<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">@ Samir:<br>
<br>
Breaking: het mag dan belangrijk nieuws zijn, maar laat die CAPS
uit de topic voortaan, alsjeblieft. :)<br>
<br>
Groeten,<br>
eu-Robert.<br>
<br>
<br>
Op 4-8-2013 22:20, Core TX schreef:<br>
</div>
<blockquote
cite="mid:CADOB0dXeGX0NYVCWqtYRbYYqvZ5SriZ55GUK68zQHJNSr7pHGQ@mail.gmail.com"
type="cite">
<div dir="ltr">BREAKING: HALF OF TOR SITES COMPROMISED, INCLUDING
TORMAIL<br>
<br>
The founder of Freedom Hosting has been arrested in Ireland and
is awaiting extradition to USA.<br>
<br>
In a crackdown that FBI claims to be about hunting down
pedophiles, half of the onion sites in the TOR network has been
compromised, including the e-mail counterpart of TOR deep web,
TORmail.<br>
<br>
<a moz-do-not-send="true"
href="http://www.independent.ie/irish-news/courts/fbi-bids-to-extradite-largest-childporn-dealer-on-planet-29469402.html"
rel="nofollow">http://www.independent.ie/irish-news/courts/fbi-bids-to-extradite-largest-childporn-dealer-on-planet-29469402.html</a><br>
<br>
This is undoubtedly a big blow to the TOR community, Crypto
Anarchists, and more generally, to Internet anonymity. All of
this happening during DEFCON.<br>
<br>
If you happen to use and account name and or password
combinations that you have re used in the TOR deep web, change
them NOW.<br>
<br>
Eric Eoin Marques who was arrested runs a company called Host
Ultra Limited.<br>
<br>
<a moz-do-not-send="true"
href="http://www.solocheck.ie/Irish-Company/Host-Ultra-Limited-399806"
rel="nofollow">http://www.solocheck.ie/Irish-Company/Host-Ultra-Limited-399806</a><br>
<a moz-do-not-send="true" href="http://www.hostultra.com/"
rel="nofollow">http://www.hostultra.com/</a><br>
<br>
He has an account at WebHosting Talk forums.<br>
<br>
<a moz-do-not-send="true"
href="http://www.webhostingtalk.com/showthread.php?t=157698"
rel="nofollow">http://www.webhostingtalk.com/showthread.php?t=157698</a><br>
<br>
A few days ago there were mass outages of Tor hidden services
that predominantly effected Freedom Hosting websites.<br>
<br>
<a moz-do-not-send="true"
href="http://postimg.org/image/ltj1j1j6v/" rel="nofollow">http://postimg.org/image/ltj1j1j6v/</a><br>
<br>
"Down for Maintenance<br>
Sorry, This server is currently offline for maintenance. Please
try again in a few hours."<br>
<br>
If you saw this while browsing Tor you went to an onion hosted
by Freedom Hosting. The javascript exploit was injected into
your browser if you had javascript enabled.<br>
<br>
What the exploit does:<br>
<br>
The JavaScript zero-day exploit that creates a unique cookie and
sends a request to a random server that basically fingerprints
your browser in some way, which is probably then correlated
somewhere else since the cookie doesn't get deleted. Presumably
it reports the victim's IP back to the FBI.<br>
<br>
An iframe is injected into FH-hosted sites:<br>
<br>
TOR/FREEDOM HOST COMPORMISED<br>
By: a guest on Aug 3rd, 2013<br>
<a moz-do-not-send="true" href="http://pastebin.com/pmGEj9bV"
rel="nofollow">http://pastebin.com/pmGEj9bV</a><br>
<br>
Which leads to this obfuscated code:<br>
<br>
Javascript Mozilla Pastebin<br>
Posted by Anonymous on Sun 4th Aug 02:52<br>
<a moz-do-not-send="true"
href="http://pastebin.mozilla.org/2776374" rel="nofollow">http://pastebin.mozilla.org/2776374</a><br>
<br>
FH STILL COMPROMISED<br>
By: a guest on Aug 3rd, 2013<br>
<a moz-do-not-send="true" href="http://pastebin.com/K61QZpzb"
rel="nofollow">http://pastebin.com/K61QZpzb</a><br>
<br>
FBI Hidden Service in connection with the JavaScript exploit:<br>
7ydnpplko5lbgfx5<br>
<br>
Who's affected Time scales:<br>
<br>
Anyone who accessed an FH site in the past two days with
JavaScript enabled. Eric Eoin Marques was arrested on Sunday so
that's the earliest possible date.<br>
<br>
"In this paper we expose flaws both in the design and
implementation of Tor’s hidden services that allow an attacker
