Silk Road forums

Discussion => Security => Topic started by: fuckingACE on September 10, 2013, 08:51 pm

Title: Questions on the LE Spyware and what it means to us
Post by: fuckingACE on September 10, 2013, 08:51 pm
So I've been doing some thinking about the recent spyware propagated by the feds and it's got me worried.

I was wondering if anyone that understands the technology and legal ramifications of it could help me answer some questions.

1. How do we know if our machines are infected? I know it's better to be safe than sorry and format anyway at the slightest doubt. But I want to find a way to actually test whether any machines are infected. Are there any processes or files we can search for, any rootkit finder apps (think Sysinternals RootkitRevealer type apps), spyware finders etc. that we know alert positive to its presence?

2. Infection vectors: what are the chances the feds are currently using other sites to get it on our machines? Perhaps propagating links to news articles on the forums or main site. Are there any other sites known to be carrying the same payload?

3. I imagine with the amount of machines infected, the job of data-mining must be huge for the feds, so I doubt it's done by hand. Are all the details just stored in one big database for access later in individual cases? Or are there key markers like URL bookmarks, apps or other things that, if the spyware finds them on the system, will prompt the feds to do a manual investigation? Or perhaps all infected systems are due for a manual analysis at a later stage?

4. I have seen a comprehensive list of the information that this tool is programmed to collect, but I can't believe that's all they would want. Can that tool keylog? Can it be used to retrieve passport information or internet history in amnesic browsers?

5. I have read that the kit is memory persistent. I wanted to know if they mean this in the sense that it's written to the MBR and thus persistent after a fresh install, or simply memory persistent and will only survive reboots and shutdowns.

6. Am I correct in the assumption that there is only one version of the tool and that it is a Windows binary only? So if we run Linux or Mac we're good?

I realise it's probably tedious for someone techy to answer all this as they've probably been bombarded with questions since it first happened. So perhaps we could start a discussion or something, or if the info already exists, point me in the right direction.
Title: Re: Questions on the LE Spyware and what it means to us
Post by: Bazille on September 10, 2013, 09:56 pm
1. That's hard. Rootkit finders probably won't detect it. Maybe you could monitor your internet traffic by sending it through another computer and see which places it connects to by recording all connections with Wireshark.
2. Windows update maybe. They could hijack the connection between you and the Windows update server and send you malware. Not sure if Linux updates could be affected, because they automatically check package integrity? Anyway, you can turn off update checks in Linux.
3. They don't infect huge amounts of machines, only strategically useful machines or machines of targets. Mostly they just passively spy on everyone and store their data in giant data centers, sometimes maybe hijack your connection to give you their own SSL certificates etc.
4. They can retrieve everything which is not encrypted at the time of the spying. They can extract encryption keys from your memory etc. But for that too you'd have to become a target. They can't recover data from amnesic operating systems, unless maybe they record everything by installing malware into the computer's processor or MBR. For that you would have to become a target.
5. They can write malware in the MBR or into the CPU. Though backdoored CPUs may just be a rumor.
6. They most likely have malware for Linux and Mac. But it's probably a lot harder to make your computer execute the malware if you use Linux. I think for the CPU to install their malware they'd have to make your computer execute a program, e.g. by sending you a PDF exploit or get through the router and exploit some unknown security vulnerability on one of the services that open a port (SMTP, SSH, webserver etc.).
Title: Re: Questions on the LE Spyware and what it means to us
Post by: astor on September 10, 2013, 10:04 pm
What spyware that was propagated by the feds?
Title: Re: Questions on the LE Spyware and what it means to us
Post by: fuckingACE on September 10, 2013, 11:25 pm
Quote
1. That's hard. Rootkit finders probably won't detect it. Maybe you could monitor your internet traffic by sending it through another computer and see which places it connects to by recording all connections with Wireshark.
2. Windows update maybe. They could hijack the connection between you and the Windows update server and send you malware. Not sure if Linux updates could be affected, because they automatically check package integrity? Anyway, you can turn off update checks in Linux.
3. They don't infect huge amounts of machines, only strategically useful machines or machines of targets. Mostly they just passively spy on everyone and store their data in giant data centers, sometimes maybe hijack your connection to give you their own SSL certificates etc.
4. They can retrieve everything which is not encrypted at the time of the spying. They can extract encryption keys from your memory etc. But for that too you'd have to become a target. They can't recover data from amnesic operating systems, unless maybe they record everything by installing malware into the computer's processor or MBR. For that you would have to become a target.
5. They can write malware in the MBR or into the CPU. Though backdoored CPUs may just be a rumor.
6. They most likely have malware for Linux and Mac. But it's probably a lot harder to make your computer execute the malware if you use Linux. I think for the CPU to install their malware they'd have to make your computer execute a program, e.g. by sending you a PDF exploit or get through the router and exploit some unknown security vulnerability on one of the services that open a port (SMTP, SSH, webserver etc.).

From your answer then, it would seem that you need to specifically be picked out as a target for this form of active monitoring.
My question then: was everyone who accessed Tormail during the critical period classed as a target? That is the period in which the feds used a vulnerability in the browser bundle code to allow spyware to install on any machine accessing the Tormail URL, from the server's seizure until an unknown time (it could still be happening). Or was the spyware only activated or used on certain machines, or was only certain information collected from all machines?

Astor - From my limited understanding of what's going on: the FBI, after taking control of the servers that hosted Tormail, made alterations to the site's code to exploit a vulnerability in the browser bundle to install spyware on any machine attempting to access the URL after its seizure. This spyware was set to be persistent with no date to stop monitoring, and its job was to gather information from the clients such as MAC, IP, bookmarks; I am unsure as to exactly what it is meant to gather, exactly who is affected, and to what extent. That is ideally what I would like to find out.

My two biggest concerns are: how many people right now on here are unwittingly accessing from infected machines, and also the capability of the spyware. I want to know if it has the ability to collect things above and beyond what has been stated, including account info from cookies etc., autofill info, files, key logging, things that could be used to easily pinpoint SR members by doing a quick search, for example for the SR URL, in all the data that the machines are sending back, and if they could then even go a step further and, after having located a machine that accesses the SR URL regularly, activate keylogging on the client and capture SR login credentials... You can see where I'm going with this.
Any help appreciated.

Title: Re: Questions on the LE Spyware and what it means to us
Post by: P2P on September 10, 2013, 11:53 pm
Ace, I think astor just thought you were talking about a different spyware attack, as I did when I initially saw this thread. Something that happened a good while ago (now) is not really what one would call "recent," but do as you like. In any event, there were several threads started a month or two ago discussing this matter; I would chip in really quickly with the capabilities of the spyware but I actually have not been on the forums as much lately, so I cannot remember the exact capabilities; but they are out there. They were posted on another site and quoted on this forum, so that info should be in one of the discussion threads regarding the attack. And yes, it's very possible that there are several individuals (especially those that foolishly do not keep up on current events in this EXTREMELY dynamic business), whose computers were infected, that are accessing the site right now. I think that should be fairly obvious.
Title: Re: Questions on the LE Spyware and what it means to us
Post by: astor on September 11, 2013, 12:23 am
Yeah, I thought he was talking about the botnet and had concluded it was LE spyware. I've seen no evidence of that. Some blog post claimed to have identified the malware in the botnet attack, and there was no indication it was LE related.
Title: Re: Questions on the LE Spyware and what it means to us
Post by: ECC_ROT13 on September 11, 2013, 03:19 am
The exploit delivered from the FH/Tormail takedown seems to be very well understood. It tried to capture the MAC address of the machine, then phone home to a public Internet site to deanonymize the user. Only seems to have affected Windows + Tor Browser Bundle users (who were NOT using the current TBB version at the time).

That's it. That's all it did. No long-term infection, no keylogging, nothing else. Just told them the IP you were sending non-Tor traffic from at the moment it ran.

Now if there's some *other* exploit or malware that I'm not aware of that somebody found from the FH servers, somebody post a link.

Title: Re: Questions on the LE Spyware and what it means to us
Post by: comsec on September 11, 2013, 03:30 am
Quote
The exploit delivered from the FH/Tormail takedown seems to be very well understood. It tried to capture the MAC address of the machine, then phone home to a public Internet site to deanonymize the user. Only seems to have affected Windows + Tor Browser Bundle users (who were NOT using the current TBB version at the time).

That's it. That's all it did. No long-term infection, no keylogging, nothing else. Just told them the IP you were sending non-Tor traffic from at the moment it ran.

Now if there's some *other* exploit or malware that I'm not aware of that somebody found from the FH servers, somebody post a link.

It also left a cookie lying around for about 20-30 mins for some reason. Probably so if you went on a certain clearnet site you could be identified for having that cookie and decloaked. Anyways, it self-deleted, so there is no federal malware hanging around.
Title: Re: Questions on the LE Spyware and what it means to us
Post by: kmfkewm on September 11, 2013, 04:59 am
Quote
1. How do we know if our machines are infected? I know it's better to be safe than sorry and format anyway at the slightest doubt. But I want to find a way to actually test whether any machines are infected. Are there any processes or files we can search for, any rootkit finder apps (think Sysinternals RootkitRevealer type apps), spyware finders etc. that we know alert positive to its presence?

It didn't install a rootkit. I believe the term for what they did is 'beaconing' (though you could also call it a proxy bypass attack, or a side channel attack, but I suggest not calling it a side channel attack in front of any cryptographers). Essentially, they hacked you, phoned home immediately with your MAC address, also getting them your IP address, and that was that. Nothing persistent was installed. There was a cookie set but it expired after half an hour.

The attack only worked against Windows. If your OS is not Windows, you are fine. The attack only worked against version 17.0.6 of Firefox and prior; if you had an up-to-date Firefox, you are fine. It had been patched a month prior to them using it. The attack requires JavaScript to be enabled; if you had JavaScript disabled, you are fine. The attack can only phone home an IP address if you didn't isolate Firefox from your external IP address. If you used Whonix or Qubes with a TorVM you are fine, and you are also fine if you isolated Firefox yourself. If you used Whonix or isolated yourself, they cannot even phone home a real MAC address. They can only phone home a real IP address if Firefox isn't isolated from the network; if Firefox can only talk to Tor because of firewall rules, you are fine. This means that even if the attack was targeted against Linux users and they infected you on Tails, they could only phone home a MAC address and not an IP address, because the Tails browser is network (but not process) isolated.

So you were not compromised at all if you meet any of the following criteria:

A. You don't use Windows
B. You had updated your browser roughly within the past month
C. You did not have JavaScript enabled
D. You used Whonix or isolated yourself with HVM or isolated with TorVM

If you meet none of the previous criteria, but still meet the following criteria, they did not get your IP address but did get your username and MAC:

E. You had Firefox network isolated with a firewall

Quote
2. Infection vectors: what are the chances the feds are currently using other sites to get it on our machines? Perhaps propagating links to news articles on the forums or main site. Are there any other sites known to be carrying the same payload?

The feds could try that but I don't know that they will be allowed to hack random people reading news articles. I guess they could make a fake news site and direct SR people to it in order to pwn them. It is totally possible. No other sites are known to be carrying the same payload or exploiting the same vulnerability.

Quote
3. I imagine with the amount of machines infected, the job of data-mining must be huge for the feds, so I doubt it's done by hand. Are all the details just stored in one big database for access later in individual cases? Or are there key markers like URL bookmarks, apps or other things that, if the spyware finds them on the system, will prompt the feds to do a manual investigation? Or perhaps all infected systems are due for a manual analysis at a later stage?

I doubt they infected many machines. They only infected people who not only took absolutely no additional security measures versus using vanilla TBB, but who were on Windows and who had a TBB that was more than a month out of date. They got only the very lowest hanging fruit, and it is actually debatable if they even got a single person.

Quote
4. I have seen a comprehensive list of the information that this tool is programmed to collect, but I can't believe that's all they would want. Can that tool keylog? Can it be used to retrieve passport information or internet history in amnesic browsers?

This entire attack has been analyzed to hell and back by probably a hundred different professional level security researchers and hackers. It cannot do any of that.

Quote
5. I have read that the kit is memory persistent. I wanted to know if they mean this in the sense that it's written to the MBR and thus persistent after a fresh install, or simply memory persistent and will only survive reboots and shutdowns.

It is none of those things, it crashes itself immediately after phoning home and the only thing left is a cookie that expires half an hour later.

Quote
6. Am I correct in the assumption that there is only one version of the tool and that it is a Windows binary only? So if we run Linux or Mac we're good?

The exploit technically is cross platform, but the delivered payload is for Windows only.

Quote
I realise it's probably tedious for someone techy to answer all this as they've probably been bombarded with questions since it first happened. So perhaps we could start a discussion or something, or if the info already exists, point me in the right direction.

NP glad to help.
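As an added example (not code from anyone in this thread), here is a small host-side checker for the property kmfkewm's criterion E and Bazille's Wireshark suggestion both rely on: on a Tor Browser host, the browser should only ever talk to the local Tor SOCKS port, so any direct connection from the browser to the Internet is exactly the "phone home" beacon the thread describes. The key=value record format, the policy constants and the sample records are all assumptions constructed for the example.

```python
import ipaddress
import re

# Assumed policy: the browser may only talk to the local Tor SOCKS port;
# only the tor process itself may reach non-loopback addresses.
TOR_SOCKS = ("127.0.0.1", 9150)   # port used by the Tor bundled with TBB
TOR_PROCESS = "tor"

# Constructed sample records (assumed key=value format, not real captures).
SAMPLE_LOG = """\
ts=1378859000 comm=tor uid=1000 proto=tcp dst=198.51.100.7 dport=443
ts=1378859001 comm=firefox uid=1000 proto=tcp dst=127.0.0.1 dport=9150
ts=1378859002 comm=firefox uid=1000 proto=tcp dst=203.0.113.5 dport=80
ts=1378859003 comm=firefox uid=1000 proto=udp dst=192.0.2.53 dport=53
ts=1378859004 comm=firefox uid=1000 proto=tcp dst=127.0.0.1 dport=9151
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_record(line):
    """One key=value line -> dict; dport becomes an int."""
    rec = dict(FIELD.findall(line))
    rec["dport"] = int(rec["dport"])
    return rec

def classify(rec):
    """None for sanctioned traffic, otherwise a label for the leak type."""
    if rec["comm"] == TOR_PROCESS:
        return None                  # Tor must reach its guard directly
    if (rec["dst"], rec["dport"]) == TOR_SOCKS:
        return None                  # the one path the browser is allowed
    if ipaddress.ip_address(rec["dst"]).is_loopback:
        return None                  # e.g. control port; never leaves the host
    if rec["proto"] == "udp" and rec["dport"] == 53:
        return "dns-leak"            # resolver query that skipped Tor
    return "proxy-bypass"            # direct egress: reveals the real IP

def find_bypasses(log_text):
    """Records that phoned home outside Tor, as (ts, comm, dst, dport, label)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        label = classify(rec)
        if label:
            hits.append((rec["ts"], rec["comm"], rec["dst"], rec["dport"], label))
    return hits

if __name__ == "__main__":
    for hit in find_bypasses(SAMPLE_LOG):
        print("ALERT ts=%s %s -> %s:%d (%s)" % hit)
```

The same check can be run from a second machine in Bazille's setup by replacing the per-process `comm` field with the workstation's source address and allowing only its Tor guard as a destination.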