11/15/12

Iran Sites Open 2 Joomla -K-CMS Hacking

Iran Sites Open 2 Joomla -K-CMS Hacking

gAtO wAs – in the kitty box scratching and found some sites in Iran that have the same problem that Syria has. Outdated older Content Management systems like Joomla and KCMS_1.0[2] and many other sites have Microsoft Visual Studio.NET 7.0. These require more research as to vulnerabilities but we are working on that. But gAtO found you guessed it Joomla 1.5 CMS all over the place. The same vulnerabilities that Syria has they have

This is easy to do with any browser do a search on any search engine “site:.gov.ir” and you will get a list of all the .gov.ir sites everywhere. Now remember with a translate button(on your browser) you can read these site in any language you want. The other trick is once you get to any site on your browser just go to >>Edit>>Source Code. and lot’s of sites will tell you the content creation: All sites in any language the HTML is always in english.

<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management” />

If your smart and are doing this in a government site I would remove this information. Now besides Joomla 1.5 gAtO found lots of sites with KCMS_1.0[2] and you guessed it again they are older versions and have vulnerabilities.  So now gAtO will publish this list and update it as we find more and more vulnerabilities. Why doe gATo do this. It my way of showing the world that anyone can help, anyone with any talent can contribute to making this world a better world. I hope this informtion helps someone to be free- gAtO oUt.

Some site have this warning be careful :This site may harm your computer.

Research Notes:

IRAN site:.gov.ir

http://xforce.iss.net/xforce/xfdb/33437 Apr 4, 2007 – CVE-2007-2106: Directory traversal vulnerability in index.php in Kai Content Management System (K-CMS) 1.x allows remote attackers to ..

K-CMS (Kai Content Management System) could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted URL request to the index.php script using the current_theme parameter to specify a malicious file from a remote system, which could allow the attacker to execute arbitrary code on the vulnerable Web server.

Many of Irans site use ArPortal 7.1.2 while many others us Microsoft Visual Studio.NET 7.0

<meta name=”generator” content=”Expans! 1.5 – Open Source Content Management

[1] security tips for Joomla Websites http://www.itoctopus.com/10-security-tips-for-your-joomla-website

<META NAME=”GENERATOR” CONTENT=”ArianaPortal 7.1.2″>

[2] <meta name=”generator” content=”KCMS 1.0″ />

K-CMS (Kai Content Management System) index.php file include

http://www.sarvabad.gov.ir/

<meta name=”generator” content=”KCMS 1.0” />

http://www.abhar.gov.ir/index.php?limitstart=63

<meta name=”generator” content=“Joomla! 1.5 – Open Source Content Management. Developed By MamboLearn.com” />

http://www.abhar.gov.ir/

<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management. Developed By MamboLearn.com” />

pishva.gov.ir

<meta name=”generator” content=”Expans! 1.5 – Open Source Content Management

http://www.zanjan.gov.ir/

<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management. Developed By MamboLearn.com” />

http://chaloos.gov.ir/

<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management” />

http://mianeh.gov.ir/

<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management. Developed By Mambolearn.com” />

http://easabt.gov.ir/protocol/

<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management. Developed By Navid Iranian Co. Ltd” />

Saman Information Structure

http://ea.mim.gov.ir/

http://www.sadra-ntoir.gov.ir/

<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management” />

http://www.sarvabad.gov.ir

News – ????? ??? ????? ? ????? ???

sabtyazd.gov.ir/index.php?option=com_newsfeeds…id…

This site may harm your computer.

Joomla 1.5.15 Released. The Joomla Project is pleased to announce the immediate availability of Joomla 2.5.0. This is a security release. Version 2.5.0 is is the

www.khodabandeh.gov.ir/ – Translate this page

Copyright © 2009 — Webdesign aus Tirol – All Rights Reserved. Template Demo Joomla 1.5 Template by pc-didi.. Translate By : Meisam Heidarzadeh | hotfa.ir.

www.sabtyazd.gov.ir/index.php?… – Translate this page

This site may harm your computer.

C:\Inetpub\vhosts\sabtyazd.gov.ir\httpdocs\libraries\joomla\session\session. php %PDF-1.5 3 0 obj < > endobj 4 0 obj < > stream x?U?k A ?? ? :? ?Zz s

http://www.leader.ir/langs/en/

http://www.president.ir/en/

http://www.saamad.ir

iten.behdasht.gov.ir – Site News

11/14/12

What Are ToR Hidden Service?

gAtO tHiNkInG - anonymity serves different interest for different user groups; To a private citizen it’s privacy, to a business it’s a network security issue. A business needs to keep trade secrets or have IP (knowledge base data-centers), communicate with vendors securely and we all know that business need to keep an eye on there competition – the competition can check your stats

update -11-14-2012 -uscyberlabs.com Tor Hidden Servicehttp://otwxbdvje5ttplpv.onion gAtO built this as a test sandbox / honeypot — cool logs stats -DOWN 4 upgrade – 06-11-2013

(http://www.alexa.com/siteinfo/uscyberlabs.com) and check on how your business is doing, what keywords your using, demographics of users hitting your site—— by the way in the Tor-.onion network a web site/service cannot be monitored unless you want it…

How would a government use a ToR-network I’m asked all the time —

// if I was an (agent/business-person)state actor doing business in China (and other countries too) well I would use a ToR-.onion connection to keep my

business private from a government that is know to snoop a bit on travelers to their country. The fact is governments need anonymity for their security -think about it “What does the CIA Google for?” Maybe they us ToR??? But this is about Hidden services right.

 

What is a hidden service in ToR-.onion network?

SImply put it’s a web site/service, a place in the ToR network were we have a service like:

  • Search Engine
  • Directories
  • web / pop3 email
  • PM Private Messages
  • Drop Box’s
  • Re-mailers
  • Bulletin Boards BBS
  • Image Boards
  • Currency exchange
  • Blog
  • E-Commercce
  • Social Networks
  • Micro-Blog -

Hidden Services are called hidden, because your website’s IP in ToR is hidden- they cannot see the IP of your server — they can’t track you- if they can’t find you how are they gonna hack you???? Sorry I had to say that -((more about that later)). Now how do I keep this secret (my IP) and let you the user use my services. In the normal web if your in uscyberlabs.com your on my site,— my server -you can do a whois and get my IP and geo-location— then you can attack my website with dDoS and other IP attack vectors, you also get my location so you can physically find me- my server/my website – maybe go dumpster diving in the trash and get my company secrets— mAyBe sI – nO,

Well in the ToR-.onion network you the client ask the business website if they can use the websites service / then decide and start a handshake to a rendezvous POINT to meet  —we meet at an OR ((onion relay))-a rendezvous POINT) not at my server/ my IP — so your never ever on the business site/server when your in onionLand, you can’t do a whois and get my IP because we meet at an OR, you cannot find my geo-location…..

We have heard of the killings of Iranians and Syrian rebels being killed in todays news, when an Iranian rebel is fighting for his and his families life if they(the government) finds his IP or the IP of the website he visited // they will hunt that person down and the Iranian police/government will kill the whole family sometimes. So keeping an IP from someone is not an evil act it is an act of privacy for safety on both sides the client and the business.

you need to look at Figure 2 to explains this better:

Now let’s focus on R2 OR the yellow key. That’s the spot were you(your company’s hidden website) and your client meet — I know it’s a sneaky way of doing business but once again if they can’t get to your IP at least that is one attack vector that can’t be used to hack you or ddos you. OK they can still hack you but it’s software then. How it’s all done – the magic —the technical thingy to this is below —/this is just an outline of events of the client /hidden web/service protocol:














I goes something like this –

  • ESTABLISH RENDEZVOUS cell
  • INTRODUCE1
  • INTRODUCE2 cell
  • INTRODUCE ACK cell.
  • INTRODUCE2 cell
  • RENDEZVOUS1 cell
  • sends a RENDEZVOUS2 cell Chat
  • sends a RENDEZVOUS2 cell Blog
  • RENDEZVOUS ESTABLISHED cell

1. Whenever the rendezvous point receives a RELAY_COMMAND_RENDEZVOUS1  with the same cookie as the OR sent in the RELAY_COMMAND_INTRODUCTION1 cell it logs the reception and the IP address of the immediate transmitter of the cell. At the same time, the OR middle node monitors the circuits passing through it. Whenever it receives a DESTROY  cell over a circuit it checks:

1) whether the cell was received just after the rendezvous point received the RELAY_COMMAND_RENDEZVOUS1 cell;

2) if the next node of the circuit at the middle node coincides with the previous node of the circuit at the rendezvous point;

3) whether the number of forwarded cells is exactly 2 cells up the circuit and 52 cells down the circuit.

More Geek network kinda stuff::

1. Jun 03 20:50:02.100 [notice] Tor 0.2.1.0-alpha-dev (r14739) opening new log file.

2. Jun 03 20:50:11.151 [notice] We now have enough directory information to build circuits.

3. Jun 03 20:50:12.697 [info] rend_services_introduce(): Giving up on sabotage as intro point for stuptdu2qait65zm.

4. Jun 03 20:50:18.633 [info] rend_service_intro_established(): Received INTRO_ESTABLISHED cell on circuit 1560 for service stuptdu2qait65zm

5. Jun 03 20:51:18.997 [info] upload_service_descriptor(): Sending publish request for hidden service stuptdu2qait65zm

6. Jun 03 20:51:22.878 [info] connection_dir_client_reached_eof(): Uploaded rendezvous descriptor (status 200 (“Service descriptor stored”))

People ask me how can these hidden services be attacked???

It’s all the same as in the surface web you find the software the hidden service is using /// let’s say Worpress (or flatPress) if they use an old version with vulnerabilities then, that site can be hacked by traditional hacking attack vectors— gAtO can’t wait till USCyberLabs.com will have a sandbox in the .onion were we can have a honeypot for people to hack and learn from.  (we need Funding for these project donate please – we will share) gAtO has not tried Backtrack 5 on ToR-.onion network – mAyBe sI -nO – uscyberlabs.com has been hacked a few times already and is consistently fighting bot’s and spammer, it goes on and on.everywhere-.-.-.-

Here are some technologies used in the ToR-.onion network:

update -11-14-2012 -uscyberlabs.com Tor Hidden Service = http://otwxbdvje5ttplpv.onion gAtO built this as a test sandbox and it turned into a honeypot — cool logs stats

TorStatusNet – http://lotjbov3gzzf23hc.onion/   is a microblogging service. It runs the StatusNet microblogging software, version 0.9.9, available under the GNU Affero General Public License.

FlatPress is a blogging engine like -Wordpress blog http://flatpress.org/home/   – http://utup22qsb6ebeejs.onion/

Snapp BBS works fine in OnionLand - http://4eiruntyxxbgfv7o.onion/ -

PHP BBS – http://65bgvta7yos3sce5.onion/

Nginx is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server.  – http://ay5kwknh6znfmcbb.onion/torbook/

Anyway I hope this open up the mystery of a hidden service in ToR – it’s just a website, you go to a rendezvous point and do your business — your IP and the business IP are totally secure. No digital breadcrumbs. Now a word to the wise in the ToR-.onion network you have some very tech savvy people and some are very stupid be a critical-cyber user always -gAtO oUt.

10/13/12

Customized .onion URL Address

gAtO hAs- been looking for this golden grail —how to customize a .onion address  —  but nobody knew how to do it or would never tell. Job security I guess but as I have been in i2p land and not much on Tor but I found this link to Shallot in github.com from and i2p site about Tor and i2p. Well the jig is up. I understand why it may not be a good idea for a custom name – It’s all about math and every custom digit of the 16 digit .onion address takes more time to calculate when your onion ur;l is generated in Tor. I have a new toy for a Saturday night project – Well here it is enjoy it- gAtO out

https://github.com/katmagic/Shallot

Shallot allows you to create customized .onion addresses for Tor’s hidden services. (By customized, it is meant that part of the address can be selected. Choosing an entire address would take far longer than the universe is believed to have been in existence.)

A History of Shallot

Shallot has a long history in Onion Land. In its original incarnation, Shallot was originally written by a mysterious Onion Lander called Bebop, who created its predecessor, onionhash-0.0.1, at some unknown time in the distant past. That quickly(?) evolved into onionhash 0.0.2 and 0.0.3, until Bebop and Bebop’s New Home in Onionspace mysteriously vanished. At this point, it was picked up by `Orum, who gave Shallot its current name, and went through three versions until `Orum’s site, hangman – hidden (in plain) site, went down. I (katmagic) got Shallot’s sources from Tas’s site and put them into a Git repository. I made a few modifications, wrote a new README, and put the whole thing up on GitHub for all to see.

10/9/12

Tor Hidden Service Setup Headaches

%67%61%74%6f%6d%61%6c%6f

gATO mEsSeD – up with my BT (backTrack5) server I am using for my Tor hidden server — otwxbdvje5ttplpv.onion — To set up a hidden service is simple but you have to have a plan and gAtO did not have one—/ as usual I just go into it AND I wiped out mysql – I mean I wiped out my whole installation – Re-Set – I had to install Windows 7, then download BackTrack5 and re-install that- but once I went back and re-installed everything – my hidden service was getting and ERROR —  NO ACCESS permissions error — This led me down a rabbit hole of things I never wanted to learn about apache2 server and linux commands but it was good at the end of 9 hours to beat the thing. OK end of Story…

LAB stuff.— My test BOX is Windows 7 and BT5 unbuntu-10.04.2 LTS

Files to Modify —

/Data/Tor/torrc

/var/apache2/apache2.conf

/var/apache2/envvars

APACHE_RUN_USER=gato

APACHE_RUN_GROUP=gat0

/var/apache2/ports.conf

/var/apache2/sites-available/default

/etc/hosts

These should be all the files to setup a hidden service in Tor. _BUT_ Tor cannot run as ROOT user so you need to create a normal user – I called it gato—

–/ gato User gets all permission for all Tor files and directories

—/ apache runs as ROOT so i run it as sudo

Apache installs it’s website  in /var/www directory – as gato-user I need access to this and creating ALL TOR directories and files so Tor has the right permissions.

But any files on apache will have to have ROOT permissions:

I had everything set up right – but I was getting permission rights error on the Tor hidden service — after I checked everything I found the error the apache user had an environmental variable set to run as someone else not the / gato-user- and I found it in the apache enviers file..

