The issue:
I think all friends know exactly what will InfoSec people react to this "search warrant" (see twitter embedded image or direct link below). Like it or not, geographically I am a part of one of InfoSec as a "non-US" fraction and feeling VERY upset about this privacy-violation, not to mention the risk of having infection damage during our process of investigation in the affected environment.
Please do not tell the world about the story of "freedom of speech", "justice for all", "liberalism", "human rights" or "privacy", since we see that federal entity of a government doesn't give a care to infect thousands multinational people in the internet service, abusing their privacy's right, just to nail a bunch of pedo porn crooks, where valuable people's rights (which includes cyber crime investigators) were getting ripped and violated as a "disposable casualties" by this act, by the usage of one where-about district's "regular" court's warrant, which this is all IS WRONG!.
This is the well-described reddit thread for the malicious activity verdict in this issue-->[HERE] with the payload sample (called "magneto") as evidence, is in here-->[HERE]
The protest:
I AGAINST this warrant, unless things is put into right place or this is my last post. More: https://t.co/Y374ZoLCtY pic.twitter.com/ecA6qHn0s1
— MalwareMustDie, NPO (@MalwareMustDie) August 10, 2014
This "Torpedo Affidavit" (linked-->HERE) is not only against our privacy, which it has been assumed to be violated silently based on disclosure in "the Snowden issues", but the worst part of the problem has been ESCALATED now..
Why? This search warrant was LEGALIZING the usage of malware and actually was being used as permission to infect thousands internet user accessing several services in the onion land, and taking this further, it will motivate bad people to also use malware / malicious methods more!
(Legalizing the usage of malware in the aspect of these operations: luring victims w/hidden frame to get infected with a malicious code by performing a drive-by-download compromising effort with using zeroday exploit to aim the affected vulnerable browser software to execute and to install a program (script) to infect malicious shellcode as the payload, to then calling-back to CNC host to send affected system & location data which is part of the privacy components of the affected innocent internet users!,..these MO ring any bell to you? Does it sounds like a cyber crook operation you know?)
This is a VERY principle matter to all of us.
@ejhilbert @csoghoian @ubentobox You missed the punchline. They are using those "regular warrants" to infect everyone visiting the website.
— Kevin Don (@mrkevindon) August 5, 2014
How we suppose to suppress malware growth now if a "regular court order" (linked-->HERE) from a country that is known as creator of the internet is PUBLICLY (I said publicly since that warrant is searchable and view-able w/o secrecy) legalized the usage of malware??
There are still more options to dig up & use, and there are tons of good folks out there who are happy and willing to help the law enforcement to nail porn crooks in onion-land, yet WHY yet the nastiest offensive way must be chosen?? You can come to people like us, for example, and we can show you interesting ways to track the bad "Tor"'s "Pedo" users (hence it is called "Torpedo" operation) WITHOUT USING MALWARE! Why didn't you consider that, asking about that, or, do that before? There are many great skilled hackers in United States that can get this done in more legit ways.
To @FBI why you must use driven-by-download #malware for THAT? There're still many other options w/o violating privacy+utilizing bad method!
— MalwareMustDie, NPO (@MalwareMustDie) August 10, 2014
This is going to be written in the history of malware, like, "In 2014 2012 US Court publicly issued search warrant to allow the FBI to use "malware method" on ..etc etc etc.." < How does it sound? (Thank's for the "friend" initialed AP who contacted and correction the date! )
@ejhilbert If the FBI is running arbitrary code in on my computer, and doing so requires a browser exploit, they're using malware.
— Christopher Soghoian (@csoghoian) August 5, 2014
@ejhilbert No. If they are exploiting a flaw in your browser's security system to deliver & execute code in computer memory, it is a search
— Christopher Soghoian (@csoghoian) August 5, 2014
@pwnallthethings Using malware without explicitly telling judges is a really bad thing. That happened here.
— Christopher Soghoian (@csoghoian) August 5, 2014
We're off the field then, go pick up some other players to play in this nasty setup game, this is just way out of line for all of us. Ah, yes, BTW, you can expect us to STOP sharing malcodes and samples to you guys because I am afraid those evil technology will be misused for the similar purpose later on.. that will be surely LEGALIZED also to hit all of us back too someday under what-ever reason, right!? or even worse..
