tor.

Following the euphoria over the success of the operation by the police of many countries, privacy and security experts have begun to question how the police were able to locate the servers hosting the hidden services and the operators who ran the illegal activities. Members of the Tor Project published a blog post titled Thoughts and Concerns about Operation Onymous, in which they try to explain how law enforcement managed to locate the hidden services.

“Over the last few days, we received and read reports saying that several Tor relays were seized by government officials. We do not know why the systems were seized, nor do we know anything about the methods of investigation which were used.” states the post.

They hypothesized that law enforcement exploited one of the following scenarios:

  • Lack of Operational Security of hidden services.
  • Exploitation of bugs in the web application.
  • Bitcoin de-anonymization.
  • Attacks on the Tor network.

The anonymity of the location of a server behind a hidden service is ensured only under the following conditions:

  • The hidden service must be properly configured.
  • The web server must not be vulnerable: it must be free of known flaws and properly configured.
  • The web application must have no flaws.

An attacker able to exploit a vulnerability in the web server or in the web application (e.g. the e-commerce system the operators expose to offer their illegal products) could easily compromise the targeted hidden service.

For example, an SQL injection flaw could give access to many functions of the hidden service and allow the attacker to dump its database.

The list of dark markets seized by law enforcement includes Alpaca, Black Market, Blue Sky, Bungee 54, CannabisUK, Cloud Nine, Dedope, Fake Real Plastic, FakeID, Farmer1, Fast Cash!, Flugsvamp, Golden Nugget, Hydra, Pablo Escobar Drugstore, Pandora, Pay Pal Center, Real Cards, Silk Road 2.0, Smokeables, Sol’s Unified USD Counterfeit’s, Super Note Counter, Tor Bazaar, Topix, The Green Machine, The Hidden Market and Zero Squad.

Security researchers at Kaspersky Stefan Tanase and Sergey Lozhkin wrote an interesting blog post analyzing the impact of the recent law enforcement operation on the Dark Web.

According to the researchers, the takedown affected a limited number of onion sites, just 5 percent; nearly 21 percent are still alive and 74 percent of the onion addresses are offline.

“Right now there are 4 times more hidden websites online in the Tor network than those that were shutdown.” state the researchers in the post.

Security experts consider the effect transient: unfortunately, cybercrime is nearly impossible to eradicate completely, and the researchers are aware that new illegal services will soon replace the websites that were taken down.

Experts at Kaspersky analyzed the number of hidden services set up after the Operation Onymous takedown. The following graph shows the number of new .onion addresses appearing each day, with an evident spike just after the law enforcement operation.

[Graph: new .onion addresses appearing each day around Operation Onymous]

Analysis of the lifetime of the onion sites taken down in Operation Onymous shows that most of the targeted websites were alive for at least 200 days on average, but usually not more than 300 days.

[Graph: lifetime of the onion sites taken down in Operation Onymous]

The experts at Kaspersky explained that to de-anonymize Tor users it is possible to compromise a poorly configured server or the web application it exposes; there is no need to search for and exploit an alleged vulnerability in the Tor architecture.

The researchers state that to find the physical location of a server it is possible to compromise it and install a backdoor, for example by exploiting a vulnerability in a third-party application used by the dark marketplace.

Another possibility for law enforcement is to compromise, with spyware, the machine of the administrator of an illegal website, located through ordinary investigation; in this way the agents gain access to the machine and collect information on the administrator’s activities and network of contacts.

“This could be easier than it seems: for example, if a vulnerability is found in a hidden service, it is possible to rig its admin page with an exploit and wait for when the drug shop administrator will access his site. Then he would be infected with malware as a result of this highly targeted waterhole attack.” states the post.

The researchers also mentioned the possibility of infiltrating the operators of the dark market or hitting them with spear-phishing.

In summary: no one really knows how law enforcement located the servers behind the illegal hidden services.

Research has also revealed that more than 81 percent of Tor clients can be de-anonymized by exploiting a new traffic analysis attack based on NetFlow technology.

A team of researchers conducted a study between 2008 and 2014 on the de-anonymization of Tor users, working to disclose their originating IP addresses.

A group led by Professor Sambuddho Chakravarty, now researching network anonymity and privacy at the Indraprastha Institute of Information Technology in Delhi, has published numerous papers on the topic over recent years. Chakravarty claims that his team reached a 100 percent ‘decloaking’ success rate under laboratory conditions.

The research revealed that more than 81 percent of Tor clients can be de-anonymized by exploiting the NetFlow technology designed by Cisco for its network appliances.

NetFlow was introduced by Cisco in its routers as an instrument to collect IP network traffic statistics as traffic enters or exits an interface. The data provided by NetFlow allows a network administrator to characterize the traffic handled by the router and identify the causes of congestion. The protocol is a de facto standard and today runs by default on hardware from many other network device manufacturers.

The technique proposed by Chakravarty implements an active traffic analysis: specific perturbations are introduced into the traffic on the server side, and a similar perturbation is looked for on the client side through statistical correlation.

“We present an active traffic analysis method based on deliberately perturbing the characteristics of user traffic at the server side, and observing a similar perturbation at the client side through statistical correlation. We evaluate the accuracy of our method using both in-lab testing, as well as data gathered from a public Tor relay serving hundreds of users. Our method revealed the actual sources of anonymous traffic with 100% accuracy for the in-lab tests, and achieved an overall accuracy of about 81.4% for the real-world experiments, with an average false positive rate of 6.4.” states the paper.

In previous research Chakravarty demonstrated that access to a few Internet exchange points is enough to monitor a significant percentage of the network paths from Tor nodes to destination servers. This means that a powerful and persistent attacker can run traffic analysis attacks by observing similar traffic patterns at various points in the network.

The new research shows how to run an effective, large-scale traffic analysis attack with far less traffic monitoring capability, using only flow-level data such as Cisco’s NetFlow.

Unlike previous research, this new traffic analysis attack would not necessarily need the resources of a government to run the monitoring activity; the researchers explained that a single AS (Autonomous System) could monitor more than 39 percent of randomly generated Tor circuits.

The traffic analysis attack does not require the enormous infrastructural effort of the previous technique; instead it exploits one or more high-bandwidth, high-performance Tor relays. For its tests the team used a modified public Tor server, hosted at the time at Columbia University and running on Linux.


The researchers simulated the Internet activity of a typical Tor user: they injected a repeating traffic pattern (i.e. HTML files) into the TCP connection they saw originating at the target exit node, and then analyzed the traffic at the exit node, as derived from the router’s flow records, to improve client identification.


In a first phase the research was conducted in a lab environment with surprising results; in a second phase the team started live sessions using real Tor traffic. The team analyzed the traffic obtained from its public Tor relay, which served hundreds of Tor circuits simultaneously.

The targeted victims were hosted at three different locations on PlanetLab, the global research network that supports the development of new network services. The chosen locations were Texas (US), Leuven (Belgium) and Corfu (Greece).

The victim clients downloaded a large file from a server that deliberately introduced perturbations in the traffic of the arriving TCP connection, thereby injecting a traffic pattern into the stream between the server and the exit node.

“The process was terminated after a short while and we computed the correlation between the bytes transferred between the server and the recently terminated connection from the exit node and the entry node and the several clients that used it, during this interval.” states the paper.

The live test session was organized in two parts: a first session to evaluate the effectiveness when retrieving data from open-source NetFlow packages, and a second round in which the team used sparse data obtained from its institutional Cisco router.
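To make the correlation step of the method described above concrete, here is an added illustration (not code from the paper or the Tor Project) on constructed NetFlow-style per-interval byte counts: a server-side on/off pattern is scored against several candidate client flows with a plain Pearson correlation, and a constant-rate shaped flow is included to show why cover traffic removes the signal the method depends on. The function and flow names and all numbers are assumptions made for this illustration.

```python
import math
import random

# Constructed data, not the paper's measurements: one NetFlow-style byte count
# per interval for each flow. Seeds are fixed so the run is reproducible.
INTERVALS = 40

def server_pattern(seed=1):
    """Bytes the perturbing server sends per interval: a repeating on/off
    pattern (bursty intervals of ~50 kB alternating with near-idle ones)."""
    rng = random.Random(seed)
    return [50_000 + rng.randint(-2000, 2000) if (t // 4) % 2 == 0
            else 500 + rng.randint(0, 200) for t in range(INTERVALS)]

def pearson(xs, ys):
    """Pearson correlation of two equal-length series; 0.0 if either is flat."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0

def victim_flow(pattern, seed=2):
    """Entry-side flow record of the real client: the same pattern after Tor's
    cell framing overhead, plus jitter and unrelated background bytes."""
    rng = random.Random(seed)
    return [int(b * 1.05) + rng.randint(0, 3000) for b in pattern]

def unrelated_flow(seed):
    """Flow record of a client that never talked to the perturbing server."""
    rng = random.Random(seed)
    return [rng.randint(0, 60_000) for _ in range(INTERVALS)]

def shaped_flow(pattern, rate=60_000):
    """Mitigation sketch: constant-rate cover traffic. The client's flow record
    carries the same byte count every interval, so there is no pattern to match."""
    return [rate for _ in pattern]

def rank_clients(pattern, flows):
    """Score every candidate client against the injected pattern, best first."""
    scores = {name: pearson(pattern, flow) for name, flow in flows.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

def demo():
    pattern = server_pattern()
    flows = {"victim": victim_flow(pattern)}
    flows.update({f"other{i}": unrelated_flow(10 + i) for i in range(5)})
    flows["shaped"] = shaped_flow(pattern)
    return rank_clients(pattern, flows)

if __name__ == "__main__":
    for name, r in demo():
        print(f"{name:8s} r={r:+.3f}")
```

The real client ranks first with a correlation near 1, the unrelated clients score near 0, and the shaped flow scores exactly 0 because a flat series has no variance to correlate; real flow records are coarser and noisier than this, which is where the paper's 81.4% figure and its false positives come from.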


De-anonymization of Tor users is a primary goal for law enforcement and intelligence agencies, which have the computational resources to run similar attacks. Many experts speculate that the recent Operation Onymous, which led to the seizure of several dark marketplaces including the popular Silk Road 2.0, may also have exploited a traffic analysis attack against the Tor network to identify the operators of the black markets.

Experts at F-Secure discovered a link between the crew operating a rogue Tor node used to spread the OnionDuke malware and the MiniDuke APT.

A few weeks ago security researcher Josh Pitts of Leviathan Security Group identified a Russian Tor exit node that was patching binaries downloaded by users with malware.

The researcher informed officials of the Tor Project, who flagged the Tor exit node as bad.

“We’ve now set the BadExit flag on this relay, so others won’t accidentally run across it. We certainly do need more people thinking about more modules for the exitmap scanner. In general, it seems like a tough arms race to play,” wrote Roger Dingledine, one of the original developers of Tor.

The officials of the privacy service immediately shut down the malicious Tor exit node; new investigations on the case reveal that the threat actors who managed the node had been serving malware through this scheme for more than a year.

Pitts discovered that the attackers abused the Tor exit node to serve a backdoor to the victim’s PC during file downloads, through a man-in-the-middle attack.

Security experts at F-Secure discovered that the rogue exit node was tied to the MiniDuke crew. MiniDuke is the name of a sophisticated cyber espionage campaign discovered more than a year ago by experts at Kaspersky Lab and Hungary’s Laboratory of Cryptography and System Security (CrySyS). The MiniDuke APT infected dozens of machines at government agencies across Europe by exploiting a security flaw in Adobe software; the malicious payload is dropped once the victim opens a malicious PDF file.

The malware was designed to steal sensitive information from government organizations and high-profile entities; the level of sophistication and the nature of the chosen targets suggest that the attacks are part of a state-sponsored espionage campaign.

The backdoor’s coding style reminded the experts of a malware writing group believed to be extinct: 29A. The value 29A in hex means 666 and, perhaps unsurprisingly, was also left by the attackers as a clue in the code.

The 29A group published its first malware magazine in December 1996 and was active until February 2008, when Virusbuster, the last standing member, announced the group’s dissolution.

“Their use of multiple levels of encryption and clever coding tricks made the malware hard to detect and difficult to reverse engineer. The code also contained references to Dante Alighieri’s Divine Comedy and alluded to 666, the “mark of the beast” discussed in the biblical Book of Revelation.” wrote Ars Technica in a blog post.

According to the experts, “OnionDuke”, the name assigned to the malware spread through the bogus exit node, is a different malware from those used in the past by the threat actor behind MiniDuke.

It must be noted that none of the five domains contacted by OnionDuke are dedicated malicious servers; instead they are legitimate websites compromised by the threat actors.

The experts identified different samples of the malware and multiple other components of the OnionDuke malware family, designed to execute specific tasks such as data stealing.

“Through our research, we have also been able to identify multiple other components of the OnionDuke malware family. We have, for instance, observed components dedicated to stealing login credentials from the victim machine and components dedicated to gathering further information on the compromised system like the presence of antivirus software or a firewall.” states the post. “Most of these components don’t embed their own C&C information but rather communicate with their controllers through the original backdoor process.”

The analysis of the various samples nonetheless allowed the researchers at F-Secure to discover the link with the MiniDuke gang: the owner of the Command & Control (C&C) server used to manage a sample of the OnionDuke malware spread through the malicious exit node, W32/OnionDuke.A, is the same one involved with the MiniDuke agent.

This circumstance suggests that although OnionDuke and MiniDuke are two separate strains of malware, the threat actors behind them shared the control infrastructure.

“One component, however, is an interesting exception. This DLL file (SHA1 d433f281cf56015941a1c2cb87066ca62ea1db37, detected as Backdoor:W32/OnionDuke.A) contains among its configuration data a different hardcoded C&C domain, overpict.com and also evidence suggesting that this component may abuse Twitter as an additional C&C channel. What makes the overpict.com domain interesting, is it was originally registered in 2011 with the alias of “John Kasai”. Within a two-week window, “John Kasai” also registered the following domains: airtravelabroad.com, beijingnewsblog.net, grouptumbler.com, leveldelta.com, nasdaqblog.net, natureinhome.com, nestedmail.com, nostressjob.com, nytunion.com, oilnewsblog.com, sixsquare.net and ustradecomp.com. This is significant because the domains leveldelta.com and grouptumbler.com have previously been identified as C&C domains used by MiniDuke.” reports F-Secure in the blog post.

The experts suggest the use of encrypted channels to prevent manipulation of binaries in transit, as occurred in the spread of the OnionDuke malware.

“SSL/TLS is the only way to prevent this from happening. End-users may want to consider installing HTTPS Everywhere or similar plugins for their browser to help ensure their traffic is always encrypted,” said Pitts.

Readers interested in analyzing samples of the malware can read the post published on Contagio.

###
Pierluigi Paganini is a security researcher and consultant who blogs here http://securityaffairs.co/wordpress/