to measure the popularity of arbitrary hidden services, take
down hidden services and deanonymize hidden services<br>
Trawling for Tor Hidden Services: Detection, Measurement,
Deanonymization"<br>
<br>
<a moz-do-not-send="true"
href="http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf"
rel="nofollow">http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf</a><br>
<br>
The FBI Ran a Child Porn Site for Two Whole Weeks<br>
<a moz-do-not-send="true"
href="http://gizmodo.com/why-the-fbi-ran-a-child-porn-site-for-two-whole-weeks-510247728"
rel="nofollow">http://gizmodo.com/why-the-fbi-ran-a-child-porn-site-for-two-whole-weeks-510247728</a><br>
<br>
<a moz-do-not-send="true"
href="http://postimg.org/image/o4qaep8pz/" rel="nofollow">http://postimg.org/image/o4qaep8pz/</a><br>
<br>
On any other day one would say these sick perverts got what they
deserved. Unfortunately the Feds are stepping far beyond just
pedophiles in this latest issue.<br>
<br>
The js inserted at Freedom Hosting? Nothing really, just an
iframe inject script with a UUID embedded server-side.<br>
<br>
The iframe then delivers an exploit kit that appears to be a
JavaScript 0day leading to...something. It only attempts to
exploit Firefox (17 and up) on Windows NT. There's definitely
some heap spraying and some possible shell code. The suspect
shell code block contains some strings that look to formulate an
HTTP request, but I haven't been able to collect the final
payload yet. The shell code also contains the UUID with which
the exploit was delivered. Any UUID will work to get this part
of the exploit.<br>
<br>
I'm still pulling this little bundle of malware apart. So far,
I've got that the attack is split across three separate files,
each loaded into an iframe. Calls are made between the frames to
further obfuscate the control flow. The 'content_2.html' and
'content_3.html' files are only served up if the request "looks
like" Firefox and has a correct Referer header. The
'content_2.html' is loaded from the main exploit iframe and in
turn loads 'content_3.html'.<br>
<br>
Short version. Preliminary analysis: This little thing probably
CAN reach out without going through Tor. It appears to be
exploiting the JavaScript runtime in Firefox to download
something.<br>
<br>
UPDATE: The exploit only affects Firefox 17 and involves several
JS heap-sprays. Note that the current Extended Support Release
is Firefox 17, so this may also affect some large organizations
using Firefox ESR.<br>
<br>
<a moz-do-not-send="true"
href="http://pastebin.mozilla.org/2777139" rel="nofollow">http://pastebin.mozilla.org/2777139</a><br>
<br>
The script will only attempt the exploit on Firefox 17, so I'm
no longer worried about it being some new 0day. Enough of the
"Critical" MFSAs are for various sorts of memory corruption that
I don't have the time to find out if this is actually a new
exploit or something seen before.<br>
<br>
<a moz-do-not-send="true"
href="http://postimg.org/image/mb66vvjsh/" rel="nofollow">http://postimg.org/image/mb66vvjsh/</a><br>
<br>
Logical outcomes from this?<br>
<br>
1. FBI/NSA just shut down the #1 biggest hosting site and #1
most wanted person on Tor<br>
<br>
2. Silkroad is next on their list, being the #2 most wanted (#1
was Child Porn, #2 is drugs)<br>
<br>
3. Bitcoin and all crypto currenecies set to absolutely CRASH as
a result since the feds can not completely control this currency
as they please.<br>
<br>
I don't always call the Feds agenda transparent, but when i do,
I say they can be trying harder. </div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Algemeen discussielijst | Piratenpartij
<a class="moz-txt-link-abbreviated" href="mailto:Algemeen@lists.piratenpartij.nl">Algemeen@lists.piratenpartij.nl</a>
<a class="moz-txt-link-freetext" href="https://lists.piratenpartij.nl/mailman/listinfo/algemeen">https://lists.piratenpartij.nl/mailman/listinfo/algemeen</a>
</pre>
</blockquote>
<br>
</body>
</html>