/var/apache2/envvars

APACHE_RUN_USER=gato

APACHE_RUN_GROUP=gate

This APACHE_RUN_USER was set to wstools because that’s what the BT5 installation installed but never told anyone- so I chased this permission stuff down for 4-8 hours – re-booting and Tor start-up and test every setting – THEY SHOULD TELL SOMEONE BT5

Yeah this build has owner stuff mixed up a bit – I am still working on mysql stuff but it should be up next to install mediawiki – it should be a great learning curve AGAIN – but I am having fun and learning all my unix stuff back – good because  I been working on php for the Tor directory crawler that I will be launching from this server in a few weeks…

below are my lab notes — I hope it helps someone some time —gAtO oUt

check out the site otwxbdvje5ttplpv.onion — it has BeEF and mstool for XXS and SQLi testing online and a cool C&C controller for bots. – I still don’t know why BT5 put this in the distro but I want to play with it…. https://github.com/beefproject/beef/wiki/BeEF-and-Backtrack-5

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-lab notes=-=-=-=-=-=-=-=-=-=-

Start Tor – /home/gato/Desktop/tor

./start-tor-browser 

Start apache2 –> sudo /etc/init.d/apache2 restart

For security, I recommanded to lauch the command as a service

Start Mysql –> service mysqld start

the tool to manager mysql is mysqladmin

check is mysql started

–> ps -ef | grep mysql

Start Apache

–> sudo /etc/init.d/apache2 stop

/Desktop/tor/Data/Tor$ nano torrc

root@bt:/var/www# nano index.html

root@bt:/var/www# cd /etc/apache2

root@bt:/etc/apache2# ls

apache2.conf  envvars     magic           mods-enabled  sites-available

conf.d        httpd.conf  mods-available  ports.conf    sites-enabled

root@bt:/etc/apache2# ls

#!/bin/bash

# Changes to this file will be preserved when updating the Debian package.

source /usr/share/mysql/debian-start.inc.sh

MYSQL=”/usr/bin/mysql –defaults-file=/etc/mysql/debian.cnf”

MYADMIN=”/usr/bin/mysqladmin –defaults-file=/etc/mysql/debian.cnf”

MYUPGRADE=”/usr/bin/mysql_upgrade –defaults-extra-file=/etc/mysql/debian.cnf”

MYCHECK=”/usr/bin/mysqlcheck –defaults-file=/etc/mysql/debian.cnf”

MYCHECK_SUBJECT=”WARNING: mysqlcheck has found corrupt tables”

MYCHECK_PARAMS=”–all-databases –fast –silent”

MYCHECK_RCPT=”root”

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

398  sudo /etc/init.d/apache2 status

399  sudo /etc/init.d/apache2 reload

400  sudo /etc/init.d/apache2 restart

401  sudo /etc/init.d/apache2 reload

402  sudo /etc/init.d/apache2 restart

391  sudo ps aux | grep tor

392  sudo ps aux | grep apache

393  sudo ps aux | grep apache2

394  sudo ps aux | grep mysql

395  sudo ps aux | grep apache

396  sudo ps aux | grep “tor”

397  sudo ps aux | grep “/tor”

398  sudo ps aux | grep /tor/

 

/etc/apache2/apache2.conf

port.conf

/var/www/otwxbdvje5ttplpv.onion#

uscyberlabs

< otwxbdvje5ttplpv.onion

other secret site -not working

3rtiazp6p4t2vxfn.onion

09/28/12

Tor Command syntax

gAtO wAnT’s – just the simple command syntax -from the OG-OR Roger Dingledine -Nick Mathewson the Tor gods.

href=”http://manpages.ubuntu.com/manpages/hardy/man8/tor.8.html#contenttoc6″>

 

NAME

       tor - The second-generation onion router

SYNOPSIS

       tor [OPTION value]...

DESCRIPTION

       tor  is  a connection-oriented anonymizing communication service. Users
       choose a source-routed path through a set of  nodes,  and  negotiate  a
       "virtual  circuit"  through  the  network, in which each node knows its
       predecessor and successor, but no  others.  Traffic  flowing  down  the
       circuit is unwrapped by a symmetric key at each node, which reveals the
       downstream node.

       Basically  tor  provides  a  distributed  network  of  servers  ("onion
       routers"). Users bounce their TCP streams -- web traffic, ftp, ssh, etc
       -- around the routers, and recipients, observers, and even the  routers
       themselves have difficulty tracking the source of the stream.

OPTIONS

       -h, -help Display a short help message and exit.

       -f FILE
              FILE   contains   further   "option   value"   pairs.  (Default:
              /etc/tor/torrc)

       --hash-password
              Generates a hashed password for control port access.

       --list-fingerprint
              Generate your keys and output your nickname and fingerprint.

       --verify-config
              Verify the configuration file is valid.

       --nt-service
              --service [install|remove|start|stop]  Manage  the  Tor  Windows
              NT/2000/XP  service.   Current  instructions  can  be  found  at
              http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#WinNTService

       --list-torrc-options
              List all valid options.

       --version
              Display Tor version.

       Other options can be specified either on the command-line (--option
              value),  or  in  the configuration file (option value).  Options
              are case-insensitive.

       BandwidthRate N bytes|KB|MB|GB|TB
              A token bucket limits the average incoming  bandwidth  usage  on
              this  node  to the specified number of bytes per second, and the
              average outgoing bandwidth usage to that same value. (Default: 3
              MB)

       BandwidthBurst N bytes|KB|MB|GB|TB
              Limit the maximum token bucket size (also known as the burst) to
              the given number of bytes in each direction. This  value  should
              be at least twice your BandwidthRate. (Default: 6 MB)

       MaxAdvertisedBandwidth N bytes|KB|MB|GB|TB
              If set, we will not advertise more than this amount of bandwidth
              for our BandwidthRate. Server operators who want to  reduce  the
              number  of clients who ask to build circuits through them (since
              this is proportional to  advertised  bandwidth  rate)  can  thus
              reduce the CPU demands on their server without impacting network
              performance.

       ConnLimit NUM
              The minimum number of file descriptors that must be available to
              the Tor process before it will start. Tor will ask the OS for as
              many file descriptors as the OS will allow (you can find this by
              "ulimit -H -n"). If this number is less than ConnLimit, then Tor
              will refuse to start.

              You probably don’t need to adjust this.  It  has  no  effect  on
              Windows since that platform lacks getrlimit(). (Default: 1000)

       ControlPort Port
              If set, Tor will accept connections on this port and allow those
              connections to control the Tor process  using  the  Tor  Control
              Protocol (described in control-spec.txt).  Note: unless you also
              specify one of  HashedControlPassword  or  CookieAuthentication,
              setting  this  option will cause Tor to allow any process on the
              local host to control it. This option is required for  many  Tor
              controllers; most use the value of 9051.

       ControlListenAddress IP[:PORT]
              Bind  the  controller listener to this address. If you specify a
              port, bind to  this  port  rather  than  the  one  specified  in
              ControlPort.  We  strongly  recommend  that you leave this alone
              unless you know what you’re doing, since giving attackers access
              to   your   control  listener  is  really  dangerous.  (Default:
              127.0.0.1) This directive can be  specified  multiple  times  to
              bind to multiple addresses/ports.

       HashedControlPassword hashed_password
              Don’t  allow any connections on the control port except when the
              other  process  knows  the  password  whose  one-way   hash   is
              hashed_password.   You  can  compute  the  hash of a password by
              running "tor --hash-password password".

       CookieAuthentication 0|1
              If this option is set to 1, don’t allow any connections  on  the
              control  port  except  when  the  connecting  process  knows the
              contents of a file named "control_auth_cookie", which  Tor  will
              create  in  its  data  directory.   This  authentication methods
              should only be used on systems with  good  filesystem  security.
              (Default: 0)

       DataDirectory DIR
              Store working data in DIR (Default: /var/lib/tor)

       DirServer [nickname] [flags] address:port fingerprint
              Use a nonstandard authoritative directory server at the provided
              address and port, with  the  specified  key  fingerprint.   This
              option  can  be  repeated many times, for multiple authoritative
              directory servers.  Flags are separated by spaces, and determine
              what  kind of an authority this directory is.  By default, every
              authority is authoritative for current ("v2")-style directories,
              unless  the  "no-v2"  flag  is  given.   If  the  "v1"  flags is
              provided, Tor will use this server as an authority for old-style
              (v1)  directories  as  well.  (Only directory mirrors care about
              this.)  Tor will use this server  as  an  authority  for  hidden
              service information if the "hs" flag is set, or if the "v1" flag
              is set and the "no-hs" flag is not set.  If a flag "orport=port"
              is  given,  Tor  will  use the given port when opening encrypted
              tunnels to the dirserver.  If no dirserver line  is  given,  Tor
              will  use  the  default directory servers.  NOTE: this option is
              intended for setting up a  private  Tor  network  with  its  own
              directory   authorities.    If   you   use   it,   you  will  be
              distinguishable from other users, because you won’t believe  the
              same authorities they do.

       FetchHidServDescriptors 0|1
              If set to 0, Tor will never fetch any hidden service descriptors
              from the rendezvous directories. This option is only  useful  if
              you’re  using  a Tor controller that handles hidserv fetches for
              you.  (Default: 1)

       FetchServerDescriptors 0|1
              If set to 0, Tor will never fetch any network  status  summaries
              or server descriptors from the directory servers. This option is
              only useful if  you’re  using  a  Tor  controller  that  handles
              directory fetches for you.  (Default: 1)

       FetchUselessDescriptors 0|1
              If  set  to 1, Tor will fetch every non-obsolete descriptor from
              the authorities that it hears about. Otherwise,  it  will  avoid
              fetching  useless  descriptors, for example for routers that are
              not  running.   This  option  is  useful  if  you’re  using  the
              contributed  "exitlist"  script to enumerate Tor nodes that exit
              to certain addresses.  (Default: 0)

       Group GID
              On startup, setgid to this group.

       HttpProxy host[:port]
              Tor will make all its directory requests through this  host:port
              (or  host:80  if  port is not specified), rather than connecting
              directly to any directory servers.

       HttpProxyAuthenticator username:password
              If defined, Tor will use this username:password for  Basic  Http
              proxy authentication, as in RFC 2617. This is currently the only
              form of Http proxy authentication that Tor supports;  feel  free
              to submit a patch if you want it to support others.

       HttpsProxy host[:port]
              Tor  will  make  all  its  OR  (SSL)  connections  through  this
              host:port (or host:443 if  port  is  not  specified),  via  HTTP
              CONNECT  rather  than  connecting  directly to servers.  You may
              want to set FascistFirewall to restrict the  set  of  ports  you
              might  try  to  connect  to,  if  your  Https  proxy only allows
              connecting to certain ports.

       HttpsProxyAuthenticator username:password
              If defined, Tor will use this username:password for Basic  Https
              proxy authentication, as in RFC 2617. This is currently the only
              form of Https proxy authentication that Tor supports; feel  free
              to submit a patch if you want it to support others.

       KeepalivePeriod NUM
              To  keep  firewalls  from  expiring  connections, send a padding
              keepalive cell every NUM seconds on open connections that are in
              use.  If the connection has no open circuits, it will instead be
              closed after NUM seconds of idleness. (Default: 5 minutes)

       Log minSeverity[-maxSeverity] stderr|stdout|syslog
              Send all messages between minSeverity  and  maxSeverity  to  the
              standard  output  stream,  the  standard error stream, or to the
              system log. (The "syslog" value  is  only  supported  on  Unix.)
              Recognized  severity  levels  are debug, info, notice, warn, and
              err.  We advise using "notice" in  most  cases,  since  anything
              more  verbose  may  provide sensitive information to an attacker
              who obtains the logs.  If only one severity level is given,  all
              messages  of  that  level  or  higher will be sent to the listed
              destination.

       Log minSeverity[-maxSeverity] file FILENAME
              As above, but send log messages to  the  listed  filename.   The
              "Log"  option may appear more than once in a configuration file.
              Messages are sent to all the  logs  that  match  their  severity
              level.

       OutboundBindAddress IP
              Make  all  outbound  connections  originate  from the IP address
              specified.  This is only useful when you have  multiple  network
              interfaces,  and  you  want all of Tor’s outgoing connections to
              use a single one.

       PidFile FILE
              On startup, write our PID to FILE.  On  clean  shutdown,  remove
              FILE.

       ProtocolWarnings 0|1
              If  1,  Tor will log with severity ’warn’ various cases of other
              parties not following the Tor specification. Otherwise, they are
              logged with severity ’info’. (Default: 0)

       RunAsDaemon 0|1
              If  1,  Tor  forks and daemonizes to the background. This option
              has no effect on Windows; instead you should use  the  --service
              command-line option. (Default: 0)

       SafeLogging 0|1
              If  1,  Tor  replaces  potentially sensitive strings in the logs
              (e.g. addresses) with the string [scrubbed]. This way  logs  can
              still   be  useful,  but  they  don’t  leave  behind  personally
              identifying information about  what  sites  a  user  might  have
              visited. (Default: 1)

       User UID
              On startup, setuid to this user.

       HardwareAccel 0|1
              If  non-zero,  try  to  use  crypto  hardware  acceleration when
              available. This is untested and probably buggy. (Default: 0)

       AvoidDiskWrites 0|1
              If non-zero, try to write to disk less frequently than we  would
              otherwise.  This is useful when running on flash memory or other
              media that support only a limited number of  writes.   (Default:
              0)

       TunnelDirConns 0|1
              If  non-zero, when a directory server we contact supports it, we
              will build a one-hop circuit and make  an  encrypted  connection
              via its ORPort. (Default: 0)

       PreferTunneledDirConns 0|1
              If  non-zero, we will avoid directory servers that don’t support
              tunneled directory connections, when possible. (Default: 0)

CLIENT OPTIONS

       The following  options  are  useful  only  for  clients  (that  is,  if
       SocksPort is non-zero):

       AllowInvalidNodes entry|exit|middle|introduction|rendezvous|...
              If  some  Tor  servers  are  obviously  not  working  right, the
              directory authorities can manually mark them as invalid, meaning
              that  it’s  not  recommended  you  use  them  for  entry or exit
              positions in your circuits. You can opt  to  use  them  in  some
              circuit  positions,  though. The default is "middle,rendezvous",
              and other choices are not advised.

       CircuitBuildTimeout NUM
              Try for at most NUM  seconds  when  building  circuits.  If  the
              circuit  isn’t  open  in  that time, give up on it.  (Default: 1
              minute.)

       CircuitIdleTimeout NUM
              If we have keept a clean (never used)  circuit  around  for  NUM
              seconds, then close it. This way when the Tor client is entirely
              idle, it can expire all of its circuits, and then expire its TLS
              connections.  Also,  if  we  end up making a circuit that is not
              useful for exiting any of the requests we’re receiving, it won’t
              forever  take up a slot in the circuit list.  (Default: 1 hour.)

       ClientOnly 0|1
              If set to 1, Tor will under no circumstances run  as  a  server.
              The  default  is to run as a client unless ORPort is configured.
              (Usually, you don’t need to set this; Tor  is  pretty  smart  at
              figuring  out whether you are reliable and high-bandwidth enough
              to be a useful server.)  (Default: 0)

       ExcludeNodes nickname,nickname,...
              A list of nodes to never use when building a circuit.

       EntryNodes nickname,nickname,...
              A list of preferred nodes to  use  for  the  first  hop  in  the
              circuit.    These   are   treated  only  as  preferences  unless
              StrictEntryNodes (see below) is also set.

       ExitNodes nickname,nickname,...
              A list of preferred nodes  to  use  for  the  last  hop  in  the
              circuit.    These   are   treated  only  as  preferences  unless
              StrictExitNodes (see below) is also set.

