Possible linux trojan disguised as Tor

19 respostas [Última entrada]
skilo
Desconectado
Joined: 08/11/2013

So just wanted to post this and warn people about a possible linux trojan i discovered, I was using ubuntu about a week ago as my primary OS, I had to wipe my HD because i noticed some strange stuff happening after i installed Torchat the browser bundle.

Basically i became suspicious of my network activity when i ran netstat to see active connections, I noticed Even after exiting Tor there where still active connections being displayed to the tor network and to a few servers hosted in california, It seems when i installed one of those programs is created another Tor executible and set it to run on startup.

I then uninstalled torchat and deleted the TBB from my system and rebooted only to find the hidden tor executable was still there and still running on startup.

Weird..

At that point a pretty much assumed my system had been compromised so i imediately shut it down and wiped the drive.

When i downloaded torchat i did not verify the hash like i should have so it could have been trojan desguised as tor.

GNUser
Desconectado
Joined: 07/17/2013

Thanks for the heads up!
I try to always make sure I am downloading Tor apps with https on, and I also compare sigs (I am getting used to it :P).
It's very important to keep up with this kind of things.
One question, you usually download the Tor apps using Tor Browser?

skilo
Desconectado
Joined: 08/11/2013

At that time i did download both Torchat and the TBB from within Tor network.

I guess it's possible it could have been a MITM attack but i don't think so, I think someone got to one of the executables on one of the servers.

From now on i refuse to install Tor or any other program not in the repositories, I believe it is to risky and you would be better off using a live system like TAILS for accessing Tor.

GNUser
Desconectado
Joined: 07/17/2013

If you think that someone got to the servers, they might also get to the servers of Trisquel repos.
However, I would advise that youu be more careful, use https and check sigs.
If you don't mind changing the system everytime you need to use Tor, Tails is a good choice.

skilo
Desconectado
Joined: 08/11/2013

There has been a lot of speculation lately questioning the integrity of the Tor Project, They seem to be doing a lot of things to inentionally created securtiy holes, Like leaving javascript enabled by default, And leaving no script disabled by default in some releases.

The question is can we still trust the Tor Project?

After this security breech I have since moved to Trisquel for security reasons, I don't want any non-free software running on my machine anymore, The only proprietary thing on my system now is the bios but im not to worried about that.

GNUser
Desconectado
Joined: 07/17/2013

What are you talking about "proprietary software", Tor is free software.
As for the javascript, Tor Browser has ALWAYS shipped with javascript enabled by default. Their opinion is that disabling it would:

1. Make you less anonymous on the net;
2. Break too many websites to make it usable.

So, you might disagree with them, but they have always handled things pretty much the same way.
Noscript is not disabled, it comes with scripts allowed, but it still protects agains xss attacks and such.

Look, I am not trying to insist that you should use Tor. I am merely stating that the Tor team has done more than anyone else to keep the people safe and private. They always stated the weaknesses in the Tr design, they always encouraged people to take their own look on the code and even accept people trying to perform attacks on a controled environment to try to find ways to secure the Tor network.
If you want JS disabled, you can do so yourself. However, they also change some stuff on the firefox browser so that even with JS enabled, your anonimoty prevails. Those are called the "Tor Browser Patches". Tails uses them too!

I am not saying Tor is perfect. And the developers admit they can make mistakes of course. But they have been working on it for over 10 years now and they have never compromised the system. So, yeah, they are worthy some trust... of course, one should keeo examining the code and look out for mistakes on their behalf, and alert if they do something nasty, but talking about pure especulation is negative for both developers and users.

Also, how do you make your browsing private without Tor? The alternatives are far worse.

My two cents =)

quantumgravity
Desconectado
Joined: 04/22/2013

" Their opinion is that disabling it would:

1. Make you less anonymous on the net;
2. Break too many websites to make it usable. "

They never said disabling it would make you less anonymous.
They said": enabling javascript for certain websites when having it disabled by default can do harm to your security.
Just disabling javascript is the best solution for anonymity and the tor project never stated something different.

andrew
Desconectado
Joined: 04/19/2012

On 14/08/13 18:13, name at domain wrote:
>> Their opinion is that disabling it would:
>
> 1. Make you less anonymous on the net; 2. Break too many websites to
> make it usable.
>
> They never said disabling it would make you less anonymous. They
> said": enabling javascript for certain websites when having it
> disabled by default can do harm to your security. Just disabling
> javascript is the best solution for anonymity and the tor project
> never stated something different.