@csoghoian legit sites like TOR mail were also on that server :/ @thegrugq @octal
— fl0wn (@fl0wn_) August 5, 2014
@csoghoian OK. Actually read the warrant now. Tl;dr: anyone viewing images on a private CP website would be hacked to send their IP to FBI
— Pwn All The Things (@pwnallthethings) August 5, 2014
@csoghoian Yes. They call it a "network investigative technique", which sends env-vars, regkeys, and IP to FBI, but otherwise does nothing.
— Pwn All The Things (@pwnallthethings) August 5, 2014
I still can't believe my eyes after reading, dissecting samples, and checking the facts, we keep the faith, that faith that has been mutually supported our collaboration, our research and our sharing, it's our heartbeats...and it has been ruined, what is BAD is just BAD..no matter what excuse it is given to!
Unless something will be done accordingly from the US's side to put the perception back in the right place, this will be my last post on our beloved internet as malwaremustdie.
Oh yes, and I am damn serious about everything I wrote!
Supported information or article on the issue:
http://www.wired.com/2014/08/operation_torpedo/
http://reason.com/blog/2014/08/06/fbi-tracking-tor-users
http://www.wowt.com/home/headlines/Fed-Tactics-on-Trial-in-Porn-Case-255716621.html
Twitter thread twitter.com/csoghoian/status/496700679084597249
https://www.facebook.com/malwaremustdie..
Internet feedbacks:
@MalwareMustDie Honestly, this isn't anything new or an American problem. Russia and China are just as guilty or more so of invading rights
— Walter White (@WalterWhiteSec) August 10, 2014
So that's your excuse to legitimate the wrong perception that your country's court legalized? Russian or China government NEVER issue warrant to legalize any malware. And you are saying something like: "if a scum can do us a scum acts.. Then good folks can act as scums do too?" No way, my friend. I was called as "vigilante" by some media for the things that I didn't even done, "that operation" was not aiming only specific targets but all people who visited the websites, including investigators too, what would this mass-infection of malware & public privacy exploitation be called then??
@MalwareMustDie seems like you are letting malware win leaving like this, I seriously thought that #malwaremustdie
— Robert Šefr (@robert_sefr) August 10, 2014
I am NO QUITTER and you don't know me THAT well! This is a principal matter of what's RIGHT and what's WRONG that have to be implemented in the webs. And that act is as WRONG as the malware itself.
Damn. "Unless something will be done accordingly in US's side ... this will be my last post in internet as malwaremustdie." @MalwareMustDie
— Mr. Green (@Mario_Greenly) August 10, 2014
Yep. Damn right I will.
@MalwareMustDie Greater good for everyone overall and the security community exists if you make a stand continuing to do what you do
— Walter White (@WalterWhiteSec) August 10, 2014
And that act isn't doing any greater good for any of us. BTW.. Want people like us to keep on VOLUNTEERING working hard fighting malware?? Well.. we have some conditions like:
KEEP THE FAITH (DO IT THE RIGHT WAY)!! We can still make a good fight without infecting innocent people and act like a crook! So STOP USING MALWARE and revoke that idiotic warrant!
What's the matter with you guys?!! Why you're giving up your own values like this? Wake up America!! Geez..
@MalwareMustDie Don't you think it's a bit too much drama atm..?
— Kira 2.0 (@VriesHd) August 10, 2014
Nope! It is a PROTEST, not drama.
@MalwareMustDie You can protest the US and not leave the scene at the same time
— Link Cabin (@LinkCabin) August 10, 2014
..as they can have their decision I can decide mine too.
If a country starts to openly and shamefully play "anarchy" in infecting people with malware thinking they are okay to do that, so let THAT COUNTRY clean up all of malware them self without us! It's their internet after all, isn't it?
Oh I had no plan on quitting, in fact there are at least 3 events we planned to attend & being as speakers. Why should I make "Snowden buff" as an excuse for us quitting? I don't care about Snowden and mass espionage he disclosed because I can't comprehend what had happened and that is not my territory to judge him or what he did.
But I do care about THIS CASE since it is about stuff that I know well and legitimizing a malware that actually mass-infected a public network..just to aim some porn crooks..it's a huge difference.
There are SO MANY ways without using malware to trace the bad tor users, and I believe Tor Project folks will always cooperate to law enforcement. Why should law enforcers use technique that is commonly used to break the LAW itself? Since when we all started to allow Government we've chosen, to operate with our tax money, to be OK to use malware to infect our self?? Who gave that OK> And does he really understand the impact of that decision before signing the warrant?? I think an illegal method in collecting evidence doesn't mean much to a crime trial at all, no? Does US Congress know about this matter and giving approval to the method used in this "operation"?? Further,I am telling you all this methods won't give ANY good nor merit for USA in your coalition to fight cyber crime and that will weaken you.
