Embed Size (px)
Citation preview
Dark Web Impact on Hidden Services in the Tor-based Criminal Ecosystem
Dr. Marco Balduzzi @embyte
Sr. Researcher at Trend Micro
Forward-Looking Threat Research
A perfect platform for eCrime
Courtesy Ionut Ilascu, Softpedia
What do attackers do?
What do attackers do? After…
How to Study such Attacks?(In the Dark Web)
We simulate a cyber-criminal installation in Tor
Honeypot
I. Black market
II. Hosting/service provider in Tor
III. Underground forum
IV. Misconfigured server (FTP/SSH/IRC)
Technology
I. OsCommerce
II. WordPress + Shells
III. Custom
IV. Debian Linux
Honeypot #3
Registration Only Forum
Exposes a Local File Inclusion vuln
Role of Tor2web proxies
Data Collection and Advertisement
• 7 months experiment
• Month 1: Different advertisement strategies to honeypot #1
• Month 2: Advertised ALL honeypots using ALL strategies
• Month 3-7: Restricted access by blocking incoming Tor2web traffic
Daily POST Requests
Attacks and Files Uploads
• Phase 2 onwards
• Average of 1.4 malicious uploads per day
[Canali et al. NDSS 2013]
Traditional Web Attacks
Password-protected Shells
Obfuscation
Abuse of Tor Anonymity for Attacks
• Specifically targeting underground services in Tor like marketplaces, forums
• Our honeypot!
Case of Tor-centric defacement
• Cyber-criminal gangs compromising opponents
• Self-promoting their “business”
Tor’s private key theft
• Used to compute the hidden service descriptor
Instruction Points
Public Key
Private Key
Instruction Points
Public Key
XYZ.onion
Signing
KeypairGeneration
Tor’s private key theft
• Over 400 attempts
• MiTM, hijack, decryption
Discussion
• Tor2web proxies play important role!
– Make the dark web not as private as someone would think
• Hidden services are equally visible and exposed as surface services
– Receive attacks within days
Discussion
• Dark Web is not safe heaven
– Attackers are actively conducting attacks against hidden services
– Both automated and manuals
• Cyber-criminals are looking for services operated by opponent groups
– Voluntarily attack them
• This work represents a first result in the direction of understanding the attacks landscape in the Dark Web.
Dr. Marco Balduzzi @embyte
Sr. Researcher at Trend Micro
Forward-Looking Threat Research
http://www.madlab.it/papers/sac17_darknets.pdf
![Doppelgängers on the Dark Web: A Large-scale Assessment on ... · strate the deanonymization of Tor hidden services, and there have been other studies [26, 42, 43, 46, 50] until](https://img.pdfslide.us/doc/110x75/5f5d158ea5c76c0f044f3444/doppelgngers-on-the-dark-web-a-large-scale-assessment-on-strate-the-deanonymization.jpg)
![A Radio for Hidden-Photon Dark Matter Detection · Firstly, the mass allows hidden photons to behave as cold matter, and thus to be considered as a dark matter candidate [14]. Secondly,](https://img.pdfslide.us/doc/110x75/5f14b7955132dd1a445872a6/a-radio-for-hidden-photon-dark-matter-detection-firstly-the-mass-allows-hidden.jpg)
![Trawling for Tor Hidden Services: Detection, Measurement ...original design paper, the current version of Tor is using a revised design [25]. Justifications of the design choices](https://img.pdfslide.us/doc/110x75/5f3ac712f8ad3a393405c943/trawling-for-tor-hidden-services-detection-measurement-original-design-paper.jpg)