       StrictEntryNodes 0|1
              If 1, Tor will never use  any  nodes  besides  those  listed  in
              "EntryNodes" for the first hop of a circuit.

       StrictExitNodes 0|1
              If  1,  Tor  will  never  use  any nodes besides those listed in
              "ExitNodes" for the last hop of a circuit.

       FascistFirewall 0|1
              If 1, Tor will only create outgoing connections to  ORs  running
              on  ports that your firewall allows (defaults to 80 and 443; see
              FirewallPorts).  This will allow you to  run  Tor  as  a  client
              behind  a firewall with restrictive policies, but will not allow
              you to run as a server behind such a firewall.  This  option  is
              deprecated; use ReachableAddresses instead.

       FirewallPorts PORTS
              A  list  of  ports  that your firewall allows you to connect to.
              Only  used  when  FascistFirewall  is  set.   This   option   is
              deprecated; use ReachableAddresses instead. (Default: 80, 443)

       ReachableAddresses ADDR[/MASK][:PORT]...
              A  comma-separated  list  of  IP  addresses  and ports that your
              firewall allows you to connect to. The  format  is  as  for  the
              addresses  in  ExitPolicy,  except  that  "accept" is understood
              unless  "reject"   is   explicitly   provided.    For   example,
              ’ReachableAddresses  99.0.0.0/8,  reject  18.0.0.0/8:80,  accept
              *:80’ means that your firewall allows connections to  everything
              inside  net  99,  rejects  port  80  connections  to net 18, and
              accepts connections to port  80  otherwise.   (Default:  ’accept
              *:*’.)

       ReachableDirAddresses ADDR[/MASK][:PORT]...
              Like  ReachableAddresses,  a  list  of addresses and ports.  Tor
              will   obey   these   restrictions   when   fetching   directory
              information,  using  standard  HTTP  GET  requests.  If  not set
              explicitly then the value of  ReachableAddresses  is  used.   If
              HttpProxy  is  set  then  these connections will go through that
              proxy.

       ReachableORAddresses ADDR[/MASK][:PORT]...
              Like ReachableAddresses, a list of  addresses  and  ports.   Tor
              will  obey  these restrictions when connecting to Onion Routers,
              using  TLS/SSL.   If  not  set  explicitly  then  the  value  of
              ReachableAddresses  is  used.  If  HttpsProxy  is set then these
              connections will go through that proxy.

              The     separation     between     ReachableORAddresses      and
              ReachableDirAddresses   is   only   interesting   when  you  are
              connecting through proxies (see HttpProxy and HttpsProxy).  Most
              proxies  limit  TLS  connections  (which  Tor uses to connect to
              Onion Routers) to port 443, and some  limit  HTTP  GET  requests
              (which  Tor uses for fetching directory information) to port 80.

       LongLivedPorts PORTS
              A list of ports for services  that  tend  to  have  long-running
              connections  (e.g.  chat  and  interactive shells). Circuits for
              streams that use  these  ports  will  contain  only  high-uptime
              nodes,  to reduce the chance that a node will go down before the
              stream is finished.  (Default: 21, 22, 706,  1863,  5050,  5190,
              5222, 5223, 6667, 6697, 8300)

       MapAddress address newaddress
              When a request for address arrives to Tor, it will rewrite it to
              newaddress before processing it. For example, if you always want
              connections  to  www.indymedia.org  to exit via torserver (where
              torserver is  the  nickname  of  the  server),  use  "MapAddress
              www.indymedia.org www.indymedia.org.torserver.exit".

       NewCircuitPeriod NUM
              Every  NUM  seconds  consider  whether  to  build a new circuit.
              (Default: 30 seconds)

       MaxCircuitDirtiness NUM
              Feel free to reuse a circuit that was first  used  at  most  NUM
              seconds  ago, but never attach a new stream to a circuit that is
              too old.  (Default: 10 minutes)

       EnforceDistinctSubnets 0|1
              If 1, Tor will not put two servers whose IP addresses  are  "too
              close"  on  the same circuit.  Currently, two addresses are "too
              close" if they lie in the same /16 range. (Default: 1)

       RendNodes nickname,nickname,...
              A list of preferred nodes to use for the  rendezvous  point,  if
              possible.

       RendExcludeNodes nickname,nickname,...
              A list of nodes to never use when choosing a rendezvous point.

       SocksPort PORT
              Advertise  this  port  to  listen  for  connections  from Socks-
              speaking applications.  Set this to 0 if you don’t want to allow
              application connections. (Default: 9050)

       SocksListenAddress IP[:PORT]
              Bind  to  this  address  to  listen  for connections from Socks-
              speaking applications. (Default: 127.0.0.1) You can also specify
              a port (e.g. 192.168.0.1:9100).  This directive can be specified
              multiple times to bind to multiple addresses/ports.

       SocksPolicy policy,policy,...
              Set an entrance policy for this server, to limit who can connect
              to  the  Socks  ports.   The policies have the same form as exit
              policies below.

       SocksTimeout NUM
              Let a socks connection wait NUM  seconds  handshaking,  and  NUM
              seconds unattached waiting for an appropriate circuit, before we
              fail it.  (Default: 2 minutes.)

       TestVia nickname,nickname,...
              A list of nodes to prefer for  your  middle  hop  when  building
              testing   circuits.   This   option   is  mainly  for  debugging
              reachability problems.

       TrackHostExits host,.domain,...
              For each value in the  comma  separated  list,  Tor  will  track
              recent connections to hosts that match this value and attempt to
              reuse the same exit node for each. If  the  value  is  prepended
              with  a  ’.’, it is treated as matching an entire domain. If one
              of the values is just a ’.’, it  means  match  everything.  This
              option  is  useful  if you frequently connect to sites that will
              expire all your authentication cookies (ie log you out) if  your
              IP  address  changes.  Note  that  this  option  does  have  the
              disadvantage of making it more clear that  a  given  history  is
              associated  with  a  single user. However, most people who would
              wish to observe this will observe it through  cookies  or  other
              protocol-specific means anyhow.

       TrackHostExitsExpire NUM
              Since exit servers go up and down, it is desirable to expire the
              association between host and exit server after NUM seconds.  The
              default is 1800 seconds (30 minutes).

       UseEntryGuards 0|1
              If  this  option  is  set  to  1,  we pick a few long-term entry
              servers, and try to stick with them.  This is desirable  because
              constantly changing servers increases the odds that an adversary
              who owns some servers will observe a  fraction  of  your  paths.
              (Defaults to 1.)

       NumEntryGuards NUM
              If  UseEntryGuards  is  set to 1, we will try to pick a total of
              NUM routers as long-term entries for our circuits.  (Defaults to
              3.)

       SafeSocks 0|1
              When  this  option  is  enabled,  Tor  will  reject  application
              connections that use unsafe variants of the  socks  protocol  --
              ones that only provide an IP address, meaning the application is
              doing a DNS resolve first.  Specifically, these are  socks4  and
              socks5 when not doing remote DNS.  (Defaults to 0.)

       TestSocks 0|1
              When  this  option  is enabled, Tor will make a notice-level log
              entry for each connection to the Socks port  indicating  whether
              the  request  used  a  safe socks protocol or an unsafe one (see
              above entry on SafeSocks).  This helps to determine  whether  an
              application   using   Tor  is  possibly  leaking  DNS  requests.
              (Default: 0)

       VirtualAddrNetwork Address/bits
              When a controller asks for a virtual (unused) address  with  the
              MAPADDRESS  command,  Tor  picks an unassigned address from this
              range.  (Default: 127.192.0.0/10)

              When providing proxy server service to a  network  of  computers
              using   a  tool  like  dns-proxy-tor,  change  this  address  to
              "10.192.0.0/10"     or     "172.16.0.0/12".      The     default
              VirtualAddrNetwork   address  range  on  a  properly  configured
              machine will route to the loopback interface.  For local use, no
              change to the default VirtualAddrNetwork setting is needed.

       AllowNonRFC953Hostnames 0|1
              When  this  option  is disabled, Tor blocks hostnames containing
              illegal characters (like @ and :) rather than sending them to an
              exit  node  to be resolved.  This helps trap accidental attempts
              to resolve URLs and so on.  (Default: 0)

       FastFirstHopPK 0|1
              When this option is enabled and we aren’t running as  a  server,
              Tor  skips  the  public  key  step for the first hop of creating
              circuits.  This is safe  since  we  have  already  used  TLS  to
              authenticate  the  server  and to establish forward-secure keys.
              Turning  this  option  off  makes   circuit   building   slower.
              (Default: 1)

       TransPort PORT
              If  non-zero,  enables  transparent  proxy  support  on PORT (by
              convention, 9040).  Requires OS support for transparent proxies,
              such as BSDs’ pf or Linux’s IPTables.  If you’re planning to use
              Tor as a transparent proxy for a network, you’ll want to examine
              and  change  VirtualAddrNetwork from the default setting. You’ll
              also want to set the TransListenAddress option for  the  network
              you’d like to proxy.  (Default: 0).

       TransListenAddress IP[:PORT]
              Bind   to   this   address   to  listen  for  transparent  proxy
              connections.   (Default:  127.0.0.1).   This   is   useful   for
              exporting a transparent proxy server to an entire network.

       NATDPort PORT
              Allow  old  versions  of  ipfw  (as  included in old versions of
              FreeBSD, etc.) to send connections through Tor  using  the  NATD
              protocol.   This  option  is  only  for  people  who  cannot use
              TransPort.

       NATDListenAddress IP[:PORT]
              Bind to this address to listen for NATD connections.   (Default:
              127.0.0.1).

       SERVER OPTIONS

       The  following  options are useful only for servers (that is, if ORPort
       is non-zero):

       Address address
              The IP or fqdn of this  server  (e.g.  moria.mit.edu).  You  can
              leave this unset, and Tor will guess your IP.

       AssumeReachable 0|1
              This option is used when bootstrapping a new Tor network. If set
              to 1, don’t  do  self-reachability  testing;  just  upload  your
              server descriptor immediately. If AuthoritativeDirectory is also
              set, this  option  instructs  the  dirserver  to  bypass  remote
              reachability  testing  too  and  list  all  connected servers as
              running.

       ContactInfo email_address
              Administrative contact information for server. This  line  might
              get picked up by spam harvesters, so you may want to obscure the
              fact that it’s an email address.

       ExitPolicy policy,policy,...
              Set an exit policy for this server. Each policy is of  the  form
              "accept|reject  ADDR[/MASK][:PORT]".   If  /MASK is omitted then
              this policy just applies to the host given.  Instead of giving a
              host  or  network  you  can  also use "*" to denote the universe
              (0.0.0.0/0).  PORT can be a single port number, an  interval  of
              ports  "FROM_PORT-TO_PORT",  or  "*".   If PORT is omitted, that
              means "*".

              For  example,  "accept  18.7.22.69:*,reject  18.0.0.0/8:*,accept
              *:*"  would  reject  any  traffic  destined  for  MIT except for
              web.mit.edu, and accept anything else.

              To specify  all  internal  and  link-local  networks  (including
              0.0.0.0/8,    169.254.0.0/16,    127.0.0.0/8,    192.168.0.0/16,
              10.0.0.0/8, and 172.16.0.0/12), you can use the "private"  alias
              instead  of an address.  These addresses are rejected by default
              (at the beginning of your exit policy), along with  your  public
              IP  address,  unless  you set the ExitPolicyRejectPrivate config
              option to 0. For example, once you’ve done that, you could allow
              HTTP  to  127.0.0.1  and block all other connections to internal
              networks with  "accept  127.0.0.1:80,reject  private:*",  though
              that  may  also  allow connections to your own computer that are
              addressed to its public (external) IP address. See RFC 1918  and
              RFC 3330 for more details about internal and reserved IP address
              space.

              This directive can be specified multiple times so you don’t have
              to put it all on one line.

              Policies are considered first to last, and the first match wins.
              If you want to _replace_ the default exit policy, end your  exit
              policy  with  either  a  reject *:* or an accept *:*. Otherwise,
              you’re _augmenting_ (prepending to) the default exit policy. The
              default exit policy is:
                   reject *:25
                   reject *:119
                   reject *:135-139
                   reject *:445
                   reject *:465
                   reject *:563
                   reject *:587
                   reject *:1214
                   reject *:4661-4666
                   reject *:6346-6429
                   reject *:6699
                   reject *:6881-6999
                   accept *:*

       ExitPolicyRejectPrivate 0|1
              Reject  all private (local) networks, along with your own public
              IP address, at the beginning of  your  exit  policy.  See  above
              entry on ExitPolicy. (Default: 1)

       MaxOnionsPending NUM
              If  you  have  more  than  this  number of onionskins queued for
              decrypt, reject new ones. (Default: 100)

       MyFamily nickname,nickname,...
              Declare that this Tor server is controlled or administered by  a
              group  or organization identical or similar to that of the other
              named servers.  When two servers both declare that they  are  in
              the  same  ’family’,  Tor  clients will not use them in the same
              circuit.  (Each server only needs to list the other  servers  in
              its  family; it doesn’t need to list itself, but it won’t hurt.)

       Nickname name
              Set the server’s nickname to ’name’. Nicknames must be between 1
              and   19   characters  inclusive,  and  must  contain  only  the
              characters [a-zA-Z0-9].

       NumCPUs num
              How many processes to use at  once  for  decrypting  onionskins.
              (Default: 1)

       ORPort PORT
              Advertise  this  port to listen for connections from Tor clients
              and servers.

       ORListenAddress IP[:PORT]
              Bind to this IP address  to  listen  for  connections  from  Tor
              clients  and  servers.  If you specify a port, bind to this port
              rather than the one specified in ORPort. (Default: 0.0.0.0) This
              directive  can  be  specified multiple times to bind to multiple
              addresses/ports.

       PublishServerDescriptor 0|1
              If set to 0, Tor will act as a server  if  you  have  an  ORPort
              defined,   but  it  will  not  publish  its  descriptor  to  the
              dirservers. This option is useful if  you’re  testing  out  your
              server,  or  if  you’re  using  a  Tor  controller  that handles
              directory publishing for you.  (Default: 1)

       RedirectExit pattern target
              Whenever an outgoing connection tries to connect  to  one  of  a
              given set of addresses, connect to target (an address:port pair)
              instead.  The address pattern is given in the same format as for
              an  exit  policy.   The  address  translation applies after exit
              policies are applied.   Multiple  RedirectExit  options  can  be
              used: once any one has matched successfully, no subsequent rules
              are considered.  You can specify that no redirection  is  to  be
              performed  on  a  given  set  of  addresses by using the special
              target string "pass", which prevents subsequent rules from being
              considered.