Last time I checked, the Tor project recommended not changing any of the
settings in their browser, so the browser fingerprints would be the same
across all Tor users. IIRC they specifically recommended NOT disabling
JavaScript for this reason.

If only they had JavaScript disabled by default...

Andrew.

GNUser
Desconectado
Joined: 07/17/2013

Now you see quantumgravity, whenever you reply a comment of mine is always to disagree, even when you are wrong... Don't pretend like it's not what has been happening ever since I arrived -.-

ANyway, as Andrew already said, the Tor team has always stated that:

1. Having JS disabled by default makes you easier to identify (because regular people on the net use JS, and most people on Tor Network also use JS);
2. Changing settings in Tor Browser harms your anonymity, because you are different from everyone else in the Tor Network (fingerprints);
3. Having JS enabled for certain websites and disabled for others will also harm your anonymity (not security -.-) because it would reveal your browsing habits;
4. Disabling JS entirely would break most websites, so that would not be a good compromise;
5. NoScript serves another purpose: defend against clickjacking and xss attacks;
6: A good compromise (and what they really do) is to disable certain functions in the browser (called the Tor Browser Patches) so that JS can't do harm. They disable for example geolocation and others.

Now, one don't even has to believe them, I for example actually took a lot of time to read and watch presentations on Tor (both by Tor team and other people) and took a look at some settings on the Browser, and concluded pretty much the same as they did. I still chose not to use JS in certain websites (because I know they have malicious JS running that could still somehow reveal information about me), but that's a choice of mine and I am well aware of the risks. However, I don't go around making changes in the browser... I do those changes in each session and everything goes back to normal when I re-start the Tor Browser.

Any doubts, just ask, I am happy to help people running Tor =)

quantumgravity
Desconectado
Joined: 04/22/2013

" 1. Having JS disabled by default makes you easier to identify (because regular people on the net use JS, and most people on Tor Network also use JS);"

Where did you find this information? Link or something?

> 2. Changing settings in Tor Browser harms your anonymity

Yeah, a different issue. Doesn't mean disabling javascript harms your anonymity.

> 3. Having JS enabled for certain websites and disabled for others will also harm your anonymity

See above.

> 4. Disabling JS entirely would break most websites,

I never said they don't say *this*.

> 5. NoScript serves another purpose: defend against clickjacking and xss attacks;

Yes I agree and never said something different.

But I doubt they ever said it's a risk for your anonymity to disable javascript.
I mean ok, one can recognize that you have javascript disabled and might be a tor user because of this. But how should they manage to find out really private things about you?
I don't like the compromise they made anyway. A project like tor shouldn't make compromises when we talk about anonymity.
Many websites break, ok.
And a few people don't understand this. It's better they stop using tor instead of some people who really need anonymity are exposed to serious privacy issues.

GNUser
Desconectado
Joined: 07/17/2013

Look, honestly I don't know if you are just new to Tor or if you never cared enough about it to actually read some papers and watch some presentations about it... but you are very very wrong about Tor, it's purpose and it's design.

If you take the time to read the comments I made below, you will find links to Tor project, to video presentations, and even a post on their blog that addresses the JS issue. Everything you need to understand these matters is in those links.
Go, and take the time to do some reading, and also explore the Tor Browser settings. You will get a much better picture of these things.

I actually invested many many hours trying to decide if I should go with Tor or not. I am not deaf to the Tor suspicious claims people make on the web. I wanted to know if it was the real deal or not. I have known Tor for 10 years now, and I trust my knowledge of Tor to keep me safe with them. And let's be honest... if Tor is compromised and they can't be trusted, you don't really have a lot of alternatives. Jondo for example basically depends on german institutions which is basically as depending on the USA gov. There was a project I believe was called netsurf or something, they were basically using Google servers (which means, google could track you). Tor is the only real project that can help you.

