Author: DarkOwl Analyst Team

DarkOwl LLC and Cowbell Cyber Announce Strategic Partnership to Bring Darknet to Cyber Insurance Market

The new partnership between DarkOwl and Cowbell Cyber will add darknet insights into cyber insurance underwriting

Denver, CO – WEBWIRE – Thursday, October 17, 2019

“The darknet is the primary destination for the exchange of hacked data. By partnering with DarkOwl, we will be able to include darknet intelligence in real-time when assessing an organization’s overall risk profile” – Jack Kudale, Cowbell CEO

DarkOwl LLC, a Denver-based cybersecurity company specializing in darknet data, is proud to announce a new innovative partnership with Cowbell Cyber.

Cowbell Cyber, focused on Artificial Intelligence (AI)-powered cyber insurance for small to mid-sized enterprises, is a disruptor in the cyber insurance industry and is changing the way that policies are underwritten. Cowbell will utilize DarkOwl’s platform of searchable darknet data and DARKINT™ Scores, both important data sets to incorporate when assessing the overall cyber risk footprint of any organization.

Mark Turnage, CEO of DarkOwl, says: “We are delighted to be working with Cowbell Cyber, a pioneering firm addressing an important gap in the cyber insurance market. Their approach will improve the insurance industry, and our Scores product will allow Cowbell to quickly measure darknet exposure and its associated risk for organizations seeking cyber insurance.”

Cowbell and DarkOwl agree that as cyber attacks escalate, more commercial insurance carriers are tasked with understanding fundamental cyber risk and underwriting insurance policies to address that risk.  Our partnership is aimed at building industry-wide best practices that will improve the quality of cyber insurance underwriting.

“The darknet is the primary destination for the exchange of hacked data. By partnering with DarkOwl, we will be able to include darknet intelligence in real-time when assessing an organization’s overall risk profile,” stated Cowbell Founder and CEO, Jack Kudale. “DarkOwl’s data brings a critical piece of the puzzle in closing insurability gaps and offering cyber coverage that truly matches businesses’ needs.”

About Cowbell Cyber
Cowbell Cyber maps insurable threats and risk exposures using artificial intelligence to determine the probability of threats and impact on coverage types for the enterprise. In its unique approach to risk selection and pricing, Cowbell combines risk observability with cyber insurance using Cowbell risk-ratings factor to offer standalone, affirmative and individualized coverage. As a result, small to medium enterprises (SMEs) can obtain insurance via brokers using simplified binding and expedited underwriting process. Cowbell Insurance Agency is a fully owned subsidiary of Cowbell Cyber and currently licensed in six states. For more information, please visit https://cowbell.insure/.

About DarkOwl
DarkOwl was founded in 2016 with the mission of using machine learning to collect and index the broadest dataset of darknet content available in the cyber-defense industry, and making that data actionable by its clients. By empowering its customers to have continual eyes on the darknet, DarkOwl enables organizations to fully understand their security posture, detect potential breaches and other threats, and investigate even the furthest and most obscure reaches of the internet.
 

8chan Activates “Emergency Bunker” on Dark Web


UPDATES:

(8/7/19 1:45pm MST): We’ve now learned that Homeland Security has sent a letter to 8chan owner Jim Watkins demanding he come before Congress and answer questions on the site’s extremist content.

(8/7/19 11:30am MST): One of 8chan’s admins published a tweet denying that 8chan is behind the creation of their ZeroNet bunker.


If @CodeMonkeyZ is being truthful, then someone else is responsible for preparing the 8chan ZeroNet bunker on their behalf. We will continue to investigate and update here as we find out more information.

ORIGINAL ARTICLE:

For a long time now, 8chan has known that their days as part of the mainstream internet (or “surface web”) were numbered. In this case, it took an unstable individual publishing a “manifesto” on their site to force an action to migrate to the dark web. The manifesto in question advocated for violence, eugenics, and mass-murder on one of their boards. While the 8chan platform is known for its forums steeped in hate, racism, sexism, offensive humor, and just general derision, this appeared to be the tipping point. There was bound to be something posted by one of their users that crossed a line, which is how 8chan found themselves setting up a potentially permanent camp on the dark web.

For those unfamiliar with the website, 8chan is an online forum that is essentially a mixture of 4chan and Reddit, and is known for its hands-off policy when it comes to moderating user content. This laissez-faire approach is at the heart of the platform. The website itself came about when a frustrated user of 4chan, Fredrick Brennan (known as Hotwheels), felt that 4chan moderators were overstepping rights to free speech by removing content.

Knowing this, it makes some sense that people with perhaps unpopular or fringe viewpoints would find a safe haven in 8chan. And, to their benefit, the administrators behind the divisive platform have arguably done their due diligence in ensuring its survival.

“Welcome to the semi-official 8chan emergency bunker”

Traditionally, 8chan has operated on the surface web (8chan.net), while also maintaining a mirror .onion site on the popular darknet, Tor. However, DarkOwl Vision has records of a third 8chan hub that has existed since at least early April. This version of 8chan – nearly identical to its counterparts – is hosted on ZeroNet, a slightly lesser known dark web that is similar to Tor.

While many recent reports in the press are indicating that 8chan scrambled for a new place to land, this is only somewhat true. ZeroNet is a lesser known darknet, yes, but painting 8chan moderators as shocked or unprepared for this type of event would be inaccurate. It appears they anticipated something of this nature happening for several months.

Self-described as an “emergency bunker,” the 8chan “zite” was all but inactive until this past weekend. Records from DarkOwl Vision indicate little to no user activity when it was first collected into Vision’s dataset, meaning this zite was put in place truly to serve as a back-up hub for 8chan. The administrators foresaw an end to the site on the mainstream internet.

The takeaway here is that 8chan administrators anticipated losing network stability and set up a version of their chan board on ZeroNet, a peer-to-peer decentralized anonymous network that very few people are – or were – familiar with. In the last 48 hours alone, the volume of users or “seeds” on the ZeroNet 8chan zite has skyrocketed with thousands of posts.

The popular boards “Politically Incorrect” (/pol/) and “Noob dig” (/QResearch/) include several posts about the recent El Paso shooter’s manifesto and activities. Further discussions cover attempts to censor “free speech” and the fact that taking down 8chan’s service will have little to no impact on gun violence in the US.

One user pointed out the manifesto was posted to the popular social media app Instagram prior to 8chan, spreading the conspiracy that this was all an effort to justify shutting down 8chan’s boards.

Some anonymous users have expressed concern over the security of ZeroNet, and the potential that this new platform could be a government honeypot collecting users’ IP addresses and VPN services, a similar tactic to that used by law enforcement in previous hidden service takedowns on Tor.

How 8chan scrambled to stay online and found its new home on the dark web

While the details of how 8chan lost its footing on the surface web and Tor are still emerging, we do know a few things for sure. 8chan used Cloudflare’s services to protect it from DDoS attacks, until this past weekend, when Cloudflare chose to terminate its security services for 8chan’s servers, calling the site a “cesspool of hate.”

On Sunday, 8chan creator Fredrick Brennan, who no longer runs the forum, called for 8chan to be shut down.

What comes next is less clear. It is confirmed that after losing Cloudflare, 8chan shifted to BitMitigate’s security protection services, which also provide DDoS protection to the white supremacist news outlet The Daily Stormer. Reports have widely indicated that BitMitigate also dropped 8chan of its own volition, though it is unclear if that is accurate. It appears that instead of deciding to drop the controversial forum, BitMitigate may have been blacklisted by its own service providers and “de-platformed” for hosting 8chan. This is supported by reports that at some point this weekend, all sites hosted on BitMitigate were offline.

Shortly after its security services were discontinued, 8chan suffered outages of both its 8chan.net surface website and its Tor hidden service due to large-scale DDoS attacks targeting the servers.

As of Tuesday afternoon, 8chan’s Tor hidden service had been restored and was back online.

Is the 8chan culture the culture of the dark web?

Decentralized internets or “darknets” (or “dark webs”) have long been infamously characterized as hubs for the darker side of society. Some of the most popular examples of this are the abundance of dark web marketplaces selling drugs, hitmen for hire, child pornography, human trafficking operations, etc. However, defenders of the merits of dark webs often present the right to free speech and unregulated communication as a vital function of society, with the dark web being a tool to achieve these ends.

That being said, it would be remiss to not acknowledge that “free-speech” forums seemingly come with a heavy load of potentially dangerous baggage. 8chan is not the only discussion board where hate speech and political ideology are proliferated. 4chan, Oniichan, and 2chan contain similar types of posts, and many dark web chat rooms and underground internet relay chats also support the congregation of radical nationalistic personas.

We will continue to monitor the dark web as the situation develops. For more information on the darknet and ZeroNet, contact us today.

Dream Market’s Reincarnation Announced – Saṃsāra

As Dream Market staff mentioned prior to their shutdown, a new market was on the horizon. On Friday, former official Dream moderator waterchain announced the opening of Saṃsāra, based on the source code of the infamous Dream Market. Saṃsāra is a term from eastern religious philosophy. Ironically, it refers to the eternal cycle of birth, suffering, death, and rebirth.

The official market announcement has been received with skepticism, with many questioning its legitimacy and pointing to a number of inconsistencies in the story behind the market’s return.


The new Saṃsāra market layout is strikingly similar to Dream, yet includes several new security elements. Admins refer to a new “anti-phishing feature” as the first of its kind that purports to completely defeat man-in-the-middle attacks, along with the option for a user to log in with their PGP key or two-factor authentication (2FA) for additional security. Once in the market, the source code is identical to the original Dream Market with the addition of a News and Community section that allows for interaction with Admins on market features. There is no mention of a traditional separate market forum like the one Dream supported.

Even with a new market theme, logos, and user interface on top of Dream Market source code, within hours of the announcement, many users uncovered bugs across the cryptomarket, including issues with saving public PGP keys, which forced users to employ 2FA for additional profile security.


The new market administrator dismissed community concerns over the lack of presence by SpeedSteppers, and further dismissed questions about why the new onion address, as advertised for weeks on Dream Market, is not listed as a valid mirror for Saṃsāra. He instead attempted to encourage people to “forget the past” and “move on,” insisting numerous times that he was a former official Dream moderator, as if to validate everything he said on the forum as legitimate.

  • Others quickly noticed that waterchain’s new PGP key was created in June with only 2096 bits instead of the more secure 4096-bit key of the former, legitimate waterchain. The moderator claims he lost his key in a corrupted Tails configuration. It does appear suspicious that he would choose to rebuild his key with less security, considering he is now essentially running a market instead of moderating it.

  • The market does not support Monero transactions, a cryptocurrency that is arguably more secure and less traceable than Bitcoin. There is a discussion, along with a member vote on integrating XMR, available through July 18th in the new Community section of the market.

  • All of the market mirrors use Tor’s legacy v2 hidden service domains instead of v3. Dream Market issued several v3 mirrors earlier this year when suffering from heavy DDoS attacks.

Even with these concerns, vendors are taking advantage of the limited offer of 0.025 BTC vendor bonds and over 400 market listings, consisting of mostly drugs, were online and ready for purchase within the market’s first day.

On a technical note, a few more inconsistencies appear. First, when requesting /server-status/ on the Saṃsāra URL, we find what looks like a status page for another dark web forum, Torum. Second, the HTTP headers also appear to leak IP addresses pointing at hosts in both the Netherlands and the United States.
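Added example (not DarkOwl’s code): an offline self-audit a hidden-service operator can run against a saved HTTP response, flagging the two leaks noted above, a world-readable Apache /server-status page (whose title names the virtual host and local address, which is how an unrelated forum ends up tied to the same machine) and response headers carrying a non-internal IP. The sample response, the hostname forum.example.invalid and the documentation addresses 203.0.113.7 and 198.51.100.21 are constructed for this example.

```python
"""Offline audit of one HTTP response from a service that should only be
reachable through Tor: does it give away the host?

Added example, not DarkOwl's code. SAMPLE_STATUS_RESPONSE is constructed;
203.0.113.7 and 198.51.100.21 are documentation addresses standing in for
the leaked hosts. A Tor-only service legitimately sees loopback and
back-end (RFC 1918) traffic, so any address outside INTERNAL_NETS is
treated as a candidate leak.
"""
import ipaddress
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Ranges a hidden service may legitimately show: the tor daemon on loopback,
# RFC 1918 back-end networks, link-local and the unspecified block.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8",
)]

# mod_status titles its page "Apache Server Status for <ServerName> (via <ip>)".
STATUS_TITLE_RE = re.compile(
    r"Apache Server Status for (?P<name>[^\s(<]+)(?: \(via (?P<via>[^)]+)\))?")


def parse_http_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lower-cased; repeated headers are joined with ', '.
    """
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status_code = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status_code, headers, body


def external_ips(text: str):
    """IPv4 addresses in text that fall outside INTERNAL_NETS, deduplicated."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an IP
            continue
        if not any(ip in net for net in INTERNAL_NETS) and str(ip) not in found:
            found.append(str(ip))
    return found


def audit_response(path: str, raw: str):
    """Return a list of findings for one requested path and its raw response."""
    status, headers, body = parse_http_response(raw)
    findings = []
    # 1. Exposed mod_status: the title names the vhost and the local address.
    if path.rstrip("/") == "/server-status" and status == 200:
        m = STATUS_TITLE_RE.search(body)
        if m:
            findings.append(
                f"/server-status is world-readable; ServerName is {m['name']}")
            if m["via"]:
                findings.append(f"/server-status reveals local address {m['via']}")
    # 2. Any header (Location, Via, X-Forwarded-For, ...) carrying an outside IP.
    for name, value in headers.items():
        for ip in external_ips(value):
            findings.append(f"header {name} exposes {ip}")
    return findings


# Apache 2.4 fix: keep the status page for local diagnostics only.
APACHE_HARDENING = """\
<Location "/server-status">
    SetHandler server-status
    Require local
</Location>
"""

# Constructed response, modelled on what a misconfigured shared host returns.
SAMPLE_STATUS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Via: 1.1 198.51.100.21\r\n"
    "Content-Type: text/html; charset=ISO-8859-1\r\n"
    "\r\n"
    "<html><head><title>Apache Status</title></head><body>"
    "<h1>Apache Server Status for forum.example.invalid (via 203.0.113.7)</h1>"
    "<dl><dt>Server Version: Apache/2.4.x (Unix)</dt></dl></body></html>"
)

if __name__ == "__main__":
    for finding in audit_response("/server-status", SAMPLE_STATUS_RESPONSE):
        print("LEAK:", finding)
    print("fix:\n" + APACHE_HARDENING)
```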


In recent days, user waterchain has been banned on Dread forum for rule violations.

Only time will tell how long this market will be reliably online before the DDoS attacks against Saṃsāra begin.  Remember to check back here for updates as more information emerges.

Babel Street Renews Agreement with DarkOwl

WASHINGTON, May 14, 2019 /PRNewswire/ — Babel Street, the world’s data-to-knowledge platform, today announced it has renewed its partnership with DarkOwl, the Denver-based information security company that specializes in darknet information technology, through the end of 2020.

DarkOwl’s darknet database encompasses a vast amount of content from the deep and dark web and is updated in near real-time. As 96 percent of all web-based content lives within the deep web and darknet, DarkOwl offers crucial insight into what is typically considered to be an elusive space. Babel Street initially added DarkOwl as a data source in May 2018.

“From the start, to truly offer our clients the depth of knowledge available online, we knew we had to integrate dark web data into our offerings,” said Jeff Chapman, CEO of Babel Street. “DarkOwl has been a trusted data partner of ours and we look forward to continuing our relationship for many years to come.”

Babel Street customers are using its unique cross-lingual search, indexing and data visualization capabilities to access and understand DarkOwl data to support a range of missions:

  • Breach detection

  • Cyber attribution

  • Illicit marketplace identification

The continued DarkOwl partnership gives customers insight into this difficult, but increasingly important, segment of the information environment.

“Babel Street is a pioneer in text analytics and cross-lingual search, and by renewing our partnership, DarkOwl’s darknet data will continue to increase situational cyber awareness for public and private sectors globally,” said Mark Turnage, CEO of DarkOwl.

To learn more about Babel Street and its data partners, please visit www.babelstreet.com or https://www.linkedin.com/company/babel-street/.

About Babel Street
Babel Street is the world’s data-to-knowledge platform. The technology enables clients to identify, organize and analyze data, regardless of its location or language. Babel Street products streamline the process of turning data into knowledge by automatically converting client selected data from over 200 languages to their native language. All publicly available or private data sources can be rapidly deciphered by Babel Street software and utilized to maximize the effectiveness of clients’ decision-making processes. With the aid of Babel Street tools, analysts are able to easily filter this information to be used in an endless number of ways; everything from deriving large consumer and social trends to identifying threats to a public location or a singular person’s life. The company provides organizations with the ability to activate relevant data and act on it faster than ever before. Babel Street is privately held and is headquartered in Washington, D.C., with offices in London, Canberra and San Francisco. For more information, visit www.babelstreet.com.

About DarkOwl
We are darknet experts. DarkOwl was founded in 2016, and we are the world’s leading provider of DARKINT™, darknet intelligence, and offer the largest commercially available database of darknet content. DarkOwl enables cybersecurity organizations, law enforcement and government organizations to fully understand their security posture, detect potential breaches and violations of the law, and mitigate them quickly. We offer a variety of options to access our data; please visit us at www.darkowl.com.

 

Insider Report: Darknet reacts to Dream Market announcement


Dream Market — one of the largest and most active remaining darknet marketplaces — has announced that it is officially shuttering its doors in its current location. The notification, which can be found on every page in the marketplace, indicates it will be transferring its services to a new URL and partner company at the end of April.

This news announcement comes just weeks after Dream Market has been weathering heavy DDoS attacks, leaving many of its domains unserviceable for intermittent periods.


Notification on Dream Market about migrating services to a new URL at the end of April 2019.

Dream Market has been around since 2013, making it one of the darknet’s longest lasting marketplaces and a leading go-to in the community for illicit sales. The news about the migration has been a topic of many discussions on the darknet, including on Dread, a darknet forum dedicated to security and harm reduction for darknet marketplace purchases.

User “waterchain”, a moderator for Dread’s Dream Market sub forum and alleged member of Dream Market’s team, posted a statement regarding the migration. The statement claims that it was prompted by DDoS attacks “on the Tor browser side” and an alleged extortion attempt.  


“Official” statement by an alleged Dream Market team member on the darknet forum Dread. (Image via DarkOwl Vision)

Vendors and buyers alike feel displaced after this announcement as they try to figure out their exit plans. Earlier this week, the Drug Enforcement Agency (DEA) published a press release about shutting down 50 darknet accounts that were used for illicit activities under operation SaboTor (Sabotage Tor).

This, and the timing of Dream Market’s closure, has led some darknet market consumers to believe that Dream Market has been compromised by law enforcement.


Dread user expressing concern regarding the timing of Dream Market’s closure and Operation SaboTor. (Image via DarkOwl Vision)

Some members are hopeful that Dream Market is simply experiencing technical difficulties and still plan to use their new market once it’s back online, while other vendors have already transitioned to other markets.


Dream Market vendor UPactive advertises listings on two other popular markets. (Image via DarkOwl Vision)

Some newer, less active markets have tried to capitalize on this opportunity by offering incentives for vendors to transition to their marketplace. One such market is Cryptonia Market, which has offered incentives for former Dream Market vendors to switch over to their marketplace.


A post from Cryptonia Market, offering fee waivers and other incentives to verified Dream Market vendors. (Image via DarkOwl Vision)

While moderators of Dread’s Dream Market sub forum have tried to assure the public that the market was not compromised, there hasn’t been an announcement signed with Dream Market’s official PGP key. This, and the fact that the official Dream Market forum is offline, leaves some users skeptical.

Update:

On the forum DNM Avengers, user rockemsockem45 pointed out that the date format used in the shutdown message is different from that of previous messages by admins and staff, further adding to the suspicion that the market has been compromised.


DNM Avengers user rockemsockem45 posts about the inconsistency of the date format used in the shutdown message.

Also, starting earlier this week, multiple vendors have claimed that Dream Market’s support staff are attempting to scam vendors. According to Dread user Terrysukstock, the scam starts by disabling the vendor’s ability to withdraw funds from their account. The vendor is notified via support ticket that fund withdrawal will be restored after the vendor verifies their identity by supplying their password and most recently used bitcoin address.

If the vendor supplies the password, Dream’s support staff changes the password and removes their PGP key, making the vendor’s account inaccessible. Terrysukstock, a vendor with over 34,000 reviews and an average rating of 4.8/5 on Dream Market, claims he followed these instructions and lost over 5 bitcoin.


Vendor Terrysukstock posts about falling victim to Dream Market’s support staff scam. (Image via DarkOwl Vision)

Several vendors have corroborated Terrysukstock’s experience. Vendor GreentreeCA posted his support ticket to Dread to provide evidence of the scam.


The support ticket that Vendor GreentreeCA received, providing evidence of the scam.

Meanwhile, Dread’s Dream Market subforum moderator Waterchain has announced retirement due to “corrupted” moderators that have allegedly locked him out of his account.


Retirement message by former Dream Market moderator Waterchain. (Image via DarkOwl Vision)

No official message has been forthcoming from Dream Market’s team regarding the scam allegations.

Note: This story is developing. DarkOwl will continue to monitor developments and post updates here, so remember to check back!

Curious about something you’ve read on our blog? Want to learn more? Please reach out. We’re more than happy to have a conversation.

All Signs Point to a Law Enforcement Takedown of KickAss Forum

On January 9, the KickAss Forum went offline. On Twitter, user @bitsdigit initially reported that the site was seized by law enforcement, but then said the seizure was not a legitimate notice (remarking that “something is very fishy”) and warned others to stay clear. Though the URL in the initial @bitsdigit reporting corresponds to an older KickAss hidden service URL, DarkOwl confirmed the two most recent v3 onion KickAss URLs are indeed down, but do not display the Seized Hidden Service banner.

On January 7, KickAss moderators started the thread “KICKASS TOR VERSION 3 URLS”, announcing the deactivation of the old v2 hidden service addresses and that new v3 URLs would be circulating “for security reasons” – perhaps due to recent publicity relating to forum member TheDarkOverlord. Shortly after, the login page for KickAss changed to PRIVATE, with instructions for members to message a Jabber address using Off-The-Record (OTR) messaging for continued access.

Screenshots from DarkOwl Vision from January 2019, listing new KickAss URLs.

Screenshot from DarkOwl Vision from January 2019, with Jabber contact.

However, according to historical records of the forum in DarkOwl Vision, the [email protected] Jabber account from a few days ago does not match Jabber accounts KickAss moderators have ever mentioned. Additionally, an announcement thread from November 2018, captured by DarkOwl Vision, stated that KickAss staff only uses OMEMO for end-to-end encryption, as OTR is not “save” [sic] anymore.

Screenshot from DarkOwl Vision from November 2018, mentioning that Kickass staff only use OMEMO, not OTR.

Given the abrupt private state of the forum days before it disappeared and the use of OTR instead of OMEMO, it seems likely law enforcement has seized the KickAss forum, and that the Jabber account with OTR was a phishing attempt to garner information about its active members. In the past, law enforcement has taken over hidden services and impersonated their moderators in an attempt to get information about the sites’ members. Dutch police studied the logs of the real admins of Hansa for weeks and even operated the illegal marketplace, throwing the darknet community into chaos in 2017.

One thing that is consistent on the darknet is that hidden services come and go. On Thursday, members of Torum, another popular Tor-based cybersecurity forum, discussed the disappearance of KickAss and the importance of making the most of what’s online while it’s online.

Screenshot of Torum discussion about the KickAss forum disappearance.

DarkOwl will continue to follow this story and report updates as they are available.

Hitachi Systems Security and DarkOwl Announce Partnership to Enhance Security Services with Darknet Intelligence

Montreal, Canada and Denver, Colorado, USA – January 9, 2019 — Hitachi Systems Security Inc., a global IT security service provider specializing in 24/7 managed security services and strategic security consulting, today announced its partnership with DarkOwl LLC, a Denver-based cybersecurity company specializing in darknet intelligence information.

The objective of this partnership is to leverage darknet intelligence to augment Hitachi Systems Security’s managed security service offering to empower organizations to continually improve their cybersecurity defenses against threats, breaches and intrusions.

DarkOwl provides the world’s largest commercially-available database of DARKINT™ (darknet, deep web and high-risk surface websites) content and the tools and services to efficiently find leaked or otherwise compromised sensitive data on the darknet. This can include secure credentials, personal information, intellectual property, stolen credit cards or counterfeit documents. By shortening the timeframe to detection of compromised data on the darknet, organizations can swiftly detect security gaps and mitigate damage prior to misuse of their data.

Hitachi Systems Security will be leveraging the DarkOwl Vision platform to embed darknet intelligence capabilities into its proprietary ArkAngel platform. Together, ArkAngel and DarkOwl Vision will correlate external threats from the darknet with current activities in the customer environment to identify potential indicators of compromise and facilitate proactive threat hunting.

By embedding darknet intelligence into its managed security service offering, Hitachi Systems Security will be able to gather critical and timely intelligence from darknet sites, such as Tor, I2P, IRC, ZeroNet, insecure FTP sites and Pastebin, as well as from authenticated forums. The new darknet intelligence capability will be available for integration to all managed security service customers across all sizes, geographies and verticals.

Fadi Albatal, Chief Strategy Officer at Hitachi Systems Security, said that “in this day and age, data has become a true commodity that is sold on the black market for criminal purposes. Darknet intelligence has emerged as a critical factor for effective and thoroughly-executed security services. We are happy to team up with DarkOwl to gain timely and meaningful intelligence that is targeted to our customers to help our global customer base strengthen their cybersecurity defenses.”

Mark Turnage, Chief Executive Officer at DarkOwl, added that “DarkOwl is very pleased to partner with Hitachi Systems Security in this effort. With the steady growth of threats to organizations and companies emanating from the darknet, monitoring the darknet and converting this intelligence to actionable information is critical for any cybersecurity policy.”

As part of their darknet intelligence partnership, both organizations are also planning to collaborate on a series of global darknet intelligence reports for Canada, Japan and the Caribbean. Details will be communicated shortly.

About Hitachi Systems Security – Founded in 1999, Hitachi Systems Security Inc. is a global IT security service provider that builds and delivers customized services for monitoring and protecting the most critical and sensitive IT assets in our clients’ infrastructures 24/7. Hitachi Systems Security was founded with one simple mission in mind – to make the internet a safer place for all. Now, our team of security experts helps our customers in over 50 countries to secure their critical data and strengthen their cybersecurity posture against security breaches, data leaks and intrusions. We are passionate about delivering converged cybersecurity services to address the security challenges of today and tomorrow and propel your business to the next level, all while securing your IT, OT and IoT environments.

For more information, please consult: www.hitachi-systems-security.com


Daniel of the Darknet goes Dark

This Week, 6,500 Hidden Services were Ousted from the Darknet

The name Daniel Winzen may not mean much to the ordinary internet user, but on the darknet @daniel is the legendary nickname for the individual known for offering free anonymous web hosting, chat, e-mail, and XMPP/Jabber services on Tor for the last 5 years and perhaps longer. He started out humbly – installing a small number of Tor-based hidden services, or websites, on a Raspberry Pi 2 – but over the years expanded his presence to hosting upwards of 7,000 hidden services per month for darknet users across Tor and I2P. That is, until last week.

Shortly after 10:00pm UTC on the 15th of November 2018, Daniel Winzen’s server was breached, its databases accessed, and accounts deleted, including the root (administrator) account, rendering his services unusable. In less than three hours, the intruders deleted the SQL databases for his chat, onion-link list, and hit counter. The hackers initially accessed the main phpMyAdmin and adminer panels using the correct hosting management password, suggesting the password may have been harvested via a phishing attempt or that the server was accessed by someone with access to Daniel’s credentials. Daniel’s GitHub account also experienced a failed login for his popular software repository on November 9th, which has not yet been determined to be related.

Daniel’s updates on his portal indicate that this hack was a “database only” breach.

Daniel Winzen’s services link many other hidden services on Tor and i2p


“Other than the root account, no accounts unrelated to the hosting were touched and unrelated files in /home/ weren’t touched either. As of now there is no indication of further system access and I would classify this as a “database only” breach, with no direct access to the system. From the logs it is evident that both, adminer and phpmyadmin have been used to run queries on the database.”

According to updates posted to his surface net and darknet portal, Winzen is thoroughly investigating all potential vulnerabilities in his server before restoring services. He has also listed concern over a 0-day exploit, released exactly one day before the attack, in the imap_open() function of PHP that he has since patched.
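The breach described above went through ordinary admin panels with a valid password, which is exactly the kind of access that only web server logs can surface. As an added example (not code from DarkOwl or from Daniel’s hosting service), the following flags POSTs to phpMyAdmin or adminer from addresses outside an operator-defined allowlist. The log lines, the allowlist and the panel paths are constructed assumptions for illustration, not data from the incident.

```javascript
// Added example, not code from DarkOwl or from Daniel Winzen's hosting service.
// Flags logins to database admin panels (phpMyAdmin, adminer) from addresses
// that are not on an operator-defined allowlist.

// Constructed Apache-style access log lines (sample data, not from the incident).
const SAMPLE_ACCESS_LOG = [
  '10.0.0.5 - - [01/Jan/2019:08:12:10 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5123',
  '10.0.0.5 - - [01/Jan/2019:08:12:31 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 302 0',
  '203.0.113.9 - - [01/Jan/2019:22:03:44 +0000] "POST /adminer.php HTTP/1.1" 302 0',
  '203.0.113.9 - - [01/Jan/2019:22:04:02 +0000] "POST /adminer.php?username=root HTTP/1.1" 200 9100',
  '198.51.100.4 - - [01/Jan/2019:22:10:00 +0000] "GET /index.php HTTP/1.1" 200 812',
  'garbage line that does not parse',
];

// Assumed panel paths; adjust to wherever your deployment actually mounts them.
const ADMIN_PANEL_PATHS = [/^\/phpmyadmin(\/|$)/i, /^\/adminer(\.php)?(\?|\/|$)/i];

// Parse one combined-log-format line into fields; returns null for unparseable lines.
function parseAccessLogLine(line) {
  const m = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

function isAdminPanelPath(path) {
  return ADMIN_PANEL_PATHS.some(re => re.test(path));
}

// Return every POST (login or query submission) to an admin panel from an IP that
// is not allowlisted. Both panels usually redirect (302) after a successful login,
// so a 302 on a POST is marked as a likely login rather than a failed attempt.
function flagAdminPanelAccess(lines, allowlist) {
  const allowed = new Set(allowlist);
  const findings = [];
  for (const line of lines) {
    const rec = parseAccessLogLine(line);
    if (!rec || !isAdminPanelPath(rec.path) || rec.method !== "POST") continue;
    if (allowed.has(rec.ip)) continue;
    findings.push({ ...rec, likelyLogin: rec.status === 302 });
  }
  return findings;
}

// Summarise findings per source address, the shape an alert would carry.
function summariseByIp(findings) {
  const byIp = {};
  for (const f of findings) byIp[f.ip] = (byIp[f.ip] || 0) + 1;
  return byIp;
}

console.log(summariseByIp(flagAdminPanelAccess(SAMPLE_ACCESS_LOG, ["10.0.0.5"])));
```

On the constructed sample the two POSTs from 203.0.113.9 are flagged and the allowlisted administrator’s own login is not. The allowlist approach is deliberately simple: a stolen or phished password looks identical to a legitimate one at the panel, so source address and time of day are the signals left to a defender.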

Russian Security Forum discusses exploiting imap_open() function

30% of Online Domains Disappeared Overnight

Over 30% of the operational and active hidden services across Tor and I2P disappeared with the hack of Daniel’s Hosting Services, and over 6 million documents archived in DarkOwl Vision are no longer available on the darknet.

DarkOwl quantified the impact to the size of the darknet, specifically Tor, using its internal “Map the Dark” reporting, which includes statistics from darknet websites indexed over the previous 24-hour period. Our data substantiates the hosting provider’s offline status, with a delta of 4,887 domains going offline between the 15th and 16th of November. DarkOwl has indexed the archives of 5,300 domains from early November and has assessed them to be services that were formerly hosted on Daniel’s server.

Daniel’s previous onion-link list advertised that he hosted over 1,500 private hidden services whose domain URLs are unknown at this time. DarkOwl’s estimated total number of domains hosted by Daniel is consistent with the 6,500 offline domains quoted by Daniel on his server portal.

  • 657 of the hidden services carry only the title “Site Hosted by Daniel’s Hosting Service” and contain no meaningful content worth mentioning. These domains could have been used for something other than serving web content.

  • Over 4,900 of the hacked domains are in English and 54 are Russian-language hidden services. Two of the oldest hidden services are interestingly in the Portuguese language.

  • 457 of the hidden services contain content related to hacking and/or malware development, while 136 include drug-specific keywords.

  • 304 of the hidden services have been classified as forums and 148 of them are chatrooms.

  • 109 of the hidden services contain counterfeit-related content, while 54 specifically mention carding-specific information.

  • Over 20 of the hidden services contain weapons- and explosives-related keywords.

Daniel’s hosting service, chatroom and onion-link list have served as a pillar of the darknet community for years. For example, his onion-link list is referenced by nearly 500 other hidden services, making it the second most commonly referenced directory listing (behind Fresh Onions) and a foundational starting point for new users navigating Tor.

Given that his services were provided free of charge and generally reliable against attack, there are mixed theories as to who could have wanted to destroy this mainstay of the anonymous online community.

Are Russian Hackers Responsible?

In recent weeks, Russian hackers on a website called www.antichat.com outlined the technical details of exploiting PHP’s imap_open() function to extract password hashes for privileged accounts, as an alternative to brute-force mining. Then, on Thursday (the same day as the attack), antichat.com forum staff member “Big Bear” posted a MEGA.nz link to a PDF titled “[RCE] 0-day в imap/c-client на примере PHP” (in English: [RCE] 0-day in imap/c-client using the example of PHP) detailing the imap_open exploit. The same post identifies the authors by the nicknames crlf and Twost, the latter of whom is also known as “Aleksandr.”

DarkOwl Vision shows darknet mentions of the alias Twost dating back to 2016. (d17f1c43136b7d764b525ddd52442458)

The Anti Child-Exploitation Community

Daniel’s darknet notoriety increased in 2016 when he ported Lucky Eddy’s Perl CGI LE-Chat script to PHP with a MySQL or PostgreSQL backend, optimizing the environment for Tor and decreasing the darknet community’s reliance on JavaScript, thus allowing image sharing inside a chat platform (which is not available via XMPP and IRC) without potentially compromising posters’ identities. As a result, Daniel’s LE-Chat code became a popular platform for the darknet pedophilia community, and the home for many well-known Child Pornography sharing chatrooms such as Tabooless, Camp Fire, and Child Priori.

Individual “pedo-hunters” and anti-pedophilia groups have called for hacking Daniel’s services using large-scale distributed denial of service (DDoS) campaigns, specifically because it was rumored that the principal administrator and some key staff members were active in pedophilia-specific chats.

Anonymous post suggesting the hack was motivated by an anti-pedo agenda

A Potential Law Enforcement Operation

Daniel’s Chat quietly resurfaced this past Saturday with a clean install and a backup from early 2017, accompanied by a flurry of confusion over the assignments of administrator, moderators, and members. Without the comforting presence of the “regular” member database and credentials, users had no way to verify that anyone was who they said they were. Many legitimately feared that popular nicknames of members and staff had been spoofed by trolls trying to capture access to the members-only chat. One user on the darknet social media site Galaxy3 stated that @daniel re-installed the chat and that it “sounded like him,” although with a caveat that everyone should be cautious.

At the same time, others theorized the extreme possibility that @daniel had actually been arrested and the take-down was led by international law enforcement or the German police. Daniel’s hidden services experienced extreme DDoS in the weeks preceding the hack, similar to other law enforcement-led darknet seizure operations.

Galaxy3 Post by user ChatTor (http://galaxy3m2mn5iqtn[.]onion)

Anti-Syntax Club or an Inside Job

For over a year, the nickname Syntax has been referenced with either extreme love or extreme hate. Hundreds of trolls have posted across forums and paste sites about how this purported 17-year-old female is responsible for taking down a number of pedophilia chatrooms and community leaders in recent years. Since early this fall, there has been an increase in the number of anti-Syntax trolls repeatedly calling for attacks against Daniel’s services, and more specifically against Syntax and her ally ChatTor, since she was promoted to Super Moderator of Daniel’s popular and drama-filled chatroom during the summer and accused of abusing the position.

Other members have suggested the remote possibility the attack on Daniel’s was led by Syntax and ChatTor so that they could take administrative control of the chatroom, although a recent image capture from ChatTor states that it was simply about being at the right place at the right time.

Capture of Le-Chat conversation debating the validity of staff with Daniel's services (http://mat32scrdvrn5o4m.onion/neo/uploads/181119/MATRIX_115636_YsP_ChatTorConfession[.]png)

New Princess Ransomware Surfaced Earlier than Reports Suggest

News broke out mid-August that Princess Evolution, a revamped form of the infamous Princess Locker ransomware that was first seen several years ago, is back with a fresh toolkit (see this article for example).

News coverage at the time suggested that the Princess Evolution ransomware had only recently surfaced. However, after further digging into the “newly uncovered” iteration of the ransomware, DarkOwl analysts discovered that Princess Evolution has actually been offered on darknet marketplaces dating as far back as this past April.  

What is the Princess Ransomware? 

Princess Evolution is a form of ransomware that encrypts most files on the infiltrated computer system and holds them hostage until the targeted user pays enough money to regain access to them. During the encryption process, the ransomware changes affected file extensions to a randomly generated string of characters.

The targeted party is notified via a ransom note telling them that their files are locked, followed by instructions on where and how to pay the ransom. As of August 8 2018, users were instructed to pay 0.12 bitcoin (equivalent to US$773 as of that date). The malicious software is currently being advertised on the 0day forum as RaaS (ransomware as a service) and is soliciting associates to help spread the malware to unsuspecting victims.

Screen capture of a DarkOwl Vision result – scraped in April of this Year – that depicts the ransomware Princess Evolution being sold on a darknet marketplace.

A similar posting on 0day forum; responses haven’t slowed down since the original post earlier this year.

Interested members are instructed to leave their Jabber ID as a thread comment or to send it in a private message to the 0day account “PR1NCESS.” Our analysts calculate that there have been over one hundred comments from individuals interested in joining the campaign since the original post scraped by DarkOwl Vision in April.

Images: (Above, Right) Profiles of PR1NCESS on Codex and Kickass forums.

What is 0day?

0day is a popular darknet carding and hacking forum first established in 2015. Users are required to register an account before accessing any content on the forum. Additionally, once registered, user accounts must go through an activation process to receive full access to the forum.

The forum’s main purpose is to act as a marketplace for buyers and sellers of illicit goods, such as stolen credit cards, hacked accounts for legitimate websites, malware and exploits, as well as other services. Some prolific sellers also advertise their own websites in the message boards.

The below image shows just a sample of the items offered for sale on 0day, as captured in DarkOwl Vision.

Example of items being sold on the 0day forum.

So, what should you do if you find yourself infected with the Princess Evolution ransomware? We recommend that you refer to this article, which has a great step-by-step guide for regaining control of your computer and your files: https://www.pcrisk.com/removal-guides/10531-princess-ransomware. And, as always, organizations should continue to be proactive against ransomware threats by adhering to security best practices and actively educating all of their employees on their internal security plan.

Not so Anonymous: Critical Vulnerabilities in Darknet Tools Could Expose Its Users

In recent weeks, analysts at DarkOwl have witnessed a number of vulnerability issues in key utilities used for dark web (i.e. deep web and darknet anonymous network) intelligence collection and analysis. Last week, analysts found that the official Chrome extension for MEGA.nz’s file sharing service was harvesting sensitive user data, while the Tor Project’s latest browser release, based on Firefox Quantum, was deployed with default settings that could potentially compromise users’ identities.

On which side is the Tor Project?

The Tor Project is a non-profit organization that prides itself on providing users free software and an open network for securely browsing the Internet. Tor Browser, developed collaboratively with Mozilla, allows users on any operating system (OS) to freely visit clearnet, deep web, and darknet anonymous websites, or sites that might be blocked in countries with Internet censorship. With little or no configuration and no detailed understanding of networking protocols, Tor Browser prevents somebody watching your Internet connection from learning what sites you visit, and prevents the sites you visit from discerning your physical location through identifying information such as IP and/or MAC addresses.

Digital Fingerprints

One historical security feature of Tor Browser has been user agent obfuscation. Every browser sends its user agent (UA) to every website it visits. The UA is a string of text that identifies the browser and the operating system to the web server, or host of the website visited. There are millions of different UA combinations given how they change with both software and hardware. The web server uses this information for a variety of purposes. In the Surface Web, website creators use the UA to help optimally display the website to different browsers for the “best possible browsing experience.” Knowing the UA also assists when a web server hosts both desktop and mobile versions of a site, e.g. serving up content adjusted for the screen size of the device.

Example User Agents

For more example user agents check out this site.

The default Tor Browser user agent has historically combined Mozilla and Windows OS identifiers in the following string: Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0. The revision “rv:52.0” and “/52.0” strings correlate to the version of Tor Browser installed; 52.0 corresponded to Tor Browser 7.0a4. In the recent 5 September release of Tor Browser 8.0/8.5a1, the user’s actual OS is exposed in the UA.

Exposing this information presents risk to Tor users. Darknet web servers could maliciously use this information to identify anonymous users or link users based on speech and UA across multiple forums and chatrooms. While including the user’s OS in the UA does not reveal one’s physical location, in a world where anonymity is irreplaceable, this issue could prove disastrous. 

In order to update or change the UA in Tor Browser, the following steps are required:

  1. Enter about:config in the URL bar and accept the risks

  2. Search for: general.useragent.override, right click on the user agent, and select Reset.

If you want to replace the UA with another unique or custom text string, right click on the user agent and choose “Modify.” The pop-up that displays is editable. Enter whatever string you wish, then click OK.

Figure 1 Tor Browser about:config useragent override popup
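To make the risk in the paragraphs above concrete, here is an added example (not code from the DarkOwl post or from the Tor Project) that parses a Firefox-style User-Agent header the way a web server would and then measures, for a constructed set of visitors, how many others each visitor hides among. The only string taken from the text is the uniform Tor Browser 7.x UA; the Linux and macOS strings and the visitor sample are assumptions for illustration.

```javascript
// Added example, not from the DarkOwl post or the Tor Project. Parses a
// Firefox-family User-Agent header as a web server would, and measures how many
// other visitors each visitor is indistinguishable from by UA alone.

// The uniform UA quoted in the text for Tor Browser 7.x.
const TOR_7X_DEFAULT_UA = "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0";

// Constructed visitor sample (assumed strings, not captured traffic): three users
// on the uniform string and two whose browser reports their real platform.
const SAMPLE_VISITOR_UAS = [
  TOR_7X_DEFAULT_UA,
  TOR_7X_DEFAULT_UA,
  TOR_7X_DEFAULT_UA,
  "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0",
];

// Extract browser version and OS from a Firefox-style UA of the form
//   Mozilla/5.0 (<platform tokens>) Gecko/<build> Firefox/<version>
function parseUserAgent(ua) {
  const m = /^Mozilla\/5\.0 \(([^)]*)\) Gecko\/[\d.]+ Firefox\/(\d+(?:\.\d+)*)$/.exec(ua);
  if (!m) return { browser: "unknown", version: null, os: "unknown", tokens: [] };
  const tokens = m[1].split(";").map(t => t.trim());
  let os = "unknown";
  if (tokens.some(t => /^Windows NT/.test(t))) os = "Windows";
  else if (tokens.some(t => /^Macintosh$/.test(t))) os = "macOS";
  else if (tokens.some(t => /^Android/.test(t))) os = "Android";
  else if (tokens.some(t => /^Linux/.test(t))) os = "Linux";
  return { browser: "Firefox", version: m[2], os, tokens };
}

// Group visitors by exact UA string. A visitor's anonymity set is the number of
// visitors sharing that string; a set of size 1 is singled out by the UA alone.
function anonymitySets(uaList) {
  const counts = new Map();
  for (const ua of uaList) counts.set(ua, (counts.get(ua) || 0) + 1);
  return uaList.map(ua => ({ ua, os: parseUserAgent(ua).os, setSize: counts.get(ua) }));
}

// How many visitors stand alone in their set (what a UA-only observer can isolate).
function countSingledOut(uaList) {
  return anonymitySets(uaList).filter(v => v.setSize === 1).length;
}

console.log(anonymitySets(SAMPLE_VISITOR_UAS));
console.log("visitors singled out by UA:", countSingledOut(SAMPLE_VISITOR_UAS));
```

The three visitors on the uniform string share an anonymity set of three, while each visitor whose UA carries a real platform is alone in a set of one. That is the whole point of the historical override: a server sees the OS field regardless, so the defence is for everyone to report the same value.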

Tor users who want to delay their upgrade to 8.0/8.5a1 might want to reconsider, as Zerodium released details yesterday on Twitter of a NoScript “bug” discovered in all Tor Browser 7.x versions that exposes the user to code embedded in a hidden service regardless of whether or not NoScript was “actively blocking all scripts.” (Source)

Figure 2 Zerodium Tweet posted on 10 September 2018 (Source)

JavaScript = Yes? Or No?

Another issue DarkOwl analysts found with the latest Tor Browser release is the default configuration for JavaScript. Tor users are divided over whether to browse with JavaScript enabled. As Tor becomes more inclusive of media and dynamic content, more and more Tor websites include embedded JavaScript code. If JavaScript is disabled, websites may appear broken, miss content, prevent authentication, and frustrate the most patient of Tor users. However, the community should also recognize that JavaScript is a vulnerable vector leveraged by blackhat attackers. In 2014, law enforcement used injected JavaScript code to infect everyone who visited any Tor server hosted by “Freedom Networking” with malware that exposed their real IP address. (Source)

In Paolo Mioni’s article entitled “Anatomy of a malicious script: how a website can take over your browser,” the author dissected what seemed like an innocuous embedded piece of JavaScript to show how the elementary script was configured to redirect the user to a specific URL and could be simply adapted to inject other malicious scripts such as keyloggers and cryptominers. (Source)

Coinhive, tagged as one of the largest threats to web users in the spring of 2018, is an online service that provides a cryptocurrency-mining script, widely treated as malware, that can be installed on websites via embedded JavaScript. The JavaScript miner runs in the browser of the website’s visitors and mines coins on the Monero blockchain. Unfortunately, the Coinhive code has been exploited by hackers as malware to hijack end customers’ personal data and processor resources. This summer, independent security researcher Scott Helme identified more than 4,000 websites, including many belonging to the UK government, infected with Coinhive malware.

Figure 3 Darknet Forum where Coinhive Exploit use is Discussed (633c61aaa0289fa0572b15b163f11b04)
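The site owners Scott Helme identified did not know their pages carried a miner, so the practical question is how to detect one. As an added example (not code from DarkOwl or from any of the projects named above), the following scans an HTML document for an embedded Coinhive-style miner, the check a site owner or crawler would run. Only the Coinhive library host and constructor name are real, publicly documented identifiers; the sample page and its site key are constructed placeholders.

```javascript
// Added example, not from the DarkOwl post. Scans an HTML document for an
// embedded browser-mining script of the Coinhive kind, as a site owner or
// crawler would do to detect an injected miner.

// Constructed page: an ordinary page with an injected miner. The site key is a
// placeholder, not a real key.
const SAMPLE_HTML = `
<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<p>Welcome</p>
<script>
  var miner = new CoinHive.Anonymous('PLACEHOLDER_SITE_KEY', {throttle: 0.3});
  miner.start();
</script>
</body></html>`;

// Script hosts and the inline constructor associated with Coinhive's public
// library. Extend the host list from your own threat intel for other miners.
const MINER_SCRIPT_HOSTS = ["coinhive.com"];
const MINER_CTOR_PATTERN = /\bCoinHive\.(Anonymous|User|Token)\s*\(/;

// Pull out external script URLs and inline script bodies with a tolerant regex
// (no DOM parser needed, so this runs in Node as well as in a browser).
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push(src ? { kind: "external", src: src[1] } : { kind: "inline", body: m[2] });
  }
  return scripts;
}

// Hostname of a script URL; relative URLs resolve against a placeholder origin.
function hostOf(url) {
  try { return new URL(url, "https://placeholder.invalid/").hostname.toLowerCase(); }
  catch (e) { return ""; }
}

// One finding per suspicious script, carrying the evidence that triggered it.
// Inline scripts must contain the miner constructor; a bare .start() call is far
// too generic to flag on its own.
function findMinerScripts(html) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.kind === "external") {
      const host = hostOf(s.src);
      if (MINER_SCRIPT_HOSTS.some(h => host === h || host.endsWith("." + h)))
        findings.push({ kind: "external", evidence: s.src });
    } else {
      const ctor = MINER_CTOR_PATTERN.exec(s.body);
      if (ctor) findings.push({ kind: "inline", evidence: ctor[0].trim() });
    }
  }
  return findings;
}

console.log(findMinerScripts(SAMPLE_HTML));
```

On the constructed page this returns two findings: the external library load and the inline constructor call. Checking both matters because an injected miner is sometimes inlined or served from a look-alike host, in which case only the constructor pattern fires; a Content-Security-Policy `script-src` allowlist is the complementary control that stops an injected script from loading at all.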

Not MEGA.nz too…

MEGA.nz is a controversial but free cloud storage service, similar to Dropbox, that is a popular resource for blackhat and whitehat hackers. Over the last few years, data from many of the major commercial data breaches has been reliably posted to the MEGA.nz storage site and links shared across darknet forums. Despite previous concerns regarding the security of using the website, it proved a fruitful resource for personally identifiable information (PII) and credential data collection. Last week, DarkOwl analysts discovered that a compromised version of the official Google Chrome extension for MEGA.nz, version 3.39.4, was published with malicious code to harvest user credentials and private keys for cryptocurrency accounts. ZDNet broke the news of the hacked extension, indicating that for the four hours after it was uploaded to Google’s Chrome Web Store, the extension sent users’ stolen data to a server located at megaopac[.]host, hosted in Ukraine. (Source)

Unsurprisingly, MEGA.nz has expressed significant dissatisfaction with Google over this security breach blaming Google’s recent policy to disallow publisher signatures on Chrome extensions. An updated version of the extension, v3.39.5 is now available on the Chrome Web Store.

While the Firefox version of the MEGA plugin was not compromised, Mozilla recently removed 23 Firefox Add-ons that illegally tracked users’ browser data. In August, Mozilla released a list of compromised add-ons which included one called “Web Security,” a security-centric Firefox extension with over 220,000 users, that was caught sending users’ browsing histories to a server located in Germany.

DarkOwl Vision recently archived a May 2018 post from a user ranked Junior Member on a popular darknet forum offering custom Chrome malware. The self-promoted malware developer advertised a trojanized YouTube Video Downloader in their post, but emphasized their ability to develop custom malware, supporting the possibility that even more compromised Chrome extensions like MEGA.nz’s could be published in the future.

Figure 4 Darknet Forum Post about Custom Chrome Extension Malware (c726797ae6dcd1ac889aff630d2855eb)

Anonymity Impossible

The unfortunate and harsh reality in the world of the deep web and darknet anonymous networks is that anyone on these networks, whether they be privacy-conscious individuals, journalists, or whitehat or blackhat hackers, must remain vigilant and hyper-aware that the tools and resources that advertise anonymity and security may be secretly exposing critical information about their users. Virtual Private Networks (VPNs) and virtual machines along with persistent endpoint protection may be the new norm for individuals who navigate potentially dangerous networks and sites, whereas DarkOwl Vision provides secure access to over 650 million darknet and deep web pages to those who want to avoid the risk altogether.

Copyright © 2024 DarkOwl, LLC All rights reserved.