I realize this marks me a failure as a hacker and a human being, but JavaScript is not my native tongue and Google Translate doesn't seem to have an option for it. Could someone please post some actual news about...whatever is happening?
Targets Firefox version 17 and lower. This is the version (17.0.7) that you're required to use for TOR on Windows.[1]
It would take a long time to walk through what's being done, and even that isn't likely to be helpful. There's a lot of Array, Int32Array, and ArrayBuffer allocation and retrieval. It's possible one of the larger strings is for injecting code into memory. It doesn't look at the guid stored in the cookie or the query param. If it is a memory injection, your guess is as good as mine.[2]
Just my sense for staring at this for an hour. I know JavaScript, but I'm not a security expert.
Original iframe w/ ?requestID=<guid>: http://pastebin.com/HcGRQk2N (with HTML)
content_1.html: <connection reset> (only used for versions of Firefox less than 17)
content_2.html: http://pastebin.com/7sTk8bgx
content_2.html?????: http://pastebin.com/t9x4GHr1 (same as content_2.html)
content_3.html: http://pastebin.com/GGCny4Vb
error.html: <connection reset> (it's likely meant to fail)
It includes a hexdump of the shellcode, showing it's building an HTTP request to somewhere. So it's likely identifying Tor users through non-Tor connections.
Based on my poking around, the guid provided is included in the shellcode to be loaded into memory. I'm not sure if it is a Windows-only exploit or not. There is an ID of ws2_32IPHLPAPIPA6 that is also included as part of the shellcode.
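A small triage script for the indicators the two analysis comments above describe (the ?requestID=<guid> in the iframe URL, a cookie being set, typed-array allocation, and a hex blob that carries network DLL names, an HTTP request and the guid). This is an added example, not code from the thread or from the exploit; the sample page, the host example.invalid, the cookie name n_serv and the blob contents are all constructed stand-ins.

```python
import re
from typing import Dict, List

# Constructed stand-in for the kind of page the thread describes (iframe with
# ?requestID=<guid>, a cookie, typed-array allocation, a hex blob that carries
# DLL names, an HTTP request and the guid).  This is NOT the real payload.
SAMPLE_GUID = "12345678-abcd-4ef0-9876-0123456789ab"
_FAKE_BLOB = b"ws2_32\x00IPHLPAPI\x00GET /?id=" + SAMPLE_GUID.encode() + b" HTTP/1.1\r\n"
SAMPLE_JS = (
    f'<iframe src="http://example.invalid/content_2.html?requestID={SAMPLE_GUID}"></iframe>\n'
    f'document.cookie = "n_serv={SAMPLE_GUID}";\n'
    'var buf = new ArrayBuffer(0x1000); var view = new Int32Array(buf);\n'
    f'var payload = "{_FAKE_BLOB.hex()}";\n'
)

HEX_LITERAL = re.compile(r'"([0-9a-fA-F]{64,})"')        # long hex string literals
GUID_RE = re.compile(r'requestID=([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})')
PRINTABLE = re.compile(rb'[\x20-\x7e]{5,}')               # ASCII runs inside a decoded blob
NET_DLLS = ("ws2_32", "iphlpapi", "wininet", "winhttp")   # DLLs a callback would need

def request_guid(js: str):
    """Return the requestID guid from the iframe URL, if one is present."""
    m = GUID_RE.search(js)
    return m.group(1) if m else None

def decoded_hex_blobs(js: str) -> List[bytes]:
    """Decode every long, even-length hex string literal into raw bytes."""
    return [bytes.fromhex(h) for h in HEX_LITERAL.findall(js) if len(h) % 2 == 0]

def embedded_strings(blob: bytes) -> List[str]:
    """Recover printable ASCII runs (like `strings`) from a decoded blob."""
    return [s.decode("ascii") for s in PRINTABLE.findall(blob)]

def triage(js: str) -> Dict[str, object]:
    """Summarise the indicators discussed in the thread for one captured page."""
    guid = request_guid(js)
    strings = [s for blob in decoded_hex_blobs(js) for s in embedded_strings(blob)]
    lowered = " ".join(strings).lower()
    return {
        "request_guid": guid,
        "sets_cookie": "document.cookie" in js,
        "typed_array_alloc": bool(re.search(r"new (ArrayBuffer|Int32Array|Uint32Array)\(", js)),
        "network_dlls": [d for d in NET_DLLS if d in lowered],
        "http_request_in_blob": "http/1." in lowered,
        "guid_in_blob": guid is not None and guid.lower() in lowered,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_JS).items():
        print(f"{key:22} {value}")
```

Run it against a saved copy of a suspicious page instead of SAMPLE_JS; a blob that names socket DLLs, carries an HTTP request and repeats the page's own guid is the pattern the commenters describe.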
Could the kind intelligence that decodes this post a play-by-play for us regular folk? Is the first step trying to trace the logic mentally? Building some kind of graph-based representation of the code and its calling behavior...? When I read var77, var78, var79... well, yea.
The Tor Project should offer a bundle with 1) a VirtualBox image with Tor installed configured to work with 2) a Tor daemon installed on the host system. This should add another level of security.
The IP that's hosting the iframe is a Verizon Business one. The JS also looks to be setting a cookie, probably for identification purposes (reading the cookie from another site to confirm the user?). I'm not sure that's the case because once the Tor Bundle is closed, cookies are automatically deleted.
Funnily enough the IP address in the iframe location is in a /11 formerly belonging to D.C.-headquartered MCI Communications, now under Verizon, and traceroute points to it being in D.C. as well.
This could be faked, but it's interesting on its own.
So the founder of Tor Freedom is arrested and now this. Quite a coincidence. Maybe not NSA, but probably some kind of government agency. I think the best bet people can make these days is to assume that government is guilty and means to do nasty things - until proven otherwise.
Probably because they have a hard-on for snooping and TOR, by design, makes it extremely hard to correlate usage with a person without owning exit nodes and/or social engineering.
Realistically though, if the NSA were going to penetrate TOR, they would just own exit nodes and do social engineering. Bear in mind that the American government had a hand in building TOR to begin with.
That this appears to be so blatant suggests to me that it has nothing to do with surveillance at a state level.
Realistically they'd probably use a variety of approaches. Each approach could have its own limitations or be closed off without much notice. Wouldn't you want to hedge your bets?
Even if it isn't outside the realm of possibility, I don't think it's plausible for an organization that's supposedly powerful enough to monitor and archive all domestic and incoming electronic communication, when there's an entire ecosystem of hackers and skiddies out there anyway who do this kind of thing elsewhere all the time. JS in an iframe? XSS? Why would they even bother?
It is NSA[1]. No implication needed. FBI nabs host owner and suddenly code is injected to exploit all end users? Rather tired of people downplaying these events at every attempt. What does your comment add? At least the parent comment you are responding to hinted at a potential suspect.
Perhaps he doesn't want to be hunted either directly implicating the US for the US's work.
Seriously, bring something to the discussion if you are going to be asking others to do the same.
By the way, the person who started the site linked is being prosecuted by the DoJ[2], no doubt with others involved being hunted down as well. I'm sure there are no implications to any of this.
FBI, who happens to work as a conduit for the NSA, along with any number of the other acronym boys? Or the corporations they hire while handing out legal immunity for the actions they are hired for? Or Google and others who also accept payoffs and immunity for helping monitor the acronym boy's targets?
How are the various crony corporations publicizing these deeds as services not relevant? This is the subject of exploits being used on users of a host whose owner was arrested, correct?
I am readily awaiting a more logical answer than another contracted service like Endgame and their pool of exploits they are so ready to use on the non legally immune citizens of the world. Or companies like Google for going along with the dragnet monitoring and exploitation of dissidents.
All of them are connected by virtue of payoffs, insider trading, market manipulation. None of it is irrelevant.
Which is a mistake, and this shows why. Javascript should be default-off everywhere, and then if there's a Tor site you trust (oxymoron if I've ever heard one) then you enable Javascript.
I've referenced Endgame Systems before[1]; exploiting end users for profit for figures like the NSA is their type of game.
"There are even target packs for democratic countries in Europe and other U.S. allies. Maui (product names tend toward alluring warm-weather locales) is a package of 25 zero-day exploits that runs clients $2.5 million a year.[2]"
Endgame's product list was not marked classified, a product meant for distribution only to the likes of the NSA but peddled amongst fellow for-profit "whitehat" in arms. Yet another company with immunity to laws others are hunted and imprisoned for.
Speaking as someone in the field (I know people from Endgame, and work in a similar place with much more discretion), this is a load of shit. The FBI wouldn't be deploying Endgame product like this.