KEEP THE FAITH!! It's all we ask. There are also good people too out there in onionland, who are sacrificing hours after work by doing something good and having those faith to help your LEA, and they got infected by malware from that operation too! If we can keep faith why can't you??
@MalwareMustDie Aren't these the types of attacks the FBI is suppose to be protecting us from?
— Mike Hunt (@VathDator) August 11, 2014
I can answer this question practically, principally and morally speaking:
They all are answered with a "YES".
@MalwareMustDie has sided against state sponsored malware. :D
— Kobra (@voodooKobra) August 11, 2014
Malware Must Die is the name. We against the usage of malware by anyone, to whoever the target is, or for whatever purpose! Every malware is naturally designed to do bad things, to infect, to steal, to spy, to manipulate, to attack or to destruct. That is why it was called as MAL-WARE = MALICIOS SOFTWARE. There is nothing good that can come up by using them, There is no excuse to legitimate any usage of malware by any reasons, and in this case it is so WRONG to evade multinational worldwide people's privacy by infecting malware to thousands PC of innocent internet users just to get 12 ID of crooks!! We don't have to be a "jerk" to nail a "jerk", there are more intellect way, more legal procedure applicable, more legit facilities to use, and more cooperation between good people that can be utilized more.
@MalwareMustDie It is an "easy to agree with" blogpost, but imo you shouldn't go politics, instead go on killing malware, even the fbi one.
— Robert Šefr (@robert_sefr) August 12, 2014
You damn right! We're not politician. Enough talking, let's start walking. So as you has just challenged, it's the follow up:
Friends. We'll disclose CODE used in #OPTorpedo (FBI #Malware), help us to send your sample. CLEAN Onionland!
Upload: http://t.co/LgqYZeS4nK
— MalwareMustDie, NPO (@MalwareMustDie) August 12, 2014
@MalwareMustDie If you actually value you work: Going on strike is pointless, the FBI don't give a fuck.
— MalwareTech (@MalwareTechBlog) August 12, 2014
We do VALUE every effort we do, the action made is breaking those values apart, that's why we are protesting.
Our protest is the reaction of that action, I don't care if nobody care.
A bad misinterpretation of our protest:
@paperghost says that the post is for govt agencies? You missed the point.
— MalwareMustDie, NPO (@MalwareMustDie) August 12, 2014
Putting things right! THE MALWARE ANALYSIS:
FBI #Tor #Malware!!
http://t.co/AMuGLlURV0 http://t.co/0e5esYr1hd http://t.co/tCCP2ELQLQ VT: https://t.co/EtWFq33w66 pic.twitter.com/gkU9Ascfu9
— MalwareMustDie, NPO (@MalwareMustDie) August 12, 2014
As you can see in the analysis above, the malicious hidden IFRAME redirector driven by javascript, which are implemented in some pages under the Freedom Hosting site, is redirecting users matching to criteria Wndows OS and Firefox browser to the specific .onion domain to exploit 0day CVE-2013-1690 and executing shellcode as the payload. The shellcode part of operation is (we do not expose all for etiquette purpose) sending ARP to the remote host followed by HTTP/1.1 GET to a host in USA that has no specific registered organization listed (ghost block IP), with the below trace:
65.222.202.54 ASN: 701 / UUNET Prefix: 65.192.0.0/11 Vienna, Virginia, United States, North America 38.9012,-77.2653 Verizon BusinessIt's beyond any doubt now that sensitive information (READ: PRIVACY): (1) Infected PC hostname, (2) MacAddress (attached in packet) and (3) IP address is sent to this remote host. Not to mention (4) environment, the cookie (with another sensitive data) which was installed in infected PC can be use for tracking and identifying purpose of Tor/onion anonymous service's users.
Below is the evidence of the traffic capture snapshot.
PoC PCAP (pic) of FBI #malware/analysis posted: https://t.co/z5t1OVeKwZ
Case http://t.co/WMuwLbyboj #MalwareMustDie! pic.twitter.com/VMcc1rWnQp
— MalwareMustDie, NPO (@MalwareMustDie) August 13, 2014
PCAP picture in big image-->[HERE]
That's the evidence you're all asking for.
Malware MUST Die! /* Including the legalized one! */