On 08/13/2014 03:01 PM, Anders Andersson wrote:
> On Wed, Aug 13, 2014 at 12:06 PM, <blo...@openmailbox.org> wrote:
<SNIP>
>> How, in this case, was it possible for the FBI to learn the IP
>> addresses of visitors to this hidden service? The Tor hidden server
>> page states that "In general, the complete connection between
>> client and hidden service consists of 6 relays: 3 of them were
>> picked by the client with the third being the rendezvous point and
>> the other 3 were picked by the hidden service."
>>
>> Can someone knowledgeable please explain how visitors to a Tor
>> hidden service can have their real IPs detected?
>
> AFAIK the malware used javascript to break the users' browsers. As
> someone who argues against using javascript in any context, I can
> only say "told you so", but that doesn't really help anyone. :)
>
> Because they managed to get into the client browser, they could
> learn the real IP address and MAC address; they didn't learn this
> through Tor.

This is an old story. Here is an explanation from Wired[0]:

> The heart of the malicious Javascript was a tiny Windows executable
> hidden in a variable named “Magneto.” A traditional virus would use
> that executable to download and install a full-featured backdoor, so
> the hacker could come in later and steal passwords, enlist the
> computer in a DDoS botnet, and generally do all the other nasty
> things that happen to a hacked Windows box.
>
> But the Magneto code didn’t download anything. It looked up the
> victim’s MAC address — a unique hardware identifier for the
> computer’s network or Wi-Fi card — and the victim’s Windows hostname.
> Then it sent it to a server in Northern Virginia, bypassing
> Tor, to expose the user’s real IP address, coding the transmission as
> a standard HTTP web request.
>
> “The attackers spent a reasonable amount of time writing a reliable
> exploit, and a fairly customized payload, and it doesn’t allow them
> to download a backdoor or conduct any secondary activity,” said Vlad
> Tsyrklevich, who reverse-engineered the Magneto code, at the time.
>
> The malware also sent a serial number that likely ties the target to
> his or her visit to the hacked Freedom Hosting-hosted website.

They didn't get the "real" IP address through the browser. Magneto just sent information to the FBI's server directly, rather than through Tor. Also, Magneto is a Windows executable ;)

Proper firewall rules would have prevented that leak. Those using Whonix weren't affected, because nothing in the workspace knows the "real" IP address (and also because it's Debian, not Windows).

[0] http://www.wired.com/2013/09/freedom-hosting-fbi/

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
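The "proper firewall rules" the reply above refers to, written out as an added example that is not part of the thread: a Tor-only egress policy for a Linux host running a local Tor daemon, where only the tor user may talk to the network and everything else is either transparently redirected into Tor or logged and dropped. The tor uid, TransPort and DNSPort are placeholders to be taken from the host's torrc.

```shell
#!/bin/sh
# Added example, not from the thread: a "Tor-only egress" packet filter
# for a Linux host running a local Tor daemon. Traffic not originating
# from the tor user is transparently redirected into Tor or dropped, so a
# payload that tries to bypass Tor (like the Magneto HTTP request above)
# either exits through Tor or hits the log and never reaches the network.
# Assumptions (placeholders, adjust to your torrc): Tor runs as uid $1
# with TransPort $2 and DNSPort $3 bound on localhost.

tor_only_rules() {
  tor_uid="$1"; trans_port="$2"; dns_port="$3"
  cat <<EOF
*nat
:OUTPUT ACCEPT [0:0]
# Loopback and the Tor daemon itself are left alone.
-A OUTPUT -o lo -j RETURN
-A OUTPUT -m owner --uid-owner ${tor_uid} -j RETURN
# Everything else is transparently redirected into Tor.
-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports ${dns_port}
-A OUTPUT -p tcp --syn -j REDIRECT --to-ports ${trans_port}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner ${tor_uid} -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Whatever escaped the REDIRECT (non-TCP/UDP, raw sockets) is logged and
# dropped: a phone-home attempt becomes an alert, not a deanonymisation.
-A OUTPUT -j LOG --log-prefix "tor-egress-leak: "
-A OUTPUT -j DROP
COMMIT
EOF
}

# True when a ruleset has a default-DROP OUTPUT policy and a tor-uid
# exemption, the two properties that make direct egress impossible.
ruleset_is_tor_only() {
  printf '%s\n' "$1" | grep -q '^:OUTPUT DROP' &&
    printf '%s\n' "$1" | grep -q -- '--uid-owner'
}

# Usage: tor_only_rules 109 9040 5353 | sudo iptables-restore
```

The log prefix is the detection hook: any hit on the final LOG rule is a process that tried to reach the network without going through Tor.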