       ShutdownWaitLength NUM
              When we get a SIGINT and we’re a server, we begin shutting down:
              we close listeners and start refusing new  circuits.  After  NUM
              seconds,   we   exit.  If  we  get  a  second  SIGINT,  we  exit
              immediately.  (Default: 30 seconds)

       AccountingMax N bytes|KB|MB|GB|TB
              Never send more than the specified number of bytes  in  a  given
              accounting  period,  or  receive  more  than  that number in the
              period.  For example, with AccountingMax set to 1 GB,  a  server
              could  send  900  MB and receive 800 MB and continue running. It
              will only hibernate once one of the two reaches 1 GB.  When  the
              number of bytes is exhausted, Tor will hibernate until some time
              in the next accounting period.   To  prevent  all  servers  from
              waking at the same time, Tor will also wait until a random point
              in each period before waking up.  If  you  have  bandwidth  cost
              issues,  enabling  hibernation  is  preferable  to setting a low
              bandwidth, since it provides users with  a  collection  of  fast
              servers  that are up some of the time, which is more useful than
              a set of slow servers that are always "available".

       AccountingStart day|week|month [day] HH:MM
              Specify how long accounting periods last.  If  month  is  given,
              each accounting period runs from the time HH:MM on the dayth day
              of one month to the same day and time of  the  next.   (The  day
              must  be  between  1 and 28.)  If week is given, each accounting
              period runs from the time HH:MM of the dayth day of one week  to
              the same day and time of the next week, with Monday as day 1 and
              Sunday as day 7.  If day is given, each accounting  period  runs
              from  the  time HH:MM each day to the same time on the next day.
              All times are local, and given in 24-hour  time.   (Defaults  to
              "month 1 0:00".)

       ServerDNSResolvConfFile filename
              Overrides  the  default DNS configuration with the configuration
              in filename.  The file format is the same as the  standard  Unix
              "resolv.conf"  file  (7).  This option, like all other ServerDNS
              options, only affects name  lookup  that  your  server  does  on
              behalf  of clients.  Also, it only takes effect if Tor was built
              with  eventdns  support.   (Defaults  to  use  the  system   DNS
              configuration.)

       ServerDNSSearchDomains 0|1
              If  set  to  1,  then  we will search for addresses in the local
              search domain.  For example, if this  system  is  configured  to
              believe it is in "example.com", and a client tries to connect to
              "www", the client will be connected to "www.example.com".   This
              option  only affects name lookup that your server does on behalf
              of clients, and only takes effect if Tor was build with eventdns
              support.  (Defaults to "0".)

       ServerDNSDetectHijacking 0|1
              When  this  option  is  set  to  1, we will test periodically to
              determine whether our local nameservers have been configured  to
              hijack  failing  DNS  requests (usually to an advertising site).
              If they are, we will attempt to correct this.  This option  only
              affects  name lookup that your server does on behalf of clients,
              and only takes effect if Tor was build  with  eventdns  support.
              (Defaults to "1".)

       ServerDNSTestAddresses address,address,...
              When  we’re  detecting DNS hijacking, make sure that these valid
              addresses aren’t getting redirected.  If they are, then our  DNS
              is  completely  useless,  and  we’ll  reset  our  exit policy to
              "reject *:*".  This option only affects name  lookup  that  your
              server  does  on behalf of clients, and only takes effect if Tor
              was build with eventdns support.  (Defaults to  "www.google.com,
              www.mit.edu, www.yahoo.com, www.slashdot.org".)

       ServerDNSAllowNonRFC953Hostnames 0|1
              When  this  option  is  disabled,  Tor  does  not try to resolve
              hostnames containing illegal characters (like @  and  :)  rather
              than  sending  them  to an exit node to be resolved.  This helps
              trap accidental attempts to resolve URLs and so on.  This option
              only  affects  name  lookup  that  your server does on behalf of
              clients, and only takes effect if Tor was  build  with  eventdns
              support.  (Default: 0)

DIRECTORY SERVER OPTIONS

       The  following  options are useful only for directory servers (that is,
       if DirPort is non-zero):

       AuthoritativeDirectory 0|1
              When this option is set to 1, Tor operates as  an  authoritative
              directory   server.    Instead  of  caching  the  directory,  it
              generates its own list of good servers, signs it, and sends that
              to the clients.  Unless the clients already have you listed as a
              trusted directory, you probably do not want to set this  option.
              Please coordinate with the other admins at tor-ops@freehaven.net
              if you think you should be a directory.

       V1AuthoritativeDirectory 0|1
              When this option is set in addition  to  AuthoritativeDirectory,
              Tor  also generates a version 1 directory (for Tor clients up to
              0.1.0.x).   (As  of  Tor  0.1.1.12  every   (v2)   authoritative
              directory still provides most of the v1 directory functionality,
              even without this option set to 1.  This however is expected  to
              change in the future.)

       VersioningAuthoritativeDirectory 0|1
              When  this  option  is  set  to 1, Tor adds information on which
              versions of Tor are still believed safe for use to the published
              directory.    Each   version  1  authority  is  automatically  a
              versioning authority; version 2 authorities provide this service
              optionally.  See RecommendedVersions, RecommendedClientVersions,
              and RecommendedServerVersions.

       NamingAuthoritativeDirectory 0|1
              When this option is set to 1, then the server advertises that it
              has  opinions  about  nickname-to-fingerprint bindings.  It will
              include these opinions in its published network-status pages, by
              listing  servers  with  the  flag  "Named"  if a correct binding
              between that nickname and fingerprint has been  registered  with
              the  dirserver.   Naming  dirservers  will  refuse  to accept or
              publish descriptors that contradict a registered  binding.   See
              approved-routers in the FILES section below.

       HSAuthoritativeDir 0|1
              When  this  option is set in addition to AuthoritativeDirectory,
              Tor  also  accepts  and  serves  hidden   service   descriptors.
              (Default: 0)

       DirPort PORT
              Advertise the directory service on this port.

       DirListenAddress IP[:PORT]
              Bind  the  directory  service  to this address. If you specify a
              port, bind to  this  port  rather  than  the  one  specified  in
              DirPort.  (Default:  0.0.0.0)  This  directive  can be specified
              multiple times to bind to multiple addresses/ports.

       DirPolicy policy,policy,...
              Set an entrance policy for this server, to limit who can connect
              to the directory ports.  The policies have the same form as exit
              policies above.

       RecommendedVersions STRING
              STRING is a  comma-separated  list  of  Tor  versions  currently
              believed to be safe. The list is included in each directory, and
              nodes which pull down the directory learn whether they  need  to
              upgrade.  This option can appear multiple times: the values from
              multiple lines are spliced together.   When  this  is  set  then
              VersioningAuthoritativeDirectory should be set too.

       RecommendedClientVersions STRING
              STRING  is  a  comma-separated  list  of  Tor versions currently
              believed to be safe for clients to  use.   This  information  is
              included  in version 2 directories.  If this is not set then the
              value of RecommendedVersions is used.  When  this  is  set  then
              VersioningAuthoritativeDirectory should be set too.

       RecommendedServerVersions STRING
              STRING  is  a  comma-separated  list  of  Tor versions currently
              believed to be safe for servers to  use.   This  information  is
              included  in version 2 directories.  If this is not set then the
              value of RecommendedVersions is used.  When  this  is  set  then
              VersioningAuthoritativeDirectory should be set too.

       DirAllowPrivateAddresses 0|1
              If  set  to 1, Tor will accept router descriptors with arbitrary
              "Address" elements. Otherwise, if the address is not an IP or is
              a  private IP, it will reject the router descriptor. Defaults to
              0.

       AuthDirBadExit AddressPattern...
              Authoritative directories only.  A set of address  patterns  for
              servers  that  will be listed as bad exits in any network status
              document this authority  publishes,  if  AuthDirListBadExits  is
              set.

       AuthDirInvalid AddressPattern...
              Authoritative  directories  only.  A set of address patterns for
              servers that will never be listed  as  "valid"  in  any  network
              status document that this authority publishes.

       AuthDirReject AddressPattern...
              Authoritative  directories  only.  A set of address patterns for
              servers that will never be listed at all in any  network  status
              document  that  this  authority  publishes, or accepted as an OR
              address in any descriptor  submitted  for  publication  by  this
              authority.

       AuthDirListBadExits 0|1
              Authoritative directories only.  If set to 1, this directory has
              some opinion about which nodes are  unsuitable  as  exit  nodes.
              (Do  not  set  this  to 1 unless you plan to list nonfunctioning
              exits as bad; otherwise, you are effectively voting in favor  of
              every declared exit as an exit.)

       AuthDirRejectUnlisted 0|1
              Authoritative  directories  only.   If  set  to 1, the directory
              server rejects  all  uploaded  server  descriptors  that  aren’t
              explicitly  listed  in  the  fingerprints  file.  This acts as a
              "panic button" if we get Sybiled. (Default: 0)

HIDDEN SERVICE OPTIONS

       The following options are used to configure a hidden service.

       HiddenServiceDir DIRECTORY
              Store data files for  a  hidden  service  in  DIRECTORY.   Every
              hidden service must have a separate directory.  You may use this
              option multiple times to specify multiple services.

       HiddenServicePort VIRTPORT [TARGET]
              Configure a virtual port VIRTPORT for a hidden service.  You may
              use this option multiple times; each time applies to the service
              using the most recent hiddenservicedir.  By default, this option
              maps  the  virtual  port to the same port on 127.0.0.1.  You may
              override the target port,  address,  or  both  by  specifying  a
              target of addr, port, or addr:port.

       HiddenServiceNodes nickname,nickname,...
              If  possible, use the specified nodes as introduction points for
              the hidden service. If this is left unset, Tor will be smart and
              pick some reasonable ones; most people can leave this unset.

       HiddenServiceExcludeNodes nickname,nickname,...
              Do  not  use  the specified nodes as introduction points for the
              hidden service. In normal use there is no reason to set this.

       PublishHidServDescriptors 0|1
              If set to 0, Tor will run any hidden services you configure, but
              it won’t advertise them to the rendezvous directory. This option
              is only useful if you’re using a  Tor  controller  that  handles
              hidserv publishing for you.  (Default: 1)

       RendPostPeriod N seconds|minutes|hours|days|weeks
              Every  time  the  specified  period  elapses,  Tor  uploads  any
              rendezvous service descriptors to the directory  servers.   This
              information  is also uploaded whenever it changes.  (Default: 20
              minutes)

SIGNALS

       Tor catches the following signals:

       SIGTERM
              Tor will catch this, clean up and sync to disk if necessary, and
              exit.

       SIGINT Tor  clients  behave  as with SIGTERM; but Tor servers will do a
              controlled slow  shutdown,  closing  listeners  and  waiting  30
              seconds  before  exiting.  (The delay can be configured with the
              ShutdownWaitLength config option.)

       SIGHUP The signal instructs Tor to reload its configuration  (including
              closing and reopening logs), fetch a new directory, and kill and
              restart its helper processes if applicable.

       SIGUSR1
              Log statistics about current connections, past connections,  and
              throughput.

       SIGUSR2
              Switch  all  logs  to loglevel debug. You can go back to the old
              loglevels by sending a SIGHUP.

       SIGCHLD
              Tor receives this signal when one of its  helper  processes  has
              exited, so it can clean up.

       SIGPIPE
              Tor catches this signal and ignores it.

       SIGXFSZ
              If  this signal exists on your platform, Tor catches and ignores
              it.

FILES

       /etc/tor/torrc
              The configuration file, which contains "option value" pairs.

       /var/lib/tor/
              The tor process stores keys and other data here.

       DataDirectory/cached-status/*
              The most recently downloaded network status  document  for  each
              authority.  Each file holds one such document; the filenames are
              the hexadecimal  identity  key  fingerprints  of  the  directory
              authorities.

       DataDirectory/cached-routers and cached-routers.new
              These  files  hold downloaded router statuses.  Some routers may
              appear more than  once;  if  so,  the  most  recently  published
              descriptor  is used.  The ".new" file is an append-only journal;
              when it gets too large,  all  entries  are  merged  into  a  new
              cached-routers file.

       DataDirectory/state
              A set of persistent key-value mappings.  These are documented in
              the file.  These include:
            - The current entry guards and their status.
            - The current bandwidth accounting  values  (unused  so  far;  see
            below).
            - When the file was last written
            - What version of Tor generated the state file
            - A short history of bandwidth usage, as produced  in  the  router
            descriptors.

       DataDirectory/bw_accounting
              Used to track bandwidth  accounting  values  (when  the  current
              period  starts  and  ends; how much has been read and written so
              far this period).  This file is obsolete, and the  data  is  now
              stored  in  the  ’state’ file as well.  Only used when bandwidth
              accounting is enabled.

       DataDirectory/control_auth_cookie
              Used for cookie authentication with the controller.  Regenerated
              on  startup.   See control-spec.txt for details.  Only used when
              cookie authentication is enabled.

       DataDirectory/keys/*
              Only used by servers.  Holds identity keys and onion keys.

       DataDirectory/fingerprint
              Only used by servers.  Holds the  fingerprint  of  the  server’s
              identity key.

       DataDirectory/approved-routers
              Only   for   naming   authoritative   directory   servers   (see
              NamingAuthoritativeDirectory).   This  file  lists  nickname  to
              identity bindings.  Each line lists a nickname and a fingerprint
              separated by whitespace.   See  your  fingerprint  file  in  the
              DataDirectory  for  an example line.  If the nickname is !reject
              then descriptors  from  the  given  identity  (fingerprint)  are
              rejected  by this server. If it is !invalid then descriptors are
              accepted but marked in the directory as not valid, that is,  not
              recommended.

       HiddenServiceDirectory/hostname
              The  <base32-encoded-fingerprint>.onion  domain  name  for  this
              hidden service.

       HiddenServiceDirectory/private_key
              The private key for this hidden service.

SEE ALSO

       privoxy(1), tsocks(1), torify(1)

       https://www.torproject.org/

BUGS

       Plenty, probably. Tor is still in development. Please report them.

AUTHORS

       Roger Dingledine <arma@mit.edu>, Nick Mathewson <nickm@alum.mit.edu>.
09/23/12

Free Bot-Nets Anyone

gAtO wAs - looking for code for bot’s to see how they work and I want to tell you it’s been kinda easy to find lots of bots…bots, code and DIY kits./ OK [1] below is the list of the Bots I found downloaded and playing with them to see how they work. Another part of this problem is it’s not just code and DIY kits, but code_mixer is a library that allows you to generate new Virus, undetectable to AV software. I also found different versions of Bots and different type of networks, IRC bots, http_bots, p2p_bots and on top of all this I found all kinds of discussions about how to make them ToR enable which has been going on for a while. Hiding a sophisticated c&c Bot-Master server in ToR ONION NETWORK IS EASY.

gAtOs –/ bot-net collection /–

I also wanted to know if these bot’s and code was not just old code stuff- well some is old by Internet years 2009 – that’s a long time in cyber pirate years but polymorphing code works no matter when it was created and it hides virus and worms really easy from AV systems especially if it’s a new version of the bots . Another thing I wanted to find is STUXNET, DUQU, FLAME SkyWriter and other famous Bots. Well I found samples of these — not just one but hundreds of version of these bot’s- and it was easy I included a list of some of the more newer bot codes.[2]…//

Oh I forgot ToR and Bots including  STUXNET, DUQU, FLAME SkyWriter and others do run in Tor onion network just check out the – insert date – First seen – Last seen – dates on this list . you may also check out —https://zeustracker.abuse.ch/statistic.php  — I found that my builder version showed that I had found Zeus 2.0.8.9 and is the number one version of zeus bot-net.  

