BREAKING: HALF OF TOR SITES COMPROMISED, INCLUDING TORMAIL
The founder of Freedom Hosting has been arrested in Ireland and is awaiting extradition to the USA.
In a crackdown that the FBI claims to be about hunting down pedophiles, half of the onion sites in the TOR network have been compromised, including the e-mail counterpart of the TOR deep web, TORmail.
This is undoubtedly a big blow to the TOR community, Crypto Anarchists, and more generally, to Internet anonymity. All of this happening during DEFCON.
If you use account name and/or password combinations that you have reused on the TOR deep web, change them NOW.
Eric Eoin Marques, who was arrested, runs a company called Host Ultra Limited.
He has an account at WebHosting Talk forums.
A few days ago there were mass outages of Tor hidden services that predominantly affected Freedom Hosting websites.
"Down for Maintenance
Sorry, This server is currently offline for maintenance. Please try again in a few hours."
What the exploit does:
An iframe is injected into FH-hosted sites (paste "TOR/FREEDOM HOST COMPROMISED", by a guest on Aug 3rd, 2013).
This leads to obfuscated code (paste "FH STILL COMPROMISED", by a guest on Aug 3rd, 2013; posted by Anonymous on Sun 4th Aug 02:52).
Who's affected / time scales:
"In this paper we expose flaws both in the design and implementation of Tor's hidden services that allow an attacker to measure the popularity of arbitrary hidden services, take down hidden services and deanonymize hidden services."
(Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization)
The FBI Ran a Child Porn Site for Two Whole Weeks
On any other day one would say these sick perverts got what they deserved. Unfortunately the Feds are stepping far beyond just pedophiles in this latest issue.
The JS inserted at Freedom Hosting? Nothing really, just an iframe inject script with a UUID embedded server-side.
I'm still pulling this little bundle of malware apart. So far, I've got that the attack is split across three separate files, each loaded into an iframe. Calls are made between the frames to further obfuscate the control flow. The 'content_2.html' and 'content_3.html' files are only served up if the request "looks like" Firefox and has a correct Referer header. The 'content_2.html' is loaded from the main exploit iframe and in turn loads 'content_3.html'.
UPDATE: The exploit only affects Firefox 17 and involves several JS heap-sprays. Note that the current Extended Support Release is Firefox 17, so this may also affect some large organizations using Firefox ESR.
The script will only attempt the exploit on Firefox 17, so I'm no longer worried about it being some new 0day. Enough of the "Critical" MFSAs are for various sorts of memory corruption that I don't have the time to find out if this is actually a new exploit or something seen before.
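A defensive check suggested by the description above, added here as an example that is not part of the original post or the analyst's work: scan a fetched HTML page for hidden or pixel-sized iframes and for a UUID-style token in the frame URL, the two traits the injected iframe is said to have. The sample page, the hostname and the UUID in it are constructed.

```python
import re
from html.parser import HTMLParser

# Matches a UUID-style token (the injected iframe's URL reportedly carried a server-side UUID).
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def suspicious_reasons(attrs):
    """Return the heuristics an iframe trips; an empty list means nothing was flagged."""
    reasons = []
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden via CSS")
    dims = [attrs.get("width", ""), attrs.get("height", "")]
    dims += re.findall(r"(?:width|height):(\d+)", style)
    if any(d.strip().rstrip("px") in ("0", "1") for d in dims if d.strip()):
        reasons.append("zero- or one-pixel size")
    if UUID_RE.search(attrs.get("src", "")):
        reasons.append("UUID-style tracking token in src")
    return reasons


def find_injected_iframes(html):
    """Scan one HTML document; return (src, reasons) for each iframe that trips a heuristic."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        reasons = suspicious_reasons(attrs)
        if reasons:
            hits.append((attrs.get("src", ""), reasons))
    return hits


# Constructed sample (not the real injected code): one ordinary frame and one hidden 1x1 frame
# whose URL carries a UUID-style token, modeled on the injection described above.
SAMPLE_HTML = """<html><body>
<iframe src="/player.html" width="640" height="360"></iframe>
<p>Down for Maintenance</p>
<iframe src="http://example.invalid/frame.html?id=123e4567-e89b-12d3-a456-426614174000"
        width="1" height="1" style="display:none; border:0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_injected_iframes(SAMPLE_HTML):
        print(src, "->", ", ".join(reasons))
```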
Logical outcomes from this?
1. FBI/NSA just shut down the #1 biggest hosting site and #1 most wanted person on Tor
2. Silkroad is next on their list, being the #2 most wanted (#1 was Child Porn, #2 is drugs)
3. Bitcoin and all cryptocurrencies set to absolutely CRASH as a result, since the feds cannot completely control this currency as they please.
I don't always call the Feds' agenda transparent, but when I do, I say they can be trying harder.