Summary (1/2)
- 39824 hidden service descriptors on 4th February 2013
-- Port scanning
-- Popularity
Summary (2/2)
- A good chunk of Tor hidden services are not bad
- Massively used by botnets
- Most popular hidden services are shady
- One can catch clients of those shady services
Tor hidden services
[Figure: Tor circuit. Client -> Guard -> Middle -> Exit -> Server, TLS between hops, relays chosen from the Consensus, HTTP on the last hop to the Server]
Tor Rendezvous Protocol
Shadowing
A technique described in [1] allowed us to collect onion addresses fast and cheaply.

[1] Biryukov, Pustogarov, Weinmann. Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization. IEEE Symposium on Security and Privacy, 2013.
Statistics
[Bar chart: port scanning results, number of hidden services per open port, axis 0 to 15,000]
- 55080-Skynet: 13,854
- 80-http: 4,027
- 443-https: 1,366
- 22-ssh: 1,238
- 11009-TorChat: 385
- 4050: 138
- 6667-irc: 113
- other: 886
HTTP classification
- 8,153 tried
- Were able to connect to 6,579 using HTTP/HTTPS
- 3529 were inappropriate for classification
[Figure: language distribution of hidden service content, %. Two pie charts, Tor vs Internet; categories: English, German, Russian, Portuguese, Spanish, French, Polish, Chinese, Japanese, Italian, Other. Largest slice (English): 72% on Tor, 84% on the Internet]
[Figure: Topics distribution, %. Categories: Other, Technology, Sports, Digital libs, Science, Games, Services, Art, Hardware, Software, Hacking, Anonymity, Security, Tutorials, FAQ, Weapon, Counterfeit, Politics, Drugs, Adult]
Mevade botnet
TABLE II. Ranking of most popular hidden services (# = rank, RQSTS = number of descriptor requests, Desc = what the service is)

#     RQSTS   Desc
1     13714   Goldnet
2     11582   Goldnet
3     11315   Goldnet
4     7324    Goldnet
5     7183    Goldnet
6     6852    <n/a>
7     6528    Goldnet
8     4941    <n/a>
9     3746    BcMine
10    3678    Skynet
11    2573    Adult
12    1950    Skynet
13    1863    Adult
14    1665    Adult
15    1631    Adult
16    1481    Skynet
17    1326    Skynet
18    1175    Silk Road
19    1094    Adult
20    1021    Skynet
21    942     Skynet
22    899     Skynet
23    898     Skynet
24    889     Adult
25    781     Skynet
26    746     <n/a>
27    694     FreedomHosting
28    667     Skynet
29    585     Adult
30    542     Adult
...
34    453     SilkRoad (wiki)
...
47    255     TorDir
...
62    172     BlckMrktReloaded
...
157   55      DuckDuckGo
...
250   30      Onion Bookmarks
...
547   10      Tor Host
[Figure: User 1 and User 2 both fetching a hidden service descriptor from the same HSDir]
Mevade botnet
- Popular but no results in search engines
- Port 80 (503 error)
- They forgot to disable the server-status page =)
- 330 KBytes/sec, 10 req/sec
- From uptime: two different physical servers
Mevade botnet
- Command and control connectivity via Tor .onion links
- Seems that the purpose of this malware network is to load additional malware onto the system and that the infected systems are for sale
Tracking detection
- One entity has taken over all 6 HSDirs for a single time period, a month before the Silk Road was taken down by the FBI
Thank you