One easy bot design is to use Tor2Web as a way to access a c&c server in Tor without running Tor on the infected client. The Tor network is getting more popular and people see that they can’t be caught in Tor so they are building lot’s of new Bots that run all over Tor – p2p and http and they are starting also new places like i2p networks and running bots—/   -gAtO oUt

[1] the list of Bots and code 

  1. _blackShades_4.8 Net -
  2. Black Pro _LostDoor v5.1
  3. BlackShade 4.8
  4. Blackshades NET v4.2
  5. Blackshades NET v3.8.1
  6. Blackshades_Archive
  7. Botnet Packet
  8. dark_Comet_1342319517
  9. ebookskayla-1
  10. G-Bot_1.7
  11. INCREDULiTY – ClientMesh
  12. ISR Stealer 0.4
  13. KnollKeylogger-1
  14. LostDoor Black Pro v5.1
  15. open source Exploit Pack
  16. optima10_ddos
  17. ProRat_v1.9 SE
  18. Spy-Net v2.7 Final
  19. SpyEye 1.3.45 Loader
  20. spyeye_tutorial
  21. Stuxnet_Laurelai-decompile-dump-2e11313
  22. Ultimate_Spy-Net v2.7 Final
  23. x_1ST-SECTION FILE INFECTOR, library+example,
  24. x_007
  25. x_arclib
  26. x_avp_troj
  27. x_code_mixer
  28. x_dscript
  29. x_eicar
  30. x_http ASM
  31. x_infecting *.HLP files (example/description)
  32. x_m1
  33. x_mistfall
  34. x_Mistfall.ZOMBIE-z10d
  35. x_pgpmorf1
  36. x_pgpmorf2
  37. x_tp_com
  38. x_zhello
  39. ZeuS 2.0.8-1.9
  40. Zeus collection
  41. ZBOT
  42. zeus 1.2.7.19
  43. ZeuS 2.0.8.9 – experimental
  44. Zeus Analysis Website

—[2] STUXNET, DUQU, FLAME SkyWriter and a few more bots in the wild check out the last seen date…

 

 

 

 

 

 

Flamer Bots  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
d73fe5f9f8dc2fc68aea57ba5c0353f4 2012-07-16 2012-06-07 09:11:15 2012-06-19 20:28:53 Win32/Flamer.A Win32:Skywiper- N [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Trojan:Win32/Fl ame.A!cert
06a84ad28bbc9365eb9e08c697555154 2012-06-26 2012-06-05 11:24:36 2012-06-08 12:08:30 Win32/Flamer.A Win32:Skywiper- K [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!D Armadillo v1.71
0a17040c18a6646d485bde9ce899789f 2012-06-20 2012-05-30 12:45:05 2012-06-29 21:10:27 a variant of Win32/Flamer.A Win32:Skywiper- H [Trj] HEUR:Worm.Win32 .Flame.gen Trojan.Flame.A Worm:Win32/Flam e.gen!A
581f2ef2e3ba164281b562e435882eb5 2012-06-20 2012-06-01 06:09:15 2012-06-08 21:49:22 Win32/Flamer.A Win32:Skywiper- E [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!A
5a002eb0491ff2b5f275a73f43edf19e 2012-06-20 2012-06-01 08:13:39 2012-06-29 21:15:07 Win32/Flamer.A Win32:Skywiper- E [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!A
7551635b101b63b215512b00d60e00f3 2012-06-20 2006-07-18 04:31:57 2012-06-20 04:19:30 probably a variant of Win32/Agent.IGOUUZX Win32:Trojan-ge n Backdoor.Win32. Bifrose.cgfb Trojan.DialUpPa sswordMailer.A Trojan:Win32/Du twiper Aspack ASPack v1.08.03
75de82289ac8c816e27f3215a4613698 2012-06-20 2012-06-01 06:17:01 2012-06-21 06:36:16 Win32/Flamer.A Win32:Skywiper- L [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!A
8ed3846d189c51c6a0d69bdc4e66c1a5 2012-06-20 2010-10-05 03:56:52 2012-06-21 06:21:20 Win32/Flamer.A Win32:Malware-g en Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!A
bddbc6974eb8279613b833804eda12f9 2012-06-20 2012-06-01 03:37:00 2012-06-21 06:23:32 Win32/Flamer.A Win32:Skywiper- K [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!D Armadillo v1.71
c09306141c326ce96d39532c9388d764 2012-06-20 2012-06-01 08:09:24 2012-06-21 06:43:33 Win32/Flamer.A Win32:Skywiper- L [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!A
cc54006c114d51ec47c173baea51213d 2012-06-20 2012-06-01 08:13:46 2012-06-01 10:05:08 Win32/Flamer.A Win32:Skywiper- E [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!C
e5a49547191e16b0a69f633e16b96560 2012-06-20 2012-05-30 14:22:32 2012-06-28 00:41:49 a variant of Win32/Flamer.A Win32:Skywiper- H [Trj] HEUR:Worm.Win32 .Flame.gen Trojan.Flame.A Worm:Win32/Flam e.gen!A
f0a654f7c485ae195ccf81a72fe083a2 2012-06-20 2012-05-28 14:37:54 2012-06-24 11:31:16 Win32/Flamer.A Win32:Skywiper- A [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!B
cb5 2012-06-19 2010-07-20 13:41:34 2012-06-24 11:30:50 Win32/Flamer.A Win32:Skywiper- I [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!A
0464e1fabcf2ef8b24d6fb63b19f1064 2012-06-18 2012-06-11 08:06:23 2012-06-11 08:06:23 Win32:Skywiper- A [Trj]
09d6740fd9be06cbb5182d02a851807d 2012-06-18 2012-06-11 08:14:24 2012-06-11 08:14:24 Win32:Skywiper- C [Trj]
780c5bc598054a365a75d10ac05a3157 2012-06-18 2012-06-11 07:50:56 2012-06-11 07:50:56 Win32:Skywiper- D [Trj]
cb98cca16865aa2330d2cf93fd6886ff 2012-06-18 2012-06-11 07:41:19 2012-06-11 07:41:19 Win32:Skywiper- E [Trj]
fac96cf0f5a43980635f6a6017a5edb0 2012-06-18 2012-08-04 06:42:23 2012-08-04 06:42:23 Win32:Skywiper- F [Trj]
bb4bf0681a582245bd379e4ace30274b 2012-06-16 2012-05-28 14:37:53 2012-07-25 19:03:03 Win32:Skywiper- D [Trj] Trojan.Generic. KDV.641104
Checked on VT at 2012-07-25 02:22:38

—DUQU Bot  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
2f5a23b67e6928d58df136fb3431c1a2 2012-08-27 2012-06-27 09:06:34 2012-06-27 09:06:34 Win32/Packed.ASProtect.CEC Win32:Duqu-L [Rtk] Trojan.Win32.Ge nome.fxan Backdoor.PCClie nt.1 Armadillo v1.xx – v2.xx
362b306967fa08fa204e968613c48b54 2012-08-27 2012-06-25 19:17:57 2012-06-25 19:17:57 a variant of Win32/PcClient.NDO Win32:Duqu-L [Rtk] Trojan.Win32.Ge nome.cfwz Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient Themida Xtreme-Protecto r v1.05
5a8b8b55e7d12bcaee50af462d70e4f1 2012-08-27 2012-03-23 03:56:59 2012-03-24 06:50:48 a variant of Win32/TrojanDropper.Delf.NXY Win32:Duqu-I [Rtk] Trojan-Dropper. Win32.Agent.wzj Trojan.Generic. 2087186 Backdoor:Win32/ Delf.RAN
71c91c34ef08b0222a7385a9fc91a156 2012-08-27 2010-01-07 16:30:15 2012-08-01 21:30:31 Win32:Duqu-L [Rtk] Trojan.Win32.Ge nome.ptdr Backdoor.PCClie nt.1 NSPack NsPacK V3.7 -> LiuXingPing
78efa3d89fa835c2d841ca021ba04f9a 2012-08-27 2012-06-20 16:29:55 2012-06-20 16:29:55 Win32/PcClient Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.akqr Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient NSPack
7e995e30b3c752d55708ba70b64c576d 2012-08-27 2012-07-01 03:18:29 2012-07-01 03:18:29 a variant of Win32/PcClient.NEK Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.eld Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient Malware_Prot.AJ
8fb8994eb25f35d1e4f62ab00871170b 2012-08-27 2011-11-30 06:35:32 2011-11-30 06:35:32 Win32/PcClient.NCD Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.eld Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient Malware_Prot.AJ
90fc2ddf9985d14d4252b016018852af 2012-08-27 2012-06-27 06:46:46 2012-06-27 06:46:46 a variant of Win32/PcClient Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.dire Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient
9a9e77d2b7792fbbddcd7ce05a4eb26e 2012-08-27 2011-11-02 03:07:36 2011-11-02 03:16:28 Win32/Duqu.A Win32:Malware-g en Trojan.Win32.In ject.bjyg Trojan.Generic. 6658401 Trojan:Win32/Hi deproc.G UPX_LZMA
9d00bebb4be61eb425ef8adfa05968fd 2012-08-27 2012-05-23 12:23:42 2012-05-27 21:59:18 a variant of Win32/PcClient.NBG Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.hnp Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient ASPack v2.12
9dc323e0595caf5e5152b6353c6c7b58 2012-08-27 2012-07-01 09:01:29 2012-07-01 09:01:29 a variant of Win32/PcClient.NEK Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.eld Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient Malware_Prot.AJ
b25cc61de1a0d2086356d7757b26e2ef 2012-08-27 2012-06-23 15:43:36 2012-06-23 15:43:36 Win32/PcClient.NBI Win32:Duqu-L [Rtk] Backdoor.Win32. Hupigon.bxjm Backdoor.PCClie nt.1 Backdoor:Win32/ Hupigon.ZQ.dll Aspack ASPack v2.12
bb9c97fe54b85179f9a83ca4cfdd24f3 2012-08-27 2012-07-02 11:06:55 2012-07-02 11:06:55 a variant of Win32/PcClient.NEK Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.eld Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient Malware_Prot.AJ
ca7b6963a5b45b67e1bfa1a0f415eb24 2012-08-27 2012-06-29 01:20:37 2012-06-29 01:20:37 Win32/PcClient.NCD Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.eld Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient Malware_Prot.AJ
5d8932237d14019ae81e97c5b8951ef8 2012-08-15 2012-08-18 11:59:04 2012-08-18 11:59:04 Win32:Duqu-L [Rtk] HEUR:Trojan.Win 32.Generic Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient NSPack
6416039108bd666f073d51db5328f6c9 2012-08-15 2012-08-18 14:07:59 2012-08-18 14:07:59 Win32:Duqu-L [Rtk] HEUR:Backdoor.W in32.Generic Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient ASPack v2.12
774c19f455cff3a443e7f3a58983a12b 2012-08-15 2012-08-18 18:18:21 2012-08-18 18:18:21 Win32:Duqu-I [Rtk] Backdoor.Win32. Hupigon2.ja Trojan.Generic. 826880 Backdoor:Win32/ Delf.RAN
b19fe4b53d01d2746eb83e9fddd1eb67 2012-08-15 2012-07-16 12:33:52 2012-07-16 12:33:52 Win32:Duqu-L [Rtk] HEUR:Backdoor.W in32.Generic Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient ASPack v2.12
f41b0a33d2ca4ba05a95b1a9a40e7e28 2012-08-15 2012-08-19 15:09:26 2012-08-19 15:09:26 Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.agyu Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient
2f4e30a497ae6183aabfe8ba23068c1b 2012-06-20 2012-06-11 17:02:50 2012-07-15 11:59:26 Win32/Stuxnet.A Win32:Malware-g en Worm.Win32.Stux net.v Win32.Worm.Stux net.E embedded  

 

 

 

 

the

 

