Monday, August 11, 2014

A protest! What's bad stays bad. Legalize any badness and you'll ruin the faith.

The issue:

I think all friends know exactly how InfoSec people will react to this "search warrant" (see the embedded Twitter image or the direct link below). Like it or not, geographically I am part of the "non-US" fraction of InfoSec, and I feel VERY upset about this privacy violation, not to mention the risk of infection damage during our investigation of the affected environment.

Please do not tell the world the story of "freedom of speech", "justice for all", "liberalism", "human rights" or "privacy", since we see that a federal entity of a government doesn't care about infecting thousands of multinational people on an internet service and abusing their privacy rights, just to nail a bunch of pedo porn crooks, while valuable people's rights (including those of cyber crime investigators) were ripped up and violated as "disposable casualties" by this act, through the use of one district's "regular" court warrant. All of this IS WRONG!

This is the well-described reddit thread on the malicious activity verdict in this issue-->[HERE], and the payload sample (called "magneto") as evidence is here-->[HERE]

The protest:

This "Torpedo Affidavit" (linked-->HERE) is not only against our privacy, which has been assumed to be violated silently based on the disclosures in "the Snowden issues"; the worst part is that the problem has now been ESCALATED..

Why? This search warrant LEGALIZED the usage of malware and was actually used as permission to infect thousands of internet users accessing several services in onion land. Taking this further, it will motivate bad people to use malware / malicious methods even more!

(Legalizing the usage of malware in these operations means: luring victims with a hidden frame to get infected with malicious code, performing a drive-by download using a zero-day exploit aimed at the affected vulnerable browser software to execute and install a program (script) that injects malicious shellcode as the payload, which then calls back to a CNC host to send affected system & location data, which is part of the privacy of the affected innocent internet users! Does this MO ring any bell to you? Does it sound like a cyber crook operation you know?)

This is a matter of VERY basic principle to all of us.

How are we supposed to suppress malware growth now if a "regular court order" (linked-->HERE) from a country known as the creator of the internet has PUBLICLY (I say publicly since that warrant is searchable and viewable without secrecy) legalized the usage of malware??

There are still more options to dig up & use, and there are tons of good folks out there who are happy and willing to help law enforcement nail porn crooks in onion-land, yet WHY must the nastiest offensive way be chosen?? You can come to people like us, for example, and we can show you interesting ways to track the bad "Tor" "Pedo" users (hence it is called the "Torpedo" operation) WITHOUT USING MALWARE! Why didn't you consider that, ask about that, or do that before? There are many greatly skilled hackers in the United States who can get this done in more legit ways.

This is going to be written in the history of malware, like: "In 2014 (correction: 2012) a US court publicly issued a search warrant to allow the FBI to use the "malware method" on ..etc etc etc.." < How does it sound? (Thanks to the "friend" with the initials AP who contacted me and corrected the date!)

We're off the field then; go pick up some other players to play in this nasty setup game. This is just way out of line for all of us. Ah, yes, BTW, you can expect us to STOP sharing malcodes and samples with you guys, because I am afraid that evil technology will be misused for a similar purpose later on.. and that will surely be LEGALIZED too, to hit all of us back someday under whatever reason, right!? Or even worse..

I still can't believe my eyes. After reading, dissecting samples, and checking the facts: we keep the faith, that faith that has mutually supported our collaboration, our research and our sharing, it's our heartbeat...and it has been ruined. What is BAD is just BAD, no matter what excuse is given for it!

Unless something is done accordingly from the US side to put the perception back in the right place, this will be my last post on our beloved internet as malwaremustdie.

Oh yes, and I am damn serious about everything I wrote!

Supporting information and articles on the issue:

http://www.wired.com/2014/08/operation_torpedo/
http://reason.com/blog/2014/08/06/fbi-tracking-tor-users
http://www.wowt.com/home/headlines/Fed-Tactics-on-Trial-in-Porn-Case-255716621.html
Twitter thread twitter.com/csoghoian/status/496700679084597249
https://www.facebook.com/malwaremustdie

Internet feedback:

So that's your excuse to legitimize the wrong perception that your country's court legalized? The Russian or Chinese governments NEVER issue warrants to legalize any malware. And you are saying something like: "if scum can do scum acts to us.. then good folks can act as scum do too?" No way, my friend. I was called a "vigilante" by some media for things that I didn't even do; "that operation" was not aiming only at specific targets but at all people who visited the websites, including investigators too. What would this mass infection of malware & public privacy exploitation be called then??


I am NO QUITTER and you don't know me THAT well! This is a principled matter of what's RIGHT and what's WRONG that has to be implemented on the web. And that act is as WRONG as the malware itself.


Yep. Damn right I will.


And that act isn't doing any greater good for any of us. BTW.. Want people like us to keep on VOLUNTEERING, working hard fighting malware?? Well.. we have some conditions, like:
KEEP THE FAITH (DO IT THE RIGHT WAY)!! We can still make a good fight without infecting innocent people and acting like crooks! So STOP USING MALWARE and revoke that idiotic warrant!
What's the matter with you guys?!! Why are you giving up your own values like this? Wake up America!! Geez..


Nope! It is a PROTEST, not drama.


..as they can make their decision, I can decide mine too.

If a country starts to openly and shamefully play "anarchy" by infecting people with malware, thinking they are okay to do that, then let THAT COUNTRY clean up all of its malware by itself without us! It's their internet after all, isn't it?


Oh, I had no plan on quitting; in fact there are at least 3 events we planned to attend & be speakers at. Why should I use the "Snowden buff" as an excuse for us quitting? I don't care about Snowden and the mass espionage he disclosed, because I can't comprehend what happened, and it is not my territory to judge him or what he did.

But I do care about THIS CASE since it is about stuff that I know well: legitimizing a malware that actually mass-infected a public network..just to aim at some porn crooks..it's a huge difference.

There are SO MANY ways to trace the bad Tor users without using malware, and I believe the Tor Project folks will always cooperate with law enforcement. Why should law enforcers use a technique that is commonly used to break the LAW itself? Since when did we all start to allow the government we've chosen, operating with our tax money, to use malware to infect ourselves?? Who gave that OK? And does he really understand the impact of that decision before signing the warrant?? I think an illegal method of collecting evidence doesn't mean much at a crime trial at all, no? Does the US Congress know about this matter and approve of the method used in this "operation"?? Further, I am telling you all that these methods won't give ANY good nor merit to the USA in your coalition to fight cyber crime, and that will weaken you.

KEEP THE FAITH!! It's all we ask. There are good people out there in onionland too, who are sacrificing hours after work doing something good and keeping that faith to help your LEA, and they got infected by malware from that operation too! If we can keep faith, why can't you??


I can answer this question practically, principally and morally speaking:

They are all answered with a "YES".


Malware Must Die is the name. We are against the usage of malware by anyone, whoever the target is, or for whatever purpose! Every malware is naturally designed to do bad things: to infect, to steal, to spy, to manipulate, to attack or to destroy. That is why it is called MAL-WARE = MALICIOUS SOFTWARE. There is nothing good that can come from using them. There is no excuse to legitimize any usage of malware for any reason, and in this case it is so WRONG to invade the privacy of multinational worldwide people by infecting thousands of PCs of innocent internet users with malware just to get 12 IDs of crooks!! We don't have to be a "jerk" to nail a "jerk"; there are more intelligent ways, more legal procedures applicable, more legit facilities to use, and more cooperation between good people that can be utilized.


You're damn right! We're not politicians. Enough talking, let's start walking. So as you have just challenged, here is the follow-up:


We DO VALUE every effort we make; the action taken is breaking those values apart, and that's why we are protesting.
Our protest is the reaction to that action; I don't care if nobody cares.


A bad misinterpretation of our protest:


Putting things right! THE MALWARE ANALYSIS:

As you can see in the analysis above, the malicious hidden IFRAME redirector driven by JavaScript, which is implemented in some pages under the Freedom Hosting site, redirects users matching the criteria Windows OS and Firefox browser to a specific .onion domain to exploit the 0day CVE-2013-1690 and execute shellcode as the payload. The shellcode part of the operation (we do not expose all of it for etiquette purposes) sends ARP to the remote host followed by an HTTP/1.1 GET to a host in the USA that has no specific registered organization listed (ghost block IP), with the trace below:

65.222.202.54
ASN: 701 / UUNET
Prefix: 65.192.0.0/11
Vienna, Virginia, United States, North America
38.9012,-77.2653 Verizon Business
It's beyond any doubt now that sensitive information (READ: PRIVACY) is sent to this remote host: (1) the infected PC's hostname, (2) the MAC address (attached in the packet) and (3) the IP address. Not to mention (4) the environment: the cookie (with other sensitive data) which was installed on the infected PC can be used for tracking and identifying users of Tor/onion anonymous services.
Below is the evidence, a snapshot of the traffic capture.
PCAP picture in big image-->[HERE]
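As an added example (not the MalwareMustDie team's code), a small defender-side check over constructed HTTP request records that flags the callback traffic described above: requests to the 65.222.202.54 host or its 65.192.0.0/11 prefix, and requests carrying a MAC address or a tracking cookie. The pipe-separated record format, its field names and the sample lines are assumptions made for this example.

```python
import ipaddress
import re

# Indicators taken from the post: the callback host and the UUNET prefix it sits in.
CALLBACK_IP = ipaddress.ip_address("65.222.202.54")
CALLBACK_PREFIX = ipaddress.ip_network("65.192.0.0/11")
# A MAC address written with ':' or '-' separators anywhere in the request.
MAC_RE = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f])")

# Constructed sample records (not a real capture): ts|src|dst|method|host|uri|cookie
SAMPLE_LOG = """\
1407700001|10.0.0.5|93.184.216.34|GET|example.org|/index.html|-
1407700002|10.0.0.5|65.222.202.54|GET|65.222.202.54|/?h=WORKSTATION-7&m=00-0C-29-3A-1B-2C|ID=DEADBEEF
1407700003|10.0.0.9|65.222.202.54|GET|65.222.202.54|/|-
1407700004|10.0.0.5|65.200.1.1|GET|cdn.example|/a.js|-
"""
FIELDS = ("ts", "src", "dst", "method", "host", "uri", "cookie")

def parse_record(line):
    """Split one pipe-separated record into a dict; None if malformed."""
    parts = line.strip().split("|")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def classify(rec):
    """Return the indicator names matching this record (empty list = clean)."""
    hits = []
    try:
        dst = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return hits
    if dst == CALLBACK_IP:
        hits.append("callback-ip")          # exact host from the capture
    elif dst in CALLBACK_PREFIX:
        hits.append("callback-prefix")      # low confidence: a /11 is a big block
    if MAC_RE.search(rec["uri"]) or MAC_RE.search(rec["cookie"]):
        hits.append("mac-in-request")       # MAC address leaving the host over HTTP
    if "callback-ip" in hits and rec["cookie"] != "-":
        hits.append("tracking-cookie")      # identifier presented to the callback host
    return hits

def scan(log_text):
    """Return (src, dst, hits) for each record matching at least one indicator."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        hits = classify(rec) if rec else []
        if hits:
            alerts.append((rec["src"], rec["dst"], hits))
    return alerts
```

Running scan(SAMPLE_LOG) yields three alerts; only the second sample line carries every indicator, which is the combination the post's capture shows.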

That's the evidence you're all asking for.

Malware MUST Die! /* Including the legalized one! */