Tor Node Experiment

With many major DarkNet sites being taken down, several DDoS-based Tor decloaking exploits being disclosed, tools like Tortilla being released, and reports of APT Tor nodes modifying downloaded binaries by wrapping them with malware, i.e. binding trojan backdoors (OnionDuke), I can confirm Tor is becoming increasingly unsafe, especially for DarkMarket users! My grey hat friend Bastien and I did an experiment to see how malicious Tor nodes are becoming… and it's not good :/

We set up a fresh, clean Windows 7 virtual machine, updated and patched it completely, installed the latest versions of our favorite anti-virus/anti-malware software and downloaded the latest version of the Tor Browser. Then we collected and set up many fake accounts on different sites like Facebook, Twitter, PayPal, BoA, Wells Fargo and especially the DarkMarket sites Agora and Evolution. We then allowed scripts globally in Tor Browser, as a user might do to watch a YouTube video or anything else requiring JavaScript, sometimes solving captchas.
(Note: we didn't use a VPN with Tor, so all Tor exit node traffic is plain text; using a VPN would encrypt all traffic.)
(Also note: we weren't using strict Tor nodes in our torrc, so our exit nodes were completely random.)

We then began to log into the various fake and old hacked accounts to see if anything weird would happen. At first everything seemed normal for the first 15-18 logins and new-identity IPs, UNTIL… we started trying the DarkMarket logins. We started to notice a pattern of nodes we were being redirected through every time we loaded one of the two major DarkMarket sites… not only that, but one of the Agora accounts' user/password was sniffed and changed!! (probably a JavaScript sniffer). Also, since the Agora servers are being heavily stressed now (a government DDoS to locate the servers, like they did to SR2, not just a wave of new customers) and no new accounts are allowed on Agora, it seems the US government together with Europol are trying anything to get into these sites.

Once we started focusing on the normal login sites like Facebook, Twitter, PayPal and Wells Fargo, the weird redirects to some large USA Tor nodes stopped happening. Eventually, after around 36-38 logins and new-identity IPs, we had our first Bank of America user/password sniffed and changed! We looked into the Tor node; it wasn't very big and seemed pretty normal, but it was obviously malicious! While on that node we logged into several other bank sites, which were also all sniffed and had their creds changed. However, the social media accounts were still untouched. This malicious node's JavaScript sniffer was probably only capturing financial/banking info for sites matching certain keywords, not social media accounts!

Eventually, around the 67-69th logins and new-identity IPs, we started to hit some nodes that were sniffing social media accounts and changing their passwords. And I mean it was sniffing and changing passwords on every social media account we tried, but none of the bank creds, which I thought was weird. Bastien theorizes they are spammers running a Tor node who are specifically interested in social media accounts, probably for mass-collecting e-whore pictures and for selling likes/followers, etc…

So basically, in our little experiment we found that just using Tor without additional security like a VPN or proxy, and without editing the torrc file to use specific exit nodes, can be extremely dangerous for sensitive banking, social media and DarkMarket credentials, so we do not suggest it anymore. In our experiment we encountered three types of nodes: clean, malicious blackhat and malicious government. It was most likely the government nodes redirecting traffic and sniffing for DarkMarket site info like user/password logins, and different blackhat nodes sniffing banking and social media account logins. We recommend using at least one off-shore VPN, or a VPN chain/proxychain that doesn't log, in combination with the Tor Browser to completely encrypt all traffic. Also edit your torrc file to strict Tor nodes that you trust! Tor is still a great tool as long as you know how to use it safely; however, I suggest looking into alternatives like I2P and OpenBazaar for the future 🙂

(Note: Don't allow scripts globally unless you have edited torrc to use trusted exit nodes or are using a VPN.)
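The torrc side of the advice above, as an added example that is not part of the original post: a small Python helper that emits the ExitNodes / ExcludeExitNodes / StrictNodes lines Tor understands and audits an existing torrc for them. The fingerprints and country codes in it are made-up placeholders; which relays deserve trust is your call (the torstatus list in the sources is one way to pick them).

```python
"""Pin trusted Tor exit relays in torrc and audit an existing torrc.

Added example, not code from the original post. ExitNodes, ExcludeExitNodes
and StrictNodes are real torrc options; the relay fingerprints used as
sample input are placeholders, not real relays.
"""
import re

# A relay identity fingerprint is 40 hex digits; torrc wants it prefixed with '$'.
_FP_RE = re.compile(r"^\$?[0-9A-Fa-f]{40}$")
# Country-code selectors look like {de}, {us}, ...
_CC_RE = re.compile(r"^\{[a-z]{2}\}$")


def normalize_node(spec: str) -> str:
    """Return a torrc node spec: '$<FP>' for fingerprints, '{cc}' for countries.

    Anything else (nicknames, typos) raises ValueError, so a mistake cannot
    silently widen the set of exits Tor is allowed to use."""
    spec = spec.strip()
    if _FP_RE.match(spec):
        return "$" + spec.lstrip("$").upper()
    if _CC_RE.match(spec.lower()):
        return spec.lower()
    raise ValueError(f"not a fingerprint or {{cc}} country code: {spec!r}")


def torrc_exit_pin(trusted, excluded=()) -> str:
    """Build the torrc lines that force circuits to exit only via `trusted`.

    StrictNodes 1 is the important part: without it Tor treats ExitNodes as a
    preference and falls back to any exit when none of the listed ones works."""
    lines = [
        "# Exit pinning (added example; fingerprints are placeholders)",
        "ExitNodes " + ",".join(normalize_node(n) for n in trusted),
    ]
    if excluded:
        lines.append("ExcludeExitNodes " + ",".join(normalize_node(n) for n in excluded))
    lines.append("StrictNodes 1")
    return "\n".join(lines) + "\n"


def audit_torrc(text: str) -> dict:
    """Report whether a torrc actually pins exits the way the post recommends.

    Returns three booleans: exits are pinned at all, StrictNodes is on, and the
    pin list names relays by fingerprint only (country codes still let any
    relay in that country, malicious or not, be chosen)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, val = line.partition(" ")
        opts[key] = val.strip()
    exits = [n.strip() for n in opts.get("ExitNodes", "").split(",") if n.strip()]
    return {
        "exit_nodes_pinned": bool(exits),
        "strict": opts.get("StrictNodes", "0") == "1",
        "by_fingerprint_only": bool(exits) and all(_FP_RE.match(n) for n in exits),
    }


if __name__ == "__main__":
    # Constructed sample input: two placeholder relays, plus "any exit in Germany".
    fragment = torrc_exit_pin(
        ["0123456789ABCDEF0123456789ABCDEF01234567", "{de}"],
        excluded=["{us}"],
    )
    print(fragment)
    print(audit_torrc(fragment))
```

Append the emitted lines to the torrc used by Tor Browser and restart it; the audit function is handy for confirming the pin survived a browser update, since an ExitNodes line without StrictNodes 1 gives a false sense of security.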

[+] Sources [+]
http://torstatus.blutmagie.de/
http://www.crowdstrike.com/community-tools/
https://www.f-secure.com/weblog/archives/00002764.html
http://thehackernews.com/2014/11/81-of-tor-users-can-be-easily-unmasked_18.html
http://arstechnica.com/security/2014/11/silk-road-other-tor-darknet-sites-may-have-been-decloaked-through-ddos/