—zeus  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
0a295bb2cbb44d9ba2e18bbfeb511d1d 2012-08-27 2011-02-24 10:59:09 2012-05-12 09:37:44 WinCE/Zbot.A Win32:Malware-g en Trojan-Spy.WinC E.Zitmo.a Backdoor.Bot.13 4855 Trojan:WinCE/Zi tmo.A
2b2dcecfd882efb2100ce28d09c89f75 2012-08-27 2009-01-30 05:49:27 2009-07-02 06:23:46 a variant of Win32/Spy.Zbot.JF Win32:Zbot-BCW Trojan.Spy.Zeus .C PWS:Win32/Zbot
33a6fef6d2487a95af539e532be424b2 2012-08-27 2011-09-03 03:28:17 2012-02-21 21:41:11 a variant of Win32/Zeus.B Win32:Malware-g en Backdoor.Win32. BotNet.ac Gen:Variant.Kaz y.8986 PWS:Win32/Zbot. TV UPX UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
4153a07347b3bdf74b527e51cc63a843 2012-08-27 2010-05-16 15:01:27 2010-05-18 21:58:47 a variant of Win32/Spy.Agent.PZ Win32:Zbot-gen Trojan-Spy.Win3 2.Zbot.myj Trojan.Spy.Zeus .1.Gen PWS:Win32/Zbot. gen!A
4fe9b3febda0dd9e8f89ed29b1a39560 2012-08-27 2012-03-27 07:25:01 2012-03-28 09:48:26 a variant of Win32/Spy.Agent.PZ Win32:Susn-G [Trj] Trojan-Spy.Win3 2.Zbot.roh Trojan.Spy.Zeus .1.Gen PWS:Win32/Zbot. GA
7b470095ce2887377e6f9e37fd0471dc 2012-08-27 2012-06-30 09:12:53 2012-06-30 09:12:53 a variant of Win32/Spy.Agent.PZ Win32:Zbot-gen [Trj] Trojan-Spy.Win3 2.Zbot.roh Trojan.Spy.Zeus .1.Gen PWS:Win32/Zbot. GA
831d2fdb9ad258f68ce5924b1feac10a 2012-08-27 2011-10-17 02:49:20 2012-04-30 22:09:54 a variant of Win32/Spy.Agent.PZ Win32:Susn-G [Trj] Trojan-Spy.Win3 2.Zbot.roh Trojan.Spy.Zeus .1.Gen PWS:Win32/Zbot. GA
9eb88298f93809ea7d733e29bb3d466b 2012-08-27 2007-11-16 20:51:16 2011-08-09 00:18:04 a variant of Win32/Spy.Agent.PZ Win32:Tibs-BND [Trj] Trojan-Spy.Win3 2.Zbot.adj Trojan.Spy.Zeus .2.Gen PWS:Win32/Zbot. gen!B
9faf0c526795ee01839ecb51074dd7ae 2012-08-27 2012-06-23 06:47:46 2012-06-23 06:47:46 a variant of Win32/Spy.Agent.PZ Win32:Tibs-BNF [Trj] Trojan-Spy.Win3 2.Zbot.adj Trojan.Spy.Zeus .2.Gen PWS:Win32/Zbot. gen!B
a05211df243da8a9e628b4767aafc989 2012-08-27 2007-11-17 13:55:10 2011-08-08 23:43:09 Win32/Spy.Agent.NDY Win32:Zbot-AG [Trj] Trojan-Spy.Win3 2.Zbot.po Trojan.Spy.Zeus .2.Gen PWS:Win32/Zbot. gen!B
aa874f7c37962240569ff35a030c2e71 2012-08-27 2012-06-26 08:59:57 2012-06-26 08:59:57 a variant of Win32/Kryptik.OV Win32:Zbot-FS [Trj] Trojan-Spy.Win3 2.Zbot.xw Trojan.Spy.Zeus .1.Gen PWS:Win32/Zbot. gen!B
b484264bca4286f65d5cb68efefa9dc4 2012-08-27 2008-08-22 19:29:43 2009-01-08 08:22:34 Trojan.Spy.Zeus .1.Gen TrojanSpy:Win32 /Zbot.gen!C
c38412218981ddc0cd93d5d98971a781 2012-08-27 2009-12-19 06:17:33 2009-12-31 15:13:34 a variant of Win32/Spy.Zbot.UN Win32:Zbot-BCW Trojan-Spy.Win3 2.Zbot.aadb Trojan.Spy.Zeus .C PWS:Win32/Zbot. gen!R
c4905c4610b9c2992bc395429b7365ab 2012-08-27 2009-09-04 15:24:05 2009-09-04 15:24:05 Win32:Zbot-BCW Heur.Trojan.Gen eric Trojan.Spy.Zeus .C PWS:Win32/Zbot. gen!R
c70db2b312a23e11b5e671cac70db98f 2012-08-27 2008-02-19 12:29:14 2012-02-19 14:34:25 PS/MPC-Zeus-753 Virus.DOS.PS-MP C-based PS-MPC.0753.DN. Gen Virus:DOS/PSMPC .753
d16a1870603a0f7111c64584e6eb5deb 2012-08-27 2012-02-20 19:36:30 2012-03-02 01:50:10 Win32/PSW.Agent.NTM Win32:Zeus-A [Trj] Trojan.Win32.Ag ent2.fadw Gen:Variant.Zlo b.1 PWS:Win32/Farei t.gen!C
d1db75d0b93b0f1bda856242c8ab1264 2012-08-27 2009-10-15 20:31:08 2009-10-17 14:14:20 a variant of Win32/Spy.Zbot.UN Win32:Zbot-BCW Heur.Trojan.Gen eric Trojan.Spy.Zeus .C PWS:Win32/Zbot. QA
d5a75c535b33fc09f1ab6e181d59fc84 2012-08-27 2011-06-18 10:59:14 2011-12-09 01:49:01 a variant of Win32/Spy.Zbot.XO Win32:Zbot-ATL [Trj] Trojan-Spy.Win3 2.Zbot.roh Trojan.Spy.Zeus .1.Gen PWS:Win32/Zbot. C
e806cfe7d3257bf61f5b95215e3ec23e 2012-08-27 2012-06-23 03:56:28 2012-06-23 03:56:28 a variant of Win32/Spy.Agent.PZ Trojan-Spy.Win3 2.Zbot.adj Trojan.Spy.Zeus .2.Gen PWS:Win32/Zbot. gen!B
078b7684cbc5cd14770fb2c842ece7e4 2012-08-15 2012-08-04 03:55:52 2012-08-09 17:09:00 Win32:Susn-G [Trj] Trojan-Spy.Win3 2.Zbot.roh

—gBot  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
0017c17069fcd00a8c13e2e1bb955494 2012-08-27 2011-11-16 12:17:45 2011-12-14 17:33:12 a variant of Win32/Kryptik.VNB Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.rtt Trojan.Generic. 6903230 Backdoor:Win32/ Cycbot.G
0033496f9baa6c05dc709db64a7b8cef 2012-08-27 2011-11-19 12:30:08 2011-12-16 01:08:42 a variant of Win32/Kryptik.VZB Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.rwf Trojan.Generic. 6914846 Backdoor:Win32/ Cycbot.G
00392a6a7919d425e512c4466984f8f3 2012-08-27 2011-10-05 04:29:14 2011-11-29 18:00:26 a variant of Win32/Kryptik.TEV Win32:Cybota [Trj] Backdoor.Win32. Gbot.osk Gen:Variant.Kaz y.38517 Backdoor:Win32/ Cycbot.G
004ed94e35b42f7b76fb4b729573a123 2012-08-27 2012-01-13 03:41:13 2012-02-11 12:53:50 a variant of Win32/Kryptik.YBH Win32:Cybota [Trj] Backdoor.Win32. Gbot.qwk Gen:Variant.Kaz y.50582 Backdoor:Win32/ Cycbot.G
00b66b966778139c0b83721c5e307695 2012-08-27 2011-11-24 01:24:42 2012-01-02 23:04:36 Win32/Cycbot.AF Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.qwn Gen:Heur.Kelios .1 Backdoor:Win32/ Cycbot.G
00c789e5ae793c6be65482d4b472f0f0 2012-08-27 2011-11-18 16:42:21 2011-12-15 14:43:24 Win32/Cycbot.AK Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.rvk Backdoor.Bot.14 6893 Backdoor:Win32/ Cycbot.G
00daf7e9577d84c5949439b02f11af74 2012-08-27 2011-03-23 02:31:51 2011-07-20 22:11:40 Win32/Cycbot.AF Win32:Cybota [Trj] Backdoor.Win32. Gbot.aed Gen:Trojan.Heur .KS.1 Backdoor:Win32/ Cycbot.B
00ddbd4723ec6394f278fd5d3275a952 2012-08-27 2012-02-02 18:46:53 2012-03-29 17:13:40 Win32/Cycbot.AK Win32:Cybota [Trj] Backdoor.Win32. Gbot.qwt Gen:Variant.Kaz y.53272 Backdoor:Win32/ Cycbot.G
00deb18fb207bc020a30ff7b7550f279 2012-08-27 2011-03-19 21:01:29 2011-07-12 08:53:49 a variant of Win32/Kryptik.LOJ Win32:Cybota [Trj] Backdoor.Win32. Gbot.adk Gen:Trojan.Heur .KS.1 Backdoor:Win32/ Cycbot.B
00e762e7fe180b096207c7b72f608cc3 2012-08-27 2012-06-20 11:30:59 2012-06-20 11:30:59 a variant of Win32/AGbot.V Win32:SdBot-FJH [Trj] Backdoor.Win32. SdBot.ozd Gen:Win32.IRC-B ackdoor.fmW@aih z9oj Backdoor:Win32/ Gaertob.A Armadillo v1.71
00f3359898621f36a5251759a3a89495 2012-08-27 2011-11-11 20:35:02 2011-11-16 04:05:08 Win32/Adware.WinAntiVirus.AD Win32:Gbot-M [Trj] Trojan-Download er.Win32.Fdvm.b Application.Gen eric.386031 Trojan:Win32/Si refef.P
00f83d49831dc202e04478f670b96d50 2012-08-27 2011-12-14 07:28:20 2011-12-14 07:28:20 Win32/Cycbot.AF Win32:Cybota [Trj] Backdoor.Win32. Gbot.qmi Backdoor.Gbot.I Backdoor:Win32/ Cycbot.G
00fc1e69ca9031e5c47dfcde78dc0537 2012-08-27 2011-09-09 05:34:05 2012-02-11 20:04:14 a variant of Win32/Kryptik.RWA Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.iag Gen:Variant.Kaz y.34336 Backdoor:Win32/ Cycbot.G
0117b98cb2114c51c4d51831820cc8e4 2012-08-27 2011-04-02 06:56:59 2011-07-21 00:22:16 Win32/Cycbot.AF Win32:Cybota [Trj] Backdoor.Win32. Gbot.ahq Trojan.Generic. KD.163287 Backdoor:Win32/ Cycbot.B
016d69d4cbd779b63bb6927fa9c19730 2012-08-27 2012-03-10 20:03:49 2012-04-30 20:29:18 a variant of Win32/Kryptik.SUP Win32:Cybota [Trj] Backdoor.Win32. Gbot.oep Gen:Heur.Conjar .5 Backdoor:Win32/ Cycbot.G
0189fd7b339df01d4a4be1113520ad46 2012-08-27 2010-02-19 22:20:06 2012-06-09 04:12:35 a variant of MSIL/TrojanDropper.Agent.JF Win32:Malware-g en Trojan-Dropper. MSIL.Agent.fws Trojan.Generic. 3812196 VirTool:Win32/O bfuscator.NC
01e118c11c4145710ff1801f34a44bc7 2012-08-27 2012-07-05 15:25:49 2012-07-05 15:25:49 a variant of Win32/Kryptik.ACYA Win32:MalOb-IF [Cryp] Backdoor.Win32. Gbot.wkt Gen:Variant.Bar ys.3481 TrojanDownloade r:Win32/Carberp .C
021817e91793fa15bee2937fe2befddd 2012-08-27 2011-12-06 03:55:36 2012-01-03 16:39:38 a variant of Win32/Kryptik.VCE Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.qxq Gen:Variant.Kaz y.42337 Backdoor:Win32/ Cycbot.G
0229d3256bd2309f1d581533febdc1e7 2012-08-27 2012-01-31 17:40:43 2012-02-21 13:59:28 a variant of Win32/Kryptik.UVF Win32:KadrBot [Trj] Trojan.Win32.Jo rik.ZAccess.no Gen:Variant.Kaz y.41897 Trojan:Win32/Si refef.J
0296357c2952eafb29b2edeaf776a787 2012-08-27 2011-09-13 21:55:14 2012-02-12 16:34:09 a variant of Win32/Kryptik.RLK Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.epv Gen:Variant.Kaz y.33354 Backdoor:Win32/ Cycbot.G

 

—spyeye  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
004df992aa00f6a83388aeb55cf806bb 2012-08-27 2012-03-17 18:33:21 2012-04-25 11:55:35 a variant of Win32/Kryptik.VMB Win32:MalOb-IV [Cryp] HEUR:Trojan.Win 32.Generic Gen:Variant.Kaz y.43891 Trojan:Win32/Dy namer!dtc
0050771f197d912b1fd2767c9b07b0d9 2012-08-27 2012-01-22 05:30:06 2012-01-22 05:30:06 Win32:MalOb-IJ [Cryp] HEUR:Trojan.Win 32.Generic Gen:Variant.Kaz y.46466
0055add5c7c8778b1e97e0bc2cdb34fd 2012-08-27 2011-04-05 09:52:34 2012-08-17 14:32:46 Win32:Karagany- E [Trj] Trojan-Spy.Win3 2.SpyEyes.gaf Gen:Variant.Kaz y.154 TrojanDownloade r:Win32/Karagan y.A
00881bfd664c40bd17f00da4e2b1707e 2012-08-27 2012-01-30 20:45:05 2012-03-25 16:25:27 Win32/Ramnit.A Win32:Vitro HEUR:Trojan.Win 32.Generic Gen:Heur.FKP.1 Trojan:Win32/Ra mnit.A
009f01b994bd6211d8b79775decc5854 2012-08-27 2012-06-25 07:23:14 2012-06-25 07:23:14 Win32/Spy.SpyEye.CA Win32:Regrun-JI [Trj] Trojan.Win32.Me nti.kxpm Trojan.Generic. 6382824 Trojan:Win32/Ey eStye.N Armadillo v1.71
00bbce9dac6dec8f16547da20c09594c 2012-08-27 2011-11-11 04:55:40 2011-11-11 04:55:40 a variant of Win32/AutoRun.Injector.AM Win32:Spyeye-ZL [Trj] HEUR:Trojan.Win 32.Generic Worm.Generic.35 0922 Armadillo v1.71
00db3ed3ba79dcc6627b13f5c0557f46 2012-08-27 2012-06-25 13:26:56 2012-06-25 13:26:56 a variant of Win32/Kryptik.HJW Win32:Zbot-MVW [Trj] Trojan-Download er.Win32.Piker. cqy Gen:Variant.Kaz y.1690 TrojanDownloade r:Win32/Bredola b.AC
00ffd9a941c6fe8d57210bf82c674943 2012-08-27 2011-06-26 15:23:06 2011-07-19 07:46:49 Win32/Bamital.FA Win32:Trojan-ge n Trojan.Win32.Of icla.nbt Trojan.Generic. KD.225389 Trojan:Win32/Me redrop UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
012cca77918ab828662e9b726c97319c 2012-08-27 2011-11-03 13:55:46 2012-01-28 16:05:29 a variant of Win32/Injector.KLZ Win32:Spyeye-YV [Trj] Trojan.Win32.In ject.bpoa Gen:Variant.Gra ftor.3243 VirTool:Win32/D elfInject.gen!C M
01341c165ed887fa134250750b2218c4 2012-08-27 2011-12-15 08:45:54 2012-01-19 04:40:25 Win32/AutoRun.Spy.Banker.M Win32:Spyware-g en [Spy] Trojan-Dropper. Win32.Dapato.sd d Trojan.Generic. KDV.479801 Worm:Win32/Crid ex.B Armadillo v1.71
014e076ae37f2e5e612ae748dd9e4177 2012-08-27 2011-11-11 03:24:24 2011-11-24 20:34:32 a variant of Win32/Injector.JMN Win32:Crypt-KLY [Trj] Trojan.Win32.Bu zus.iofc Trojan.Generic. 6686401 TrojanDropper:W in32/Sirefef.B
01525755f4b3c800560bdc4ac3c80cbd 2012-08-27 2011-03-09 19:58:13 2011-03-19 04:41:56 a variant of Win32/Injector.FBK Win32:Spyware-g en Trojan-Spy.Win3 2.SpyEyes.fqu Trojan.Generic. KDV.152375
019f9a5668d3de770f4c0a741a4f0c4a 2012-08-27 2012-03-28 01:18:38 2012-03-28 05:03:51 a variant of Win32/Injector.KCP Win32:Regrun-JI [Trj] HEUR:Trojan.Win 32.Generic Gen:Variant.Gra ftor.1584 Armadillo v1.71
01b36ef0ca621293f6c74c7b2950946a 2012-08-27 2012-01-06 23:55:08 2012-06-07 08:19:28 Win32/AutoRun.IRCBot.HO Win32:Malware-g en Trojan-Dropper. Win32.Injector. boyd Backdoor.Agent. ABAV Worm:Win32/Phor piex.B
01ceff3646dd40eaa11ed4cf7a75d495 2012-08-27 2012-03-21 00:04:37 2012-03-22 04:53:17 a variant of Win32/Kryptik.ACTR Win32:Spyeye-AC T [Trj] Trojan-FakeAV.W in32.Agent.dks Gen:Variant.Bre do.21 Rogue:Win32/Win websec
01d1d9f8c314a19e9f5cc7dc06693ea5 2012-08-27 2012-06-20 01:29:52 2012-06-20 01:29:52 Win32:Spyeye-WC [Trj] Trojan.Win32.Ge nome.acnzw Gen:Variant.Kaz y.37631 VirTool:Win32/O bfuscator.TT
01ef0b349a8b2c598f24fad77bb7d506 2012-08-27 2012-06-27 04:01:59 2012-06-27 04:01:59 a variant of Win32/Kryptik.HCV Win32:Malware-g en Trojan-Spy.Win3 2.SpyEyes.evw Trojan.Generic. KD.45757 Rogue:Win32/Win websec
02084edaa51e7bd688fc95c0ae86a29a 2012-08-27 2011-11-18 19:01:09 2011-11-21 15:55:16 a variant of Win32/Injector.KTW Win32:Spyeye-ZI [Trj] Trojan-Spy.Win3 2.SpyEyes.qmg Trojan.Generic. KDV.399472 Trojan:Win32/Or sam!rts
022abced09dc8142069c88ce2ee06e55 2012-08-27 2012-06-22 23:18:26 2012-06-22 23:18:26 Win32/Spy.SpyEye.CA Win32:Zbot-NES [Trj] Net-Worm.Win32. Koobface.jcb Gen:Variant.Kaz y.25416
0234f794047645d090a47550cf229bd4 2012-08-27 2012-04-08 05:38:21 2012-06-13 10:50:56 probably a variant of Win32/Injector.KNA Win32:Malware-g en HEUR:Trojan.Win 32.Generic Gen:Trojan.Heur .VP2.eu0baiVzqp ii VirTool:Win32/V BInject.UG ASPack v2.12

