[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] TOR tried to take a snapshot of my screen

22.08.2014, 23:38 BM-2cVvnFWSftFx8dv12L8z8PjejmtrjYjnUY@xxxxxxxxxxxxx:
> Hi,
> I have TOR 3.6.3 installed in a Windows XP computer that is used almost
> just for it with very few additional software installed.
> My understanding is that a potential attacker will test his
> exploit/approach against most of the security software available, but
> possibly will not be able to test against ALL of them, so I have a
> miscelaneous of popular and not popular security software installed in the
> same computer; among them is a not so common anti spyware called Zemana.
> I am using TOR browser and Zemana for years and I am familiar with the
> behaviour of both.
> The TOR I am running has just the extensions that comes with it; no
> additional extension was installed; no plug-in is installed.
> I have proper licenses to run all the software, including Zemana, so no
> crack or other suspicious tool was ever used.
> Zemana is a quiet software and I can not remember about any single fake
> alert.
> Few days ago, while browsing with TOR, I got a shocking alert from Zemana:

Was it a website you trusted you browsed to? Did the software attempt to
do anything without a website loaded?

> As Zemana allow me, I did block such screen capture and TOR crashed
> immediatly.
> By this crash I understand that TOR really tried to capture my screen.
> I restarted TOR with a new identity, changed the identity many times but
> TOR repeated the same behaviour a number of times with the screen capture
> try-Zemana block-TOR crash. Change the identity just does not works for
> such attacker.
> The script funcions were always blocked by NoScript
> On the following days I used TOR again, without any change in my system or
> software, accessing the same web sites but the attack no longer took
> place.

Looks, like the website(s) did something.

Maybe trying to access canvas, what the TorBrowser tried to prevent.
Maybe this triggered the alert.

> I verified the MD5 signature for the TOR browser (firefox.exe) and it is
> unchanged, i.e, it is as distributed by torproject.org
> The TOR 3.6.3 was downloaded from the TOR project web site, and not from
> other servers.
> The install package torbrowser-install-3.6.3_en-US.exe has the MD5
> signature: 9529C5A633CF0CF6201662CA12630A04
> I have the installer in my files for any forensic work.
> I am sending some screens with the Zemana log, where is possible to see
> the TOR MD5 signature (firefox.exe; FC19E4AFB0E68BD4D25745A57AE14047) and
> the logged behaviour ("screenlogger"), the TOR version, TOR button and the
> Zemana version screens, and the extensions and plug-ins existing in my TOR
> install (just to confirm that nothing strange is there). They are
> available to download here:
> http://www.datafilehost.com/d/dfb201d8
> or
> https://www.sendspace.com/file/6ygdl3

Both of the files are broken or corrupted. They can't be opened as an
archive on my end. The first source tries to make one download an .exe
file. Well you can download the zip file, without it.

How can we be sure that your upload is safe?

> Seems that TOR has hidden server capabilities, a back door that allow a
> remote operator take snap shot of the screen and possible perform other
> actions (record mic, turn on the webcam, ...).

I'm unaware of Firefox being able to activate the mic, Chrome can do
that. Both can access the webcam. Firefox will eventfully be able to
activate the mic.

It has to be ensured that those are not accessed without the users

The remote operator claim would require evidence of some sort.

Considerably attackers want to get into systems worth getting into.

> I think TOR can protect the users from many enemies, but at the same time
> it is a perfect tool to attract, identify and log very specific (users)
> targets.
> This may explain also the, until now, unclear role and objectives of the
> US goverment by funding the TOR Project.

I think they use Tor for many purposes themselves.

> Seems that hardly will be possible to identify suck attacker as it
> probably comes from the TOR network itself, but I am considering a
> trap/honney pot just in case this repeats.
> I am an entusiast of privacy tools and TOR is not used for any kind of
> unlawful purposes, is unlikely that I will attract attention from public
> authorities and I am not worried with any data such attacker eventually
> may have had access.

If someone would exploit against the TorBrowser he might be trying to
get as many hits as possible to see if someone is a target.

> Hope this information may help to improve the TOR community security and
> in some point in the future we will able to find a solution for this back
> door.

I hope this can be resolved.

Sebastian G.
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to