And like I said before on this forum, Tor might not be safe against the NSA. But it still makes us safe against a neighboor who tries to hack our wifi and spy us, a police officer next door who tries to use his access to spy on us, an ISP who wants to make money from us... That's my mindset, I use the BEST tools with hopes that they will defeat the LOWER enemies. Because about the NSA... they can break us down if they want. No matter if you use Tor or not.

And if you don't like or don't trust Tor, don't use it ;)

But really, take a little time to educate yourself on Tor and online security in general. It will only do you good. The links I provided in the comments below will help.

quantumgravity
Desconectado
Joined: 04/22/2013

I like tor and I trust the tor project, but I feel much better with javascript being disabled all the time and though I'm no tor specialist (you're perfectly right on this) I can't understand why disabling javascript should harm my anonymity.
Perhaps I will learn.
But I don't understand what I said so wrong.
Do you refer to the javascript thing or was it something else?

> But really, take a little time to educate yourself on Tor and online security in general.

I would agree on my limited knowledge about tor, but not about online security in general.
And I don't know if it's worth the effort for me learning so much about tor; for me, there are more urgent problems like participating in decentralized services, setting up an own mail server etc. and those things really need some time.
I don't suffer political repression and don't think it's good to use bandwidth just for my normal internet usage.

As you can see, I'm not dissing you all the time, did I this time?
By the way, after your first verbal escalation I answered to a thread of yours and posted something completely neutral (you wrote that you're never saving any personal data on your pc);
And yeah, after your insulted my many times just because I have a different opinion than you, I don't feel like expressing my joy about your posts so badly.

andrew
Desconectado
Joined: 04/19/2012

On 15/08/13 03:45, shiretoko wrote:
> I like tor and I trust the tor project, but I feel much better with
> javascript being disabled all the time and though I'm no tor
> specialist (you're perfectly right on this) I can't understand why
> disabling javascript should harm my anonymity.

I also disable JavaScript while running Tor.

However, it harms anonymity, at least theoretically, because a website
can easily detect if a browser has JS enabled or not. Give the page a
nonce value, and link to a script with the nonce value in the URL as a
parameter. The server can tell if the script has been requested or not.

Or maybe your browser will use keep-alive to download the script in the
same connection (so no nonce value is required).

You might want to read this:
https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled

Andrew.

GNUser
Desconectado
Joined: 07/17/2013

> I like tor and I trust the tor project, but I feel much better with javascript being disabled all the time and though I'm no tor specialist (you're perfectly right on this) I can't understand why disabling javascript should harm my anonymity. Perhaps I will learn.

I believe the links I posted will teach everyone more than they would ever want to know about Tor. To be honest, most users don't need a deep knowledge of the software to run it. But, if one wants to really be protected from all threats that might arise, he must educate himself. So, yes, learning is a good thing and I encourage you to do so. There are other presentations given about Tor, but the ones I posted are among the best ones I have ever seen, especially because they tackle a lot of different views and angles and ideas on the whole privacy thing.

> But I don't understand what I said so wrong. Do you refer to the javascript thing or was it something else?

Honestly, what shocked me was the fact that you always come around disagreeing with me and trying to be "the voice of reason". Only, this time, you were totally wrong in claiming that the Tor team had never stated that disabling JS would harm anonymity! And honestly, someone who always wants to "protect newcomers" should avoid making such strong claims about things that he recognizes he does not fully understand.
The link Andrew posted explains it with few details. It's a simple explanation and it answers the questions that arouse here.

>I would agree on my limited knowledge about tor, but not about online security in general.And I don't know if it's worth the effort for me learning so much about tor; for me, there are more urgent problems like participating in decentralized services, setting up an own mail server etc. and those things really need some time. I don't suffer political repression and don't think it's good to use bandwidth just for my normal internet usage.