 

—AVP  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
00ada89f87db0db0f3939271c34f865e 2012-08-27 2008-09-18 18:15:52 2009-04-27 12:34:23 probably a variant of Win32/Adware.RogueApp Win32:Adware-ge n not-a-virus:Fra udTool.Win32.Ag ent.r Adware.AntivirP rotection.A Program:Win32/A ntivirusProtect ion
0106605d11d29384522bfa17164fd943 2012-08-27 2012-03-22 10:32:32 2012-03-22 21:11:40 Win32:Dialer-AV P [Trj] Trojan.Win32.Di aler.qn Trojan.Mezzia.G en Trojan:Win32/Ad ialer.OP
014596c2ff3198b690bf2f3debcb0711 2012-08-27 2011-12-03 03:58:24 2011-12-05 21:04:13 Win32/Spy.Zbot.YW Win32:Trojan-ge n Trojan-Spy.Win3 2.Zbot.coxf Trojan.Spy.Zbot .ETB PWS:Win32/Zbot UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
01b37e56720a5bf5a85c103878100388 2012-08-27 2012-06-11 04:52:22 2012-06-11 04:52:22 Win32/Kryptik.AGSY Win32:Kryptik-I XH [Trj] Trojan-Spy.Win3 2.Zbot.dyuc Trojan.Agent.AV PE
01cd13a561ff5396604b8718e911b49f 2012-08-27 2011-11-17 13:29:53 2012-07-25 21:46:15 Win32:Trojan-ge n Trojan-Spy.Win3 2.Zbot.coxf Trojan.Spy.Zbot .ETB PWS:Win32/Zbot UPX UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
01f699ef8a648642084f7d665c3c265e 2012-08-27 2011-10-15 19:56:04 2011-10-25 08:10:00 Win32/Olmarik.AVP Win32:Alureon-A FI [Trj] HEUR:Trojan.Win 32.Generic Gen:Variant.Kaz y.27650 Trojan:Win32/Al ureon.DX
0267027dd9091a7054ff9c46384c6654 2012-08-27 2012-02-04 10:24:19 2012-03-31 17:43:08 a variant of Win32/Kryptik.YVK Win32:MalOb-JA [Cryp] Gen:Variant.Kaz y.52638 Rogue:Win32/Fak eRean
03ceb31131f1a47c1388e9c8a53feca0 2012-08-27 2010-08-10 20:27:10 2011-02-05 09:10:23 a variant of Win32/Injector.CLG Win32:Malware-g en Trojan-Download er.Win32.Banloa d.bekw Worm.Generic.27 2239 TrojanSpy:Win32 /Swisyn.B
05740edf8ef59dfdcb3660b35e76052c 2012-08-27 2010-06-02 22:16:22 2012-08-01 23:09:46 Win32:Rootkit-g en [Rtk] Trojan.Win32.Sw isyn.avpt Trojan.Generic. KD.14612 Trojan:Win32/Tr ufip!rts Armadillo v1.71
06daf98aa5504f124d1f19bb23d8aa2b 2012-08-27 2012-02-20 01:00:55 2012-02-20 01:00:55 a variant of Win32/Kryptik.YMJ Win32:MalOb-IG [Cryp] Trojan.Win32.Fa keAV.kbsd Gen:Variant.Kaz y.51804 Rogue:Win32/Fak eRean
07837d8689d093ddfb90e0e873a40403 2012-08-27 2012-02-06 12:01:38 2012-08-04 03:14:45 Win32:FakeAlert -EM [Trj] Trojan-FakeAV.W in32.VirusDocto r.v Gen:Variant.Urs nif.2 Rogue:Win32/Fak eVimes
07ca5974da6c583b74870b97ca4418ba 2012-08-27 2011-02-04 10:40:03 2012-05-10 04:07:38 a variant of Win32/Spy.VB.NJM Win32:VB-QXQ [Spy] Trojan.Win32.VB Krypt.bavp Gen:Trojan.Heur .fm0@s5JEYbfih Trojan:Win32/Bu mat!rts
087347abfd1f071bcbd9ed2cd83742c3 2012-08-27 2011-11-15 22:10:35 2011-12-16 17:26:10 a variant of Win32/Agent.TCI Win32:Crypt-KWZ [Trj] HEUR:Trojan.Win 32.Generic Gen:Variant.Buz y.4378 Trojan:Win32/In ject.AL
089204eee8ae33f0301b90c43c55aef4 2012-08-27 2011-11-15 12:43:41 2011-12-06 23:11:43 a variant of Win32/Kryptik.VPK Win32:Gbot-M [Trj] Trojan-FakeAV.W in32.OpenCloud. p Trojan.Generic. 6850089 Rogue:Win32/Fak eScanti
09ee083b59b68fa0807dde46be7938a4 2012-08-27 2011-03-19 05:31:23 2011-03-20 00:07:52 Win32/Sirefef.C Win32:Delf-OHT Trojan.Win32.Fa keAV.avpj Trojan.Generic. KD.138388 Worm:Win32/Sire fef.gen!A
0a58fdc81e8bb0e2be92c805846f082e 2012-08-27 2012-01-28 19:43:01 2012-01-28 19:43:01 a variant of Win32/Kryptik.ZAZ Win32:ZAccess-E F [Trj] HEUR:Trojan.Win 32.Generic Gen:Variant.Kaz y.53282 Rogue:Win32/Fak eRean
0aa08ce7021f950a13167728fe7386a6 2012-08-27 2012-03-24 13:06:08 2012-05-30 19:28:26 a variant of Win32/Injector.PLK Win32:Crypt-MCG [Trj] HEUR:Trojan.Win 32.Generic Trojan.Generic. 7394229 Worm:Win32/Nayr abot.gen!A
0b3daa6dcf816fa34179197d6be16c21 2012-08-27 2012-01-17 00:16:22 2012-02-01 14:32:17 a variant of Win32/Kryptik.ZAZ Win32:ZAccess-E F [Trj] Trojan.Win32.Fa keAV.kmpm Gen:Variant.Kaz y.53282 Rogue:Win32/Fak eRean
0ce67f90dd1a936cbc08a6dea0e4d8ae 2012-08-27 2011-11-17 02:06:29 2012-02-09 06:37:16 a variant of Win32/Agent.TCI Win32:Crypt-KWZ [Trj] HEUR:Trojan.Win 32.Generic Gen:Variant.Buz y.4378 Trojan:Win32/In ject.AL
0cf1f914d2805a4cafa33ba9088424a2 2012-08-27 2012-01-17 13:30:31 2012-01-17 13:30:31 a variant of Win32/Kryptik.YWV Win32:Downloade r-MHD [Trj] Trojan.Win32.Fa keAV.kjsd Gen:Variant.Gra ftor.12856 Rogue:Win32/Fak eRean

 

—EICAR  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
14eb13beba07c82ba1851bce503cb034 2012-08-27 2011-09-06 11:15:30 2011-12-17 19:44:11 Eicar test file EICAR Test-NOT virus!!! EICAR-Test-File EICAR-Test-File (not a virus) Virus:DOS/EICAR _Test_File
16f8c3d67250837bc2e400ad19e0b72a 2012-08-27 2012-08-10 18:19:02 2012-08-15 16:50:23 BV:BVCK-gen3 P2P-Worm.BAT.Co pybat.ag UPX, PKLITE
2c64f48e5135fbaa944172202d236c7d 2012-08-27 2006-06-01 07:00:05 2012-08-20 00:47:44 EICAR Test-NOT virus!!! EICAR-Test-File EICAR-Test-File (not a virus) Virus:DOS/EICAR _Test_File
317c6356b04926b4cf107df145289435 2012-08-27 2010-12-14 12:22:14 2012-08-12 02:15:31 AntiAVP-Avbad [Trj] Trojan.DOS.Avba d Trojan.Avbad.A Trojan:DOS/Avba d LZEXE, PKLITE
5c770e1490835247d0a541474ee51c50 2012-08-27 2012-07-26 12:10:50 2012-07-27 20:06:32 EICAR Test-NOT virus!!! EICAR-Test-File
5e67103aa3baadde488fc8a66915610e 2012-08-27 2012-02-07 23:35:55 2012-04-07 06:45:15 EICAR-Test-File Virus:DOS/EICAR _Test_File
613a4ae52be7190a18c340f0ffa78fbd 2012-08-27 2012-07-21 14:15:28 2012-07-24 20:16:28 EICAR Test-NOT virus!!! EICAR-Test-File
67cafd0c5fb22dc93815700230d368c3 2012-08-27 2012-07-26 12:19:57 2012-07-27 20:06:19 EICAR Test-NOT virus!!! EICAR-Test-File
72015abc47f25b8f624a0b1b2eb3ebe0 2012-08-27 2012-01-30 00:23:27 2012-04-18 14:37:09 EICAR Test-NOT virus!!! HEUR:Trojan.Win 32.Generic Trojan.Generic. 7358064 Virus:DOS/EICAR _Test_File
79449529d738e9a3ef5893efaf048da5 2012-08-27 2012-07-26 12:27:02 2012-07-27 20:05:41 EICAR Test-NOT virus!!! EICAR-Test-File
82a83e6e1799f3886123614014ef07f4 2012-08-27 2012-07-21 15:02:40 2012-07-24 19:45:51 EICAR Test-NOT virus!!! EICAR-Test-File
934162a08d4a38711083345ef0b57d14 2012-08-27 2008-03-22 05:39:27 2012-05-16 01:40:33 EICAR-Test-File Virus:DOS/EICAR _Test_File
9590348417ce24e4c1d0e1d8af4c4939 2012-08-27 2012-08-04 04:10:00 2012-08-09 00:43:00 EICAR Test-NOT virus!!! EICAR-Test-File Virus:BAT/Mouse Disable.D
96cb4955ea6bab5f3c8524528401413c 2012-08-27 2009-11-30 16:14:16 2011-09-07 03:48:37 probably a variant of Win32/Agent.XRUNPA Win32:Malware-g en Trojan.Win32.Ge nome.qcad Trojan.Generic. 3199186 Trojan:Win32/Me redrop
a27ee916c22a51179c9e2f1ae67aa7eb 2012-08-27 2012-07-21 16:02:15 2012-07-24 19:45:21 EICAR Test-NOT virus!!! EICAR-Test-File
a911a87a26153abe77c3b25c28615218 2012-08-27 2010-09-02 12:41:52 2010-09-02 23:44:58 Win32:Malware-g en Trojan.Win32.Co smu.dry Dropped:EICAR-T est-File (not a virus)
ac2ff734c993884834c5bb820d21f3f1 2012-08-27 2011-11-19 09:10:49 2012-07-30 18:46:08 EICAR Test-NOT virus!!! EICAR-Test-File
b07e6f95ddf91415897164d7b3eb4736 2012-08-27 2011-10-05 23:16:00 2011-10-05 23:16:00 Trojan.Script.7 133
c29bc4713727d469886ea655115dd177 2012-08-27 2012-08-04 04:28:58 2012-08-08 21:33:18 BV:Malware-gen IRC-Worm.BAT.Ge neric Trojan.Batzz99. A Virus:BAT/Adiou s.A embedded
c9357c00c4da9e9fd8add93e917c57c6 2012-08-27 2012-07-21 17:35:39 2012-07-26 20:06:19 EICAR Test-NOT virus!!!

