
Re: [tor-talk] Regarding the Hacking Team leak and the "TOR interception" (all uppercase Tor obviously)



The browser would send a SOCKS5 connect request to the Hacking Team
proxy server, which would connect to the real hidden service and
transparently proxy the content to the browser. If the hidden service
had an SSL connection (like the Facebook HS), it would try to MITM with the
installed cert.
The infected client would have to use Internet Explorer or Chrome, set up
for Tor usage.

chloe wrote:
> Hello,
> 
> how would this method work if an infected client tries to visit a hidden
> service?
> 
> Regards,
> Chloe
> 
> aka wrote on 7/7/2015 16:52:
>> Nothing special, they try to infect the machine using browser exploits
>> while the victim surfs without Tor. The malware then manually installs
>> an SSL cert and redirects the browser proxy from 127.0.0.1:9050 to
>> evilguys.com:9050, which does SSL interception with that installed SSL
>> cert. At the time of the leak only browsers on Mac and Internet Explorer on
>> Windows were supported, because they used registry keys to change proxy
>> settings...
>> Their attack currently doesn't work on TBB, not because it's more secure,
>> but because Hacking Team is incapable of programming proper
>> pre-encryption interception on the victim machine. If your computer is
>> infected ALL your traffic CAN be intercepted by definition, it just
>> takes some *able* malware developers to implement it.
>> Fun fact: old, public-source malware like ZeuS is able to intercept all
>> encrypted traffic in Internet Explorer and Firefox (including TBB).
>> So don't panic if hipsters like Jacob post PDFs without
>> reading/understanding them.
> 
> 
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
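A defender-side check for the proxy redirect discussed in this thread, added here as an example (Python, not code from the thread or from Hacking Team): it parses a browser proxy setting in the WinINET `ProxyServer` format (assumed to be `scheme=host:port;...`, or a bare `host:port` that applies to all protocols) and flags a SOCKS proxy on a Tor port that no longer points at loopback. The sample strings are constructed; `evilguys.com` is the placeholder host used in the thread.

```python
import ipaddress

# Default Tor SOCKS ports: 9050 (tor daemon, as in the thread) and 9150 (Tor Browser).
TOR_SOCKS_PORTS = {9050, 9150}


def is_loopback(host: str) -> bool:
    """True for 'localhost' and any loopback IPv4/IPv6 literal."""
    host = host.strip("[]").lower()
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname, not an IP literal
        return False


def parse_proxy_server(value: str) -> dict:
    """Parse a WinINET-style ProxyServer value. Assumed format:
    'http=host:port;socks=host:port', or a bare 'host:port' that applies
    to every protocol and is recorded here under the key 'all'."""
    entries = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        scheme, hostport = part.split("=", 1) if "=" in part else ("all", part)
        host, _, port = hostport.rpartition(":")
        entries[scheme.strip().lower()] = (host.strip("[]"), int(port))
    return entries


def audit_proxy(value: str) -> list:
    """Return (severity, scheme, host, port, reason) for each SOCKS or catch-all
    proxy that is off loopback. A remote host on a Tor SOCKS port matches the
    127.0.0.1:9050 -> evilguys.com:9050 redirect described in the thread."""
    findings = []
    for scheme, (host, port) in parse_proxy_server(value).items():
        if scheme not in ("socks", "all") or is_loopback(host):
            continue
        if port in TOR_SOCKS_PORTS:
            findings.append(("high", scheme, host, port,
                             "Tor SOCKS port redirected to a remote host"))
        else:
            findings.append(("medium", scheme, host, port,
                             "SOCKS proxy is not on loopback"))
    return findings


if __name__ == "__main__":
    # Constructed samples: expected Tor setting, the thread's redirect, a corporate HTTP proxy.
    for sample in ("socks=127.0.0.1:9050", "socks=evilguys.com:9050",
                   "http=proxy.corp.example:8080"):
        print(sample, "->", audit_proxy(sample))
```

The same check applies to Firefox's `network.proxy.socks` / `network.proxy.socks_port` prefs once read into the `scheme=host:port` form; a new root CA appearing alongside such a redirect is the second half of the pattern described above.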