Well, that is a personal matter I think. One person could be worried about his emails, other person would be worried about having his browsing habits revealed, other person would worry about MIT attacks... It's up to you to decide what is more important. HOWEVER, I will make one thing clear: anonymity loves company! It is important that Tor becomes a natural part of our browsing, so that Tor can really achieve a lot of users and a lot of uses, so to better hide their users in the midst. Unless you are talking about large downloads, you should totally use Tor as a default browser.

> As you can see, I'm not dissing you all the time, did I this time?

About time! Must be what... the first maybe second time, you did not come with a negative attitude and targeting me specifically, trying to find ways to disagree with me. I don't want to make things ugly again, I would like for us to be able to coexist here, but in the past you did harass me with a constant negative attitude towards everything I wrote. So, yeah, you were being an a****** and that's why I called you that same name.

> By the way, after your first verbal escalation I answered to a thread of yours and posted something completely neutral (you wrote that you're never saving any personal data on your pc); And yeah, after your insulted my many times just because I have a different opinion than you, I don't feel like expressing my joy about your posts so badly.

Well, is not like I asked you to, but hey, feel free to comment on my posts! As long as you try to behave, I will do my part.

So, I would rather get back to the subject at hand here (which I believe has been answered already) instead of wasting more time with our previous arguments.
If you plan on using Tor, I would suggest you at least do some reading on their website, you should know about the software you are running if you want to be any safe. Anyway, you were right on saying that there are other important matters (like setting own email server and such) and we should try to tackle all of them in the meantime.

G4JC
Desconectado
Joined: 03/11/2012

Best to run things in TAILS, you can use QEMU for that.

Regarding TOR, it sounds odd, but is it possible you installed the TOR service?
in which case: sudo service tor stop
would have killed it.

Alternatively next time, if you can grab the suspicious file it may be very useful to the ClamAV project.

skilo
Desconectado
Joined: 08/11/2013

@GNUuser Yes i know Tor is opensource BSD liscense, I was just referring to other non-free software from other sources.

And umm didn't the feds use a firfox js 0 day just recently?

@G4JC

Tor continued to run even after i uninstalled torchat and deleted the TBB (which was a standalone executable)

I think the trojan might have been in the Torchat executable, It installed Torchat but it also installed something else too.

I hope i never get another trojan but if i do i will report it to clamAV.

GNUser
Desconectado
Joined: 07/17/2013

Running ClamAV on every file you download is a good policy. Even if you are running GNU/Linux it still serves the purpose of knowing if the source you are downloading files from is trustworthy. And if you give the file to a windows friend, he is more protected.

as for the firefox js 0 day, it's what has already been explained, it was something that would only affect outdated versions of Tor Browser and only in windows. I usually say: if you are running windows, it's nearly useless to run Tor... or Piding+OTR... or PGP... or anything, if you are running windows, you are DOOMEEEEEED!

Ok, that was scary :P

Also, if you will take a look at my reply to quantumgravity's comment, you will get a good idea of what the Tor Team stated concerning JS.
If you want to know more about Tor (which you should, considering you run the software!) you can take a look at these presentations:

https://www.youtube.com/watch?v=GwMr8Xl7JMQ
https://www.youtube.com/watch?v=bmj2w9HPPaE
https://www.youtube.com/watch?v=3GanD_lCqLA
https://www.youtube.com/watch?v=-VUyuFH9CbI

These have helped me a lot understanding Tor =)

freeme
Desconectado
Joined: 10/10/2012

"And umm didn't the feds use a firfox js 0 day just recently?"

Yes, if you were running Tor on Windows, using an outdated version of Firefox, with javascript enabled, then you were definitely at risk.

I still use Tor and was never at risk for the recent exploit, for numerous reasons.

GNUser
Desconectado
Joined: 07/17/2013

I just took a look at Tor Blog (should have done if before :P) and I think they answered all our questions. Take a look at their blog, the link is below:

https://blog.torproject.org/category/tags/tor-weekly-news

dadix
Desconectado
Joined: 07/01/2013

You may install ClamAv antivirus from Trisquel repo and Clamtk (gui for Clamav)
http://sourceforge.net/projects/clamtk/?source=dlp