Silk Road forums

Discussion => Security => Topic started by: WhiteShark on May 21, 2013, 07:27 pm

Title: Law Enforcement on SR??? PLEASE READ
Post by: WhiteShark on May 21, 2013, 07:27 pm
Basically this is the message:
"    Hi, I'm not sure if you are the right person or not, but I live near to you and have noticed you making quite a few deliveries to the mailbox, some of which I managed to get on video... search for 'silk road local delivery' on www.videoupload.us and click on the first video and you will be able to see.

This is not a threat, I am just trying to pre-warn you to be more careful when mailing things (and maybe send someone else to the mailbox instead of yourself)

P.S If it is not you in the video, then you can ignore this

Simon"



My reaction " HAHA". Why?
1. My drop-offs do not involve mail boxes at all. In fact I never come near a mail box, and no, not telling you how. But first off I knew this was not me
2. How the hell would he know this is me, and who would go through that much work to message every single vendor in the country (assuming he did this) --> unless he specifically targeted me


Now, my curiosity got the better of me, I opened it in Tor. Soon as I saw a JavaScript applet I CLOSED IT RIGHT AWAY!
The reason is that extensions like Java and other addons can be used to track you, EVEN IN TOR!

For those of you who are unaware:

Tor does not protect all of your computer's Internet traffic when you run it. Tor only protects your applications that are properly configured to send their Internet traffic through Tor. To avoid problems with Tor configuration, we strongly recommend you use the Tor Browser Bundle. It is pre-configured to protect your privacy and anonymity on the web as long as you're browsing with the Tor Browser itself. Almost any other web browser configuration is likely to be unsafe to use with Tor.
Don't enable or install browser plugins

The Tor Browser will block browser plugins such as Flash, RealPlayer, Quicktime, and others: they can be manipulated into revealing your IP address. Similarly, we do not recommend installing additional addons or plugins into the Tor Browser, as these may bypass Tor or otherwise harm your anonymity and privacy. The lack of plugins means that Youtube videos are blocked by default, but Youtube does provide an experimental opt-in feature (enable it here) that works for some videos.


Tor will encrypt your traffic to and within the Tor network, but the encryption of your traffic to the final destination website depends upon that website. To help ensure private encryption to websites, the Tor Browser Bundle includes HTTPS Everywhere to force the use of HTTPS encryption with major websites that support it. However, you should still watch the browser URL bar to ensure that websites you provide sensitive information to display a blue or green URL bar button, include https:// in the URL, and display the proper expected name for the website.

Don't open documents downloaded through Tor while online
The Tor Browser will warn you before automatically opening documents that are handled by external applications. DO NOT IGNORE THIS WARNING. You should be very careful when downloading documents via Tor (especially DOC and PDF files) as these documents can contain Internet resources that will be downloaded outside of Tor by the application that opens them. This will reveal your non-Tor IP address. If you must work with DOC and/or PDF files, we strongly recommend either using a disconnected computer, downloading the free VirtualBox and using it with a virtual machine image with networking disabled, or using Tails. Under no circumstances is it safe to use BitTorrent and Tor together, however.
Use bridges and/or find company

Tor tries to prevent attackers from learning what destination websites you connect to. However, by default, it does not prevent somebody watching your Internet traffic from learning that you're using Tor. If this matters to you, you can reduce this risk by configuring Tor to use a Tor bridge relay rather than connecting directly to the public Tor network. Ultimately the best protection is a social approach: the more Tor users there are near you and the more diverse their interests, the less dangerous it will be that you are one of them. Convince other people to use Tor, too!



So I still want to see this video, so I head over to an internet cafe across the street. I try to load it, and it is just a continuous Java process running in the background with nothing occurring. My conclusion?
THIS IS LAW ENFORCEMENT ATTEMPTING TO TRACK VENDORS THROUGH TOR! DO NOT OPEN THIS LINK! DO NOT ENABLE JAVA!

If mods can sticky this or get support to send a warning out, would suck to see a bunch of vendors go down like this. I mean I hate competition, but I ain't gonna wish death on nobody. There ain't no coming back from that ;)



My advice for anyone who clicked the link and had java on --> clean your house for a while, just to be safe. Hate to see you go down like this.


Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: scout on May 21, 2013, 07:35 pm
Hmmmm ... we can't sticky threads until we've received permission to do so, so let me pass this along to my fellow mods and the admins and see what we can do about getting a warning up here!
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: WhiteShark on May 21, 2013, 07:40 pm
Thanks scout =)
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: K Queen on May 21, 2013, 07:41 pm
We came across this message also, deleted it immediately!  :P
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: scout on May 21, 2013, 07:42 pm
Yes, for anyone who has received this message - JUST DELETE IT IMMEDIATELY AND DO NOT VISIT THE LINK!
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: goblin on May 21, 2013, 07:43 pm
Sounds like a fishing expedition combined with a Nigerian prince scam and a chain letter-like message! All scamamundo.
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: ACutAbove on May 21, 2013, 08:22 pm
Now, my curiosity got the better of me, I opened it in Tor. Soon as I saw a JavaScript applet I CLOSED IT RIGHT AWAY!
The reason is that extensions like Java and other addons can be used to track you, EVEN IN TOR!

I opened the link in TOR, with JAVA off. Do you think they can still track anything? I let it try and load for about 30 seconds or so. Thank you
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: astor on May 21, 2013, 08:29 pm
The site doesn't show up in a Google search. This is an attack that I've predicted in the many times I've said not to visit links posted on this forum over clearnet. The attacker knows that only people on SR know about his site, so anyone who visits over clearnet has linked their IP address (and possibly their identity) to the fact that they use SR.

The Java app is probably supposed to phone home to expose the IP addresses of Tor users.
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: PuertoRico on May 21, 2013, 08:37 pm
Just made a thread on this when I saw it.

A couple of vendors I know got the same message.. UK vendors even though it's a .us URL? Is this a global attack?
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: JezuzWazaMushroom on May 21, 2013, 08:39 pm
All vendors as well as buyers IMO should be running Private Internet Access who will sell you a 12mth VPN subscription anonymously for $40 and you can use 3 computers simultaneously even using Shitcoin, or someone like HideMyAss who, although they aren't taking Bitcoin as payment (at least when I signed up ages ago), do have a shit tonne more IPs but you can only use two comps at the same time.

They are your best protection and should be used on top of TOR, that way if somehow there was a flaw in TOR, you're covered on the backdoor, and the LE are left on their knees sucking your cock on the floor, like a dirty dirty whore, that you must be to serve the law!   :P

- JWM  8)
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: astor on May 21, 2013, 08:39 pm
Now's a perfect time to boot up a disposable VM with a Tor gateway and figure out what this javaupdate.exe does...

The sad part is, there are people visiting that site over clearnet right now...
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: Talk to Frank on May 21, 2013, 08:44 pm
Opening that URL automatically gets picked up by anti-virus and the java applet is prevented from running. I assume that means the IP can't be traced? After anti-virus picks it up, it just doesn't load the website, rather, it just leaves it as if you've opened a new tab. I posted this in other threads on the matter, but I thought I'd spread it across to get more viewpoints.
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: JezuzWazaMushroom on May 21, 2013, 08:57 pm
I got this random as fuck message from a guy the other day and was wondering if anyone else had the same message from AU because it was out of the blue, on the main site not here where they claim as you will see to have read my messages, and I have never heard of them before nor since I would be interested in other people's opinions and also there was news on the vendor forum I would like to add about a huge crackdown about a month ago in AU with customs but has since finished as it was unsustainable cost wise for too long...

Name omitted in case they are just dumb and/or inexperienced and possibly young...

HI JWM,

I probably sound like a knob jockey, lol... but I saw your posts on the forum and wanted to get in touch... you sound like a fairdinkum ozzie larkin.... (anyone who knows me knows that is bullshit)

you remind me a little of myself only more of a baller! (No, I am nothing like you and do not just contact people on the main site asking questions I could find the answers to on the forums)


I was somewhat baffled by this message so replied trying to seem relatively civil and in order to see just how stupid this character was and I wasn't disappointed...

"Hi mate, where you from sailor?"

To which he/she/they responded without questioning me at all about my intentions and who I dealt with etc and is either very stupid or very clever trying to lull me into a false sense of security...

Hi again JWM,

To be honest I haven't got my head around that whole PGP stuff yet, I did try and hook it all up... I think I have it hooked up, but don't know if it's working properly... as when I open it I get a warning message... I'm not one of these computer geeks... you know I'm not no dumbie either, lol.... also I'm a little worried about the pgp software being able to be linked to my account if my laptop falls in the wrong hands....

I'm from sin city, sydney, where is your secret location state, lol.....

you know these internet tough guys/ wankers they call them trolls and flamers, they hide behind their keyboards acting like know it alls and tough guys...in the old days they would get a swift back hander and probably eventually wake up to themselves these days they just hide behind a computer screen being closet gangsters.... therefore I don't take the forums too serious, that's why I contacted you, I don't like to air my dirty laundry/business in public arena....

so have you done much purchasing here, would I be out of line to ask what types of things and maybe a bit of an insight to the quality or trusted sellers.....

I'm very interested to know a little more about your professional gambling, if you feel comfortable discussing any of this.... I could understand if you didn't want too

to be honest not sure how to use your pgp, I know laughable

TO WHICH I RESPONDED WITH:

Okay, to get PGP working, download www.gpg4win.org and tick all the boxes and when you've installed it, you save a particular key in a .txt file format. Then open GPA and select Import Key, then open the file you saved, and you can save as many as you like on the one file, then it will import that key. You can then copy a message from said person that is encrypted into the GPA clipboard and press Decrypt and enter your password. I would suggest you use a VPN such as www.privateinternetaccess.com that you can pay for with Bitcoins and run that full time and use that over the top of TOR, otherwise your provider can know everything you look at and even when you initiate TOR that will red flag your account. You also just use GPA and select generate new key, and enter the decryption password you desire, then to send it to people you simply select it and copy it, then paste it into a message and send it.

I won't reveal my location and nor should you be so relaxed about where you disclose your info and you should never send your address over TOR, or any other network unencrypted, and when leaving your information for another vendor without using their PGP key.

If you are worried about them getting your PGP keyring should someone find your laptop encrypt the said program with BitLocker or something similar.

My location is wherever you want it to be and my name is JWM, and if indeed you are someone phishing for info on where I am and who I use or do being LE, then you should be a little less obvious, but I think you are just inexperienced at what you are doing.

Be careful on SR or any Darknet without the adequate software and protection. I have given you the site that is by far the best VPN and completely anonymous including the payment method available.

Hope this helps you out good luck.

- JWM


The last message they sent me was this, and please note the way he refers to me as mister, like seriously... DAFUQ?

Mr JWM

I'm not fishing or phishing, it's all good... I was just meaning what state, but I respect your right to privacy as well as your assistance and suggestions... I'm just a newbie and not a computer nerd.... It wasn't my intention to come across like that, to offend you or for anything sinister....

thanks for your help, I had got that gpg4win going before you messaged, I also got a file encryption program, so I feel a lot better with the direction I'm heading..... I'm not confident with how to use the codes or send a message, I guess it's just a matter of finding somebody to exchange messages with, I had a link on one of the forums that suggested they would help... I guess I should trial and error it before purchasing...

I will be looking into this whole VPN thing, I thought TOR alone protected you, such a newbie, I am...

I had heard or privacy note, which i had since read is all bullshit.... so i will be using these other methods to protect all detail and files related to SR....

thanks so much for your help and advice, I really appreciate it.... you are a good judge of character cause I had no malicious intention, I found it kind of funny your advice if I was phishing, to be less discreet, lol.......obviously I'm not dumb if that's what I was doing, I would have been a whole lot more discreet and targeted somebody that was way less intelligent than you.... but as a self proclaimed newbie.... I'm a little wet behind the ears to say the least.....

again I very much appreciate your assistance, its hard to find good people like you that would even care to help some random stranger that in places like this will be quite often phishing, scamming or just be self righteous arseholes....... i will be busy further investigating and trying to implement the processes of protection you have advised....

what's LE? I have seen it around a bit, I also know my status makes me look a little suspicious as I'm sure a lot of scam accounts have no purchases, but I want to protect myself and everybody else before jumping on in....

when you said about "red flagging account" would that be happening when you open tor or depending on what you are searching on tor or just when and if you make sales or purchases?

without trying to sound like a brown tongue you're the man!


VERY FUCKING STRANGE! I'M OFF TO WORK ON A JOB SITE ALL DAY, THERE'S SOME INFO FOR YOU YA BASTARD!!!  :P

What do you all think I would be interested to see?  ???

- JWM  8)


Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: astor on May 21, 2013, 09:11 pm
That is confirmed malware. I just spoke to someone who visited that site, actually ran the Java, and now multiple anti-virus programs detect malware on his computer where there was none before.

Now to determine whether it's LE or some random asshole who wants to install keyloggers to steal account credentials, or possibly enumerate the IP addresses of vendors and blackmail them.
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: jameslink2 on May 21, 2013, 09:46 pm
I got this today and knew something was up.

Want to know what it does?

So, I did a wget to grab the index.

Seems it attempts to download an exe from www.claimfreebitcoins.co.uk

I am betting the EXE is a rootkit/Trojan for windows.

Just one more reason to run Linux.
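What the "wget the index and read it" step above looks like as an offline check, added here as an example (my code, not jameslink2's or anyone else's in this thread): it scans a saved HTML page for applet/embed/object tags and for references to executables or jar files, and lists any third-party hosts those references point at. The sample page is constructed; the hostnames are the two named in the thread, while the tag contents, file names and the PLACEHOLDER path are made up.

```python
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a saved index page. The hostnames are the ones named in
# this thread; the tags, file names and the PLACEHOLDER path are made up for the
# example and are not the real page's contents.
SAMPLE_INDEX = """<html><head><title>video</title></head>
<body>
<p>Loading player...</p>
<applet code="Client.class" archive="Client.jar" width="1" height="1"></applet>
<embed type="application/x-java-applet" code="Client.class">
<a href="http://www.claimfreebitcoins.co.uk/PLACEHOLDER/javaupdate.exe">update</a>
<script src="player.js"></script>
</body></html>
"""

# Tags that hand control to a browser plugin (Java, Flash, ...) and file types a
# video page has no business serving.
PLUGIN_TAGS = {"applet", "embed", "object"}
RISKY_EXTENSIONS = (".exe", ".jar", ".scr", ".msi", ".dll", ".class")
REF_ATTRS = ("href", "src", "archive", "data", "code", "codebase")


@dataclass
class ScanReport:
    plugin_tags: list = field(default_factory=list)  # (tag, attrs) seen
    binaries: list = field(default_factory=list)     # refs to risky file types
    offsite_hosts: set = field(default_factory=set)  # hosts other than the page's

    def is_suspicious(self) -> bool:
        return bool(self.plugin_tags or self.binaries)


class IndexScanner(HTMLParser):
    """Collects plugin tags and file/host references from a saved HTML page."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.report = ScanReport()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in PLUGIN_TAGS:
            self.report.plugin_tags.append((tag, attrs))
        for key in REF_ATTRS:
            if attrs.get(key):
                self._check_ref(attrs[key])

    def _check_ref(self, ref: str):
        parsed = urlparse(ref)
        if parsed.path.lower().endswith(RISKY_EXTENSIONS):
            self.report.binaries.append(ref)
        host = parsed.netloc.lower()
        if host and host != self.page_host:
            self.report.offsite_hosts.add(host)


def scan_index(html: str, page_host: str) -> ScanReport:
    """Scan a saved page fetched from page_host; never fetches anything itself."""
    scanner = IndexScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.report


if __name__ == "__main__":
    report = scan_index(SAMPLE_INDEX, "www.videoupload.us")
    print("suspicious:", report.is_suspicious())
    for tag, attrs in report.plugin_tags:
        print("plugin tag:", tag, attrs)
    for ref in report.binaries:
        print("binary ref:", ref)
    print("off-site hosts:", sorted(report.offsite_hosts))
```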
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: quixotist on May 21, 2013, 10:14 pm
To stop obvious scams like this, it might be useful to give vendors the option to disallow messages from users who both don't have enough money in their accounts to buy their cheapest item and have made no purchases. It should be enabled by default.
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: astor on May 21, 2013, 10:29 pm
This is the exact malware on that site. It's a Trojan downloader:

https://www.virustotal.com/en/file/35970e91c4d3364f8b05f5b40d892224084c7fc207af4db8165ebf6ca9bd5357/analysis/

The checksums on the Client.jar file are the same.

AVG has also detected rootkits in my VM.

On Windows XP, the files ntoskrnl.exe and hal.dll get infected.
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: Fallkniven on May 21, 2013, 10:37 pm
A friend had some extremely strange shit happen to them yesterday while browsing over Tor/SR. Vidalia crashed with an application error (see log below), so they rebooted the system and upon reloading found that Malwarebytes Anti-Malware had its definitions and some critical program files DELETED, which had to be re-installed. MSSE, Super Anti-Spyware, Malwarebytes Anti-Malware & Spybot Search/Destroy, all fully updated to the latest definitions, have found no malware on this system. I'd like to check to see if my friend has visited this site over clearnet for some stupid reason and not told me about it.

Vidalia log - strange never seen this before! (this happening after reading about this malware javascript website is even stranger)

Faulting application name: vidalia.exe, version: 0.2.21.0, time stamp: 0x50ba3144
Faulting module name: QtGui4.dll, version: 4.8.1.0, time stamp: 0x4f6c7cef
Exception code: 0xc0000005
Fault offset: 0x0068a99d
Faulting process id: 0x500
Faulting application start time: 0x01ce55e365c83a52
Faulting application path: Z:\Tor Browser\App\vidalia.exe
Faulting module path: Z:\Tor Browser\App\QtGui4.dll
Report Id: 954d1368-c200-11e2-b8a3-00a0d5ffffae


Friend said that they had no trouble whatsoever before this 'crash', everything was apparently working well. It may be nothing at all, but I'd like to be sure that their system is clean, this whole thing is just way too much of a coincidence... I might just do a low level format of their drive and re-install Winblows - and suggest they only visit SR through Tails.

(edit - got the site name - www.video******.us - thanks...)

(edit 2 - i'll re-scan the system with some different scanners, apparently MBAM & SAS don't recognize the virus)
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: Baraka on May 21, 2013, 10:40 pm
Java rootkits are all the rage these days. Totally disable and delete Java if you really don't need it and don't ever click on suspect links. As a default, the Tor browser setup should be able to completely cut off Java since it's so compromising and dangerous. I guess that'll be the next step for Tor Project.
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: astor on May 21, 2013, 10:46 pm
I "cleaned" the files, rebooted and now there are more rootkits.

Anti-virus programs are fucking snake oil. It's a sham industry. If you got hit with this, format your hard drive and do a clean reinstall.

I'm deleting my VM now...
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: Baraka on May 21, 2013, 10:54 pm
Ask him to check his system processes under Task Manager (ctrl-alt-del). I check this regularly to see if anything is running in there that shouldn't be.

Running antivirus like something from Malwarebytes, and TDSSKiller from Kaspersky after a thorough scan, will expose and tear apart all known rootkits that I've ever come across. All viruses and rootkits operate the same way and expose themselves pretty easily. The only question is, how do they hide on your system and how do they replicate? A lot will bury themselves deep in regular system directories and mark themselves as hidden. They all need a foothold in the registry too. Even if you manage to delete them, they'll replicate and copy themselves elsewhere. The task manager and registry editor are generally disabled by some rootkits to prevent identification and removal. A well written rootkit is a real bitch to remove manually.

The right antivirus setup with enough monitoring from you will be able to prevent any infections before they even start. Download a good boot CD too. It'll save your system one of these days. Count on it.

Friend said that they had no trouble whatsoever before this 'crash', everything was apparently working well. It may be nothing at all, but I'd like to be sure that their system is clean, this whole thing is just way too much of a coincidence... I might just do a low level format of their drive and re-install Winblows - and suggest they only visit SR through Tails.
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: Fallkniven on May 21, 2013, 10:55 pm
Who's to say it's not the Anti-virus program companies that are bringing out all the new Virii to sell more copies of their useless products?

 :o    :-X
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: quixotist on May 21, 2013, 10:57 pm
A friend had some extremely strange shit happen to them yesterday while browsing over Tor/SR. Vidalia crashed with an application error (see log below), so they rebooted the system and upon reloading found that Malwarebytes Anti-Malware had its definitions and some critical program files DELETED, which had to be re-installed. MSSE, Super Anti-Spyware, Malwarebytes Anti-Malware & Spybot Search/Destroy, all fully updated to the latest definitions, have found no malware on this system. I'd like to check to see if my friend has visited this site over clearnet for some stupid reason and not told me about it.

That sounds suspicious as hell, I'd have to assume that their system is not clean. I usually use Tails in a VM for all my Silk Road activity so this sort of thing can't happen.

Exception code: 0xc0000005
That is an exception caused by the program accessing memory at a location which does not belong to it, the location may well be provided by a remote attacker. So this might be evidence of a remote attacker trying to inject a program into the victim's system. I would personally be rather worried about that, but I could just be being paranoid.

I suggest your friend disable their network connection, back up their documents and stuff, wipe their system and use a Tails VM for Tor in future.
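The crash report quoted in Fallkniven's post, parsed and triaged the way quixotist reads it, as an added example (my code, not any poster's). It decodes the NTSTATUS exception code (0xc0000005 is STATUS_ACCESS_VIOLATION) and checks whether the faulting module was loaded from the application's own directory, which is the first thing to look at before reading anything into a crash; the sample input is the report as it appears in the thread.

```python
import ntpath

# Crash report quoted in Fallkniven's post, used here as the sample input.
SAMPLE_REPORT = r"""Faulting application name: vidalia.exe, version: 0.2.21.0, time stamp: 0x50ba3144
Faulting module name: QtGui4.dll, version: 4.8.1.0, time stamp: 0x4f6c7cef
Exception code: 0xc0000005
Fault offset: 0x0068a99d
Faulting process id: 0x500
Faulting application start time: 0x01ce55e365c83a52
Faulting application path: Z:\Tor Browser\App\vidalia.exe
Faulting module path: Z:\Tor Browser\App\QtGui4.dll
Report Id: 954d1368-c200-11e2-b8a3-00a0d5ffffae
"""

# NTSTATUS values that commonly appear as "Exception code" in these reports.
EXCEPTION_CODES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0x80000003: "STATUS_BREAKPOINT",
    0xE0434352: "CLR_EXCEPTION",
}
# Memory-safety faults: usually an ordinary bug, but also the crash class an
# exploit attempt produces, so they earn a second look rather than a shrug.
MEMORY_SAFETY = {0xC0000005, 0xC0000409, 0xC0000374, 0xC00000FD}

KEY_MAP = {
    "faulting application name": "application_name",
    "faulting module name": "module_name",
    "exception code": "exception_code",
    "fault offset": "fault_offset",
    "faulting process id": "process_id",
    "faulting application start time": "start_time",
    "faulting application path": "application_path",
    "faulting module path": "module_path",
    "report id": "report_id",
}
HEX_FIELDS = ("exception_code", "fault_offset", "process_id", "start_time")


def parse_fault_report(text: str) -> dict:
    """Parse the 'Faulting application ...' text of a Windows Application Error event."""
    report = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(", ")  # name lines carry ", version: ..., time stamp: ..."
        head_key, head_val = parts[0].split(": ", 1)
        name = KEY_MAP.get(head_key.strip().lower(),
                           head_key.strip().lower().replace(" ", "_"))
        report[name] = head_val.strip()
        # version/time stamp on a name line belong to that application or module
        prefix = name.split("_")[0] if name.endswith("_name") else ""
        for part in parts[1:]:
            key, val = part.split(": ", 1)
            key = key.strip().lower().replace(" ", "_")
            report[f"{prefix}_{key}" if prefix else key] = val.strip()
    for key in HEX_FIELDS:
        if key in report and report[key].lower().startswith("0x"):
            report[key] = int(report[key], 16)
    return report


def triage(report: dict) -> dict:
    """Decode the exception and check where the faulting module was loaded from."""
    code = report.get("exception_code")
    app_dir = ntpath.dirname(report.get("application_path", "")).lower()
    mod_dir = ntpath.dirname(report.get("module_path", "")).lower()
    return {
        "exception_name": EXCEPTION_CODES.get(code, "UNKNOWN"),
        "memory_safety_class": code in MEMORY_SAFETY,
        "module": report.get("module_name"),
        "module_in_app_dir": bool(app_dir) and mod_dir == app_dir,
        "fault_offset": report.get("fault_offset"),
    }


if __name__ == "__main__":
    parsed = parse_fault_report(SAMPLE_REPORT)
    for key, value in triage(parsed).items():
        print(f"{key}: {value}")
```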
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: quixotist on May 21, 2013, 11:10 pm
Ask him to check his system processes under Task Manager (ctrl-alt-del). I check this regularly to see if anything is running in there that shouldn't be.

If we're assuming that this is a different issue than in the OP then we aren't going to find a new rootkit this way, nor will antivirus help. If we're looking at a directed attack against Tor users then the level of sophistication is likely way beyond anything written by a teenage carder/phisher, the only way to be sure is to nuke it from orbit: burn the OS and start fresh.
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: medicalcannibas420 on May 21, 2013, 11:17 pm
I got that same message.....I just said ya funny..... :)
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: Libertas on May 21, 2013, 11:28 pm
Please see the sticky here regarding this issue:
http://dkn255hz262ypmii.onion/index.php?topic=161834.msg1151889#msg1151889

Libertas
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: whorledpeas on May 22, 2013, 12:22 am
Good to know - I was curious and didn't understand the ramifications - keep the info coming
wp
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: Jack N Hoff on May 22, 2013, 01:00 am
Anti-virus programs are fucking snake oil. It's a sham industry.

Yeah.  I've read that a perfect AV could be developed but no one will do it because you make your money on subscriptions and updates and such.
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: quixotist on May 22, 2013, 01:23 am
Anti-virus programs are fucking snake oil. It's a sham industry.

Yeah.  I've read that a perfect AV could be developed but no one will do it because you make your money on subscriptions and updates and such.
It's not possible if you want to run arbitrary programs on your computer. In order to make a perfect antivirus you'd need to write a program that can determine whether any other program on the system will do something untrustworthy. One program can't read another program and decide whether it will continue forever or stop after a while (see Wikipedia: halting problem) so it has no chance of knowing a program's intentions.

The only way to prevent viruses and trojans is to have every program signed by someone who is trusted to decide what you can and can't run, and if Microsoft decided that for you then I bet they wouldn't let you run Tor.

I agree with astor though in that antivirus programs are snake oil, the entire industry is built on top of Windows being shit and the fear that it causes.
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: Baraka on May 22, 2013, 11:02 am
If you think this is something new, then how come this rootkit is readily detectable by 31 out of 47 antivirus apps after being around for only 5 days?

The fact is this is NOT something new. The only thing fairly new about it is that it's a Java applet, which has been a very popular way of infecting PCs over the past couple of months. Other than that, it writes to the registry and disk, then replicates itself when you find it and try to delete it. That's standard rootkit behavior. People here have gone about disinfecting their systems in the same way that others have when dealing with other rootkits.

Its purpose may very well be to unmask Tor users, but it obviously wasn't very successful because everyone noticed it right away. If anything, this event reinforces the need for a VPN for times when shit like this happens.

Ask him to check his system processes under Task Manager (ctrl-alt-del). I check this regularly to see if anything is running in there that shouldn't be.

If we're assuming that this is a different issue than in the OP then we aren't going to find a new rootkit this way, nor will antivirus help. If we're looking at a directed attack against Tor users then the level of sophistication is likely way beyond anything written by a teenage carder/phisher, the only way to be sure is to nuke it from orbit: burn the OS and start fresh.
Title: Re: Law Enforcement on SR??? PLEASE READ
Post by: primeroll on May 22, 2013, 10:04 pm
Yeah, it's pretty lame. I closed Tor and activated my VPN software and went to the link for the sake of science and let it run for approximately 3 seconds, then closed that shit and made a thread about it :P