
Re: [tor-talk] Wired Story on Uncovering Users of Hidden Services.

On 08/13/2014 03:01 PM, Anders Andersson wrote:
> On Wed, Aug 13, 2014 at 12:06 PM,  <blobby@xxxxxxxxxxxxxxx> wrote:
>> How, in this case, was it possible for the FBI to learn the IP
>> addresses of visitors to this hidden service? The Tor hidden server
>> page states that "In general, the complete connection between
>> client and hidden service consists of 6 relays: 3 of them were
>> picked by the client with the third being the rendezvous point and
>> the other 3 were picked by the hidden service."
>> Can someone knowledgeable please explain how visitors to a Tor
>> hidden service can have their real IPs detected?
> AFAIK the malware used JavaScript to break the users' browsers. As
> someone who argues against using JavaScript in any context, I can
> only say "told you so", but that doesn't really help anyone. :)
> Because they managed to get into the client browser, they could
> learn the real IP address and MAC address; they didn't learn this
> through Tor.

This is an old story. Here is an explanation from Wired[0]:

> The heart of the malicious Javascript was a tiny Windows executable
> hidden in a variable named “Magneto.” A traditional virus would use
> that executable to download and install a full-featured backdoor, so
> the hacker could come in later and steal passwords, enlist the
> computer in a DDoS botnet, and generally do all the other nasty
> things that happen to a hacked Windows box.
> But the Magneto code didn't download anything. It looked up the
> victim's MAC address, a unique hardware identifier for the
> computer's network or Wi-Fi card, and the victim's Windows hostname.
> Then it sent it to a server in Northern Virginia, bypassing
> Tor, to expose the user's real IP address, coding the transmission as
> a standard HTTP web request.
> “The attackers spent a reasonable amount of time writing a reliable
> exploit, and a fairly customized payload, and it doesn’t allow them
> to download a backdoor or conduct any secondary activity,” said Vlad
> Tsyrklevich, who reverse-engineered the Magneto code, at the time.
> The malware also sent a serial number that likely ties the target to
> his or her visit to the hacked Freedom Hosting-hosted website.

They didn't get the "real" IP address through the browser. Magneto just
sent information to the FBI's server directly, rather than through Tor.
Also, Magneto is a Windows executable ;)

Proper firewall rules would have prevented that leak. Those using Whonix
weren't affected, because nothing in the workspace knows the "real" IP
address (and also because it's Debian, not Windows).

[0] http://www.wired.com/2013/09/freedom-hosting-fbi/