 

 

—mistfall  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
31484725213be800bc1d69cb0ece77aa 2012-08-27 2012-08-10 18:00:33 2012-08-13 13:48:27 Win32:Mistfall [Tool] VirTool.Win32.M istfall VirTool:Win32/M istfall
50e4913a0d73f61279101d08a6e983a5 1970-01-01 2006-06-11 16:14:34 2012-04-15 22:14:43 Win32/VirTool.Mistfall Win32:Mistfall [Tool] VirTool.Win32.M istfall VirTool:Win32/M istfall

 

 

 

 

 

—rBot =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
2af4783aba321f53082085e8937b2567 2012-08-28 2012-07-11 23:52:26 2012-08-26 04:26:41 Win32:Virtob Backdoor.Win32. Rbot.adqd Trojan.Generic. 5333379 Virus:Win32/Vir ut.AC
865915650a85e7c27cdd11850a13f86e 2012-08-28 2006-09-03 07:01:30 2012-06-17 17:26:56 Win32/Rbot Win32:Rbot-GKN [Trj] Net-Worm.Win32. Kolab.aefe IRC-Worm.Generi c.22084 Backdoor:Win32/ Rbot
00157f6de1c95255bb781e45088d9a21 2012-08-27 2012-06-24 18:13:49 2012-06-24 18:13:49 Win32/Rbot.YM Trojan.Win32.Ge nome.dnsq IRC-Worm.Generi c.15028 Backdoor:Win32/ Rbot
0024542e9282e2fe0c0ca9b0c0b6f43a 2012-08-27 2012-02-18 10:11:27 2012-04-16 16:12:13 Win32/Virut.NBP Win32:Rbot-GQG [Trj] Backdoor.Win32. LolBot.xzd Worm.Generic.29 8540 Trojan:Win32/Fa kefolder.B
002984263e0d36042f0a4e613f9b9b46 2012-08-27 2009-02-24 07:24:34 2009-02-24 07:24:34 probably a variant of Win32/Rbot Win32:Trojan-ge n {Other} Backdoor.Win32. Rbot.fat Backdoor.Bot.17 676 ASProtect v1.23 RC1
002d88dc3184ac1cc52018a4a34d02c4 2012-08-27 2011-09-15 04:06:24 2011-09-15 04:06:24 a variant of Win32/Injector.IIQ Win32:Sality Worm.Win32.Ngrb ot.cnh Trojan.Generic. KDV.304762 Worm:Win32/Dork bot.gen!A Armadillo v1.71
00423373be53630ab1ceea85fa574939 2012-08-27 2011-04-02 04:52:43 2012-08-17 14:22:42 Trojan.Generic. 6907346 Backdoor:Win32/ Rbot.gen!G
00492917b6eb3d9c6d62f86f9acc6bce 2012-08-27 2012-06-25 00:19:05 2012-06-25 00:19:05 Backdoor.Win32. Rbot.umw Backdoor.Bot.60 974 Dev-C++ 4.9.9.2 -> Bloodshed Software
0052a28dc60cac68b54ddf8f02d5aa5d 2012-08-27 2010-07-18 23:41:47 2010-07-18 23:41:47 a variant of Win32/Packed.Themida Gen:Trojan.Heur .RqX@5Gy!Zup Backdoor:Win32/ Bifrose.gen!C
0066ad4c5a1206fb6563a285f2ce14a0 2012-08-27 2012-06-22 19:57:07 2012-06-22 19:57:07 a variant of Win32/Packed.Themida Backdoor.Win32. Rbot.akio Trojan.Generic. 7352279 Themida
006e7190f10953306ba5846d272af457 2012-08-27 2011-03-13 17:31:06 2012-02-11 09:09:57 probably a variant of Win32/Agent.COLWWTQ Win32:Spyware-g en [Spy] Backdoor.Win32. Rbot.alyk Gen:Trojan.Heur .GM.0140430082 Backdoor:Win32/ Ursap!rts
006f203bee46359995b68b8f0f95dea1 2012-08-27 2011-12-03 11:22:06 2012-02-11 09:20:43 Win32/TrojanDropper.Delf.NJH Win32:Bifrose-D YN [Trj] Backdoor.Win32. Rbot.hyj Trojan.Keylogge r.ADY TrojanDropper:W in32/Agent.BAD
008e7e1d54316b2f2e6aebd0861a37fe 2012-08-27 2012-06-24 02:14:52 2012-06-24 02:14:52 a variant of Win32/Rbot Win32:EggDrop-A C [Trj] Backdoor.Win32. Rbot.boz Backdoor.Rbot.E UT Backdoor:Win32/ Rbot.gen!F
00a649781cf7d8153bd9af03d0ce5cd9 2012-08-27 2012-06-25 01:54:32 2012-06-25 01:54:32 a variant of Win32/Injector.OI Win32:Rbot-GLC [Trj] Trojan.Win32.Bu zus.bnsz Trojan.Generic. 1809892 VirTool:Win32/I njector.gen!B Armadillo v1.71
00ad7e4470086e1345b017876fd41619 2012-08-27 2011-09-11 16:46:41 2011-11-14 20:47:48 a variant of Win32/Packed.MoleboxUltra Win32:Malware-g en Backdoor.Win32. Rbot.hyj Trojan.Generic. 4200368 TrojanDropper:W in32/Agent.BAD
00d753fcbad0dc47101d3818d491a7e7 2012-08-27 2012-06-21 13:36:05 2012-06-21 13:36:05 Win32/TrojanDownloader.Agent.OST Win32:Trojan-ge n not-a-virus:AdW are.Win32.ZenoS earch.ky Trojan.Generic. 1385769 Trojan:Win32/Vu ndo
00e9816f69922b9c43f89dc0a92a99d1 2012-08-27 2008-12-27 13:34:07 2010-01-22 01:10:12 Backdoor.Bot.89 803 Xtreme-Protecto r v1.05
00eee20b71e92f57ded4b497e5dbdaf1 2012-08-27 2008-05-05 22:13:17 2008-05-05 22:13:17 Win32:Small-BHA Backdoor.Prorat .C Armadillo v1.71
00fc84692d5b22e4ecb3d8022ea86698 2012-08-27 2012-06-27 09:22:01 2012-06-27 09:22:01 a variant of Win32/Spy.Delf.NLM Win32:Agent-ACQ U [Trj] Backdoor.Win32. Rbot.agyp Gen:Trojan.Heur .PT.ei4abKk10V Trojan:Win32/De lf.EZ Malware_Prot.AJ themida 1.0.0.5 -> http://www.orea ns.com
00fc850b10d54e404cc1ff521ad10ea6 2012-08-27 2008-04-28 16:59:58 2008-05-06 12:24:21 Xtreme-Protecto r v1.05
Checked on VT at 2012-09-10 12:39:43
Scanned at 2012-08-26 04:26:41
Fi

 

—proRAT  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
0023b2d76c606328688afa5ade9c0acf 2012-08-27 2009-10-25 02:21:28 2009-10-25 02:21:28 a variant of Win32/Packed.Themida Win32:Bifrose-D RI Gen:Trojan.Heur .dvXarDpNMyoi Backdoor:Win32/ Prorat.AH
0043b0517c628ef897f477e4345fd7a3 2012-08-27 2010-07-02 02:34:55 2012-02-11 12:45:38 a variant of Win32/Packed.Themida Win32:Malware-g en Backdoor.Win32. Prorat.uft Backdoor:Win32/ Ursap!rts
0054c6b833c013f32bced841e1e6739d 2012-08-27 2009-10-19 17:19:55 2009-10-19 17:19:55 probably unknown NewHeur_PE Win32:Trojan-ge n MemScan:Backdoo r.Agent.ZNH Backdoor:Win32/ Prorat.AM
0073d646cf945a4b5b3ba513b87a3c60 2012-08-27 2012-06-20 00:16:55 2012-06-20 00:16:55 a variant of Win32/Prorat.19.NAC Win32:Malware-g en Backdoor.Win32. Prorat.efu MemScan:Backdoo r.Delf.HBZ Backdoor:Win32/ Prorat.AM Obsidium V1.3.0.4 -> Obsidium Software
008e37fd9125255f6a25e19fc7640bea 2012-08-27 2012-06-05 10:42:20 2012-06-05 10:42:20 Win32:Spyware-g en [Spy] Backdoor.Win32. Prorat.het Trojan.Generic. 4484805
0090c0275880256778d156f7b08e8f03 2012-08-27 2011-03-15 10:52:42 2011-04-13 18:37:22 Backdoor.Win32. Prorat.rft Gen:Trojan.Heur .dr3a4ScZqsdi
00a490a8595793e54caa7e9a38768891 2012-08-27 2008-10-01 16:13:23 2008-10-01 16:13:23 probably unknown NewHeur_PE Win32:Agent-ONW MemScan:Backdoo r.Agent.ZNH ASProtect v1.23 RC1
00eee20b71e92f57ded4b497e5dbdaf1 2012-08-27 2008-05-05 22:13:17 2008-05-05 22:13:17 Win32:Small-BHA Backdoor.Prorat .C Armadillo v1.71
00fc839a3e3d2986cceca58ae900ce13 2012-08-27 2010-08-18 21:00:24 2010-08-24 10:54:38 Win32/Packed.Themida.A Win32:Malware-g en Backdoor.Win32. Prorat.19.dht Trojan.Packed.L ibix.Gen.2 VirTool:Win32/O bfuscator.XX
0100ca070eda3acfbdfbf2424612cc5f 2012-08-27 2010-12-14 03:58:20 2012-06-07 07:22:17 a variant of Win32/Injector.BLB Win32:VB-PJN [Drp] Backdoor.Win32. Prorat.hhw Backdoor.Generi c.319260 Trojan:Win32/VB Inject.E
0121a89cb657a11e5dd092883bfd7825 2012-08-27 2010-07-17 07:37:48 2010-07-17 07:37:48 a variant of Win32/TrojanDropper.Delf.NFK Win32:Prorat-JE Gen:Trojan.Heur .GM.0408470024
017d509b8598921ed40744e0ca829db6 2012-08-27 2009-06-22 12:28:25 2009-06-22 12:28:25 Win32:Trojan-ge n {Other} Gen:Trojan.Heur .VB.1025DA9A9A Trojan:Win32/Ma lat
01e7cbd34f8bd3cf5fa608baf2fa6d60 2012-08-27 2011-11-15 13:23:32 2012-02-12 07:10:28 Win32/Prorat.NAH Win32:Prorat-FE [Trj] Backdoor.Win32. Prorat.dz Backdoor.Generi c.21020 Backdoor:Win32/ Prorat.K
01e93b84d7df6bac7cde630ffffd043f 2012-08-27 2010-05-20 13:53:52 2012-06-09 12:47:16 a variant of Win32/RemoteAnything.AA Win32:Trojan-ge n Backdoor.Win32. Prorat.hoj Packer.Malware. NSAnti.1 Backdoor:Win32/ VB.OF
01ea64f575a9f95563ffeef45fb09ca2 2012-08-27 2012-06-27 09:46:59 2012-06-27 09:46:59 Win32/Prorat.19 Win32:Prorat-BH [Trj] Backdoor.Win32. Prorat.kcm Backdoor.Prorat .19.I Backdoor:Win32/ Prorat.Z ASPack v2.12
02119a21b4b339dd367769c2aebd622c 2012-08-27 2008-11-04 18:23:06 2009-12-05 01:59:16 probably a variant of Win32/Agent Win32:Trojan-ge n Backdoor.Win32. ProRat.cqf Trojan.Generic. 1859606
022cb4ec9e03596701cdc5252c09d0e9 2012-08-27 2012-06-25 18:49:03 2012-06-25 18:49:03 a variant of Win32/Injector.EJM Win32:Trojan-ge n Backdoor.Win32. Prorat.efy Gen:Trojan.Heur .Dropper.bm0@aa gNUVni VirTool:Win32/V BInject.AZ
0247d8561b2a3b8338aa2eff5632f212 2012-08-27 2009-10-13 11:06:04 2009-11-08 22:05:55 Win32:Prorat-IR Backdoor.Win32. ProRat.fns MemScan:Backdoo r.Agent.ZNH Backdoor:Win32/ Prorat
0248b3729a47c970cbd5c43e7298d3dc 2012-08-27 2012-06-21 15:25:52 2012-06-21 15:25:52 a variant of Win32/GameHack.AL Win32:Trojan-ge n Backdoor.Win32. Prorat.fwr Backdoor.Turkoj an.AF Backdoor:Win32/ Turkojan.AI
024c8882871ba3921c2f243ad96e3956 2012-08-27 2012-06-19 17:50:01 2012-06-19 17:50:01 probably a variant of Win32/Agent.LTWPXFW Win32:Trojan-ge n Backdoor.Win32. Prorat.evo MemScan:Backdoo r.ProRat.TG Backdoor:Win32/ Prorat.U

—lostDoor – proRAT kinda  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
cb5c84f6f7e682d9cba2ecba677336c4 1970-01-01 2010-12-04 10:25:27 2012-04-04 22:06:55 a variant of Win32/Spy.KeyLogger.NHM Win32:Agent-ABM I [Trj] Trojan-Spy.Win3 2.VBChuchelo.ah Trojan.Generic. 161562 TrojanSpy:Win32 /Choochie.K

 

 

—Ultimate_Spy-Net  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
0058368c1856f88556e881d203441805 2012-08-27 2012-06-24 11:10:36 2012-06-24 11:10:36 a variant of Win32/TrojanDownloader.FakeAlert.NQ Win32:Lighty-B [Cryp] Trojan.Win32.Vi lsel.mfb Packer.Malware. Lighty.I TrojanDownloade r:Win32/Renos
00adc990cbf1e4733fdf3afbdf54938a 2012-08-27 2012-06-23 11:17:18 2012-06-23 11:17:18 a variant of Win32/TrojanDownloader.FakeAlert.NQ Win32:Lighty-B [Cryp] Backdoor.Win32. UltimateDefende r.hiw Packer.Malware. Lighty.I Trojan:Win32/Wa ntvi.I
00c547fb1918bcef0a864161b33f0ead 2012-08-27 2010-12-30 22:38:00 2012-02-11 06:34:55 a variant of Win32/Adware.Antivirus2008 Win32:FakeAV-M [Trj] Trojan-FakeAV.W in32.UltimateAn tivirus.g Trojan.Generic. 365345 Rogue:Win32/Fak eSecSen ASPack v2.12
00cbcdff13e5c710341393a19d260da6 2012-08-27 2008-07-28 12:42:05 2009-10-16 10:45:20 probably a variant of Win32/Adware.Antivirus2008 Win32:Trojan-ge n not-a-virus:Fra udTool.Win32.Ul timateAntivirus .ag Trojan.Generic. 669380 Trojan:Win32/Fa keSecSen ASProtect v1.23 RC1
0279f3e2593cb0130e2616de1e4ebb76 2012-08-27 2008-06-18 11:50:19 2012-02-12 23:45:25 Win32/Adware.WinAntiVirus Win32:FakeAV-M [Trj] Trojan-FakeAV.W in32.UltimateAn tivirus.cl Adware.Rogue.Ad vancedAntivirus .A Rogue:Win32/Fak eSecSen Armadillo v1.xx – v2.xx
029eea83722c549f099d423418b8a54a 2012-08-27 2008-10-17 23:58:48 2011-02-26 10:22:25 a variant of Win32/TrojanDownloader.FakeAlert.NQ Win32:Lighty-B Trojan-Dropper. Win32.Wlord.ahu Packer.Malware. Lighty.I TrojanDropper:W in32/Rooter.B
0305fbcff971eabd81d5ddadd29e6ec1 2012-08-27 2008-08-22 16:42:43 2011-07-18 05:11:41 probably a variant of Win32/Adware.Antivirus2008 Win32:Neptunia- AGB [Trj] not-a-virus:Fra udTool.Win32.Ul timateAntivirus .bi Trojan.Fakeav.B C Rogue:Win32/Fak eSecSen ASPack v2.12
0358ecdc802150626cec39052e43132b 2012-08-27 2008-11-03 08:08:58 2011-08-26 21:27:41 Win32/TrojanDownloader.FakeAlert.PL.Gen Win32:Lighty-D [Cryp] Backdoor.Win32. UltimateDefende r.gsv Trojan.FakeAler t.ANE TrojanDownloade r:Win32/Renos.F J
0452ca3a273127a940c491a87806b047 2012-08-27 2008-08-28 06:23:10 2008-10-22 05:12:57 not-a-virus:Fra udTool.Win32.Ul timateAntivirus .bu Program:Win32/A ntivirus2008 ASPack v2.12
057abdd8f6d1f61eef9434b5e7daa4c6 2012-08-27 2011-07-27 19:30:35 2011-10-20 22:26:38 Win32/Adware.UltimateDefender Win32:FraudTool -GY [Tool] Backdoor.Win32. UltimateDefende r.pq Trojan.Generic. 6410781 Trojan:Win32/An omaly.gen!A UPX UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
06fbf01caa783f46421a0bbedf97719e 2012-08-27 2012-06-19 23:11:45 2012-06-19 23:11:45 probably a variant of Win32/Kryptik.FD Win32:Lighty-E [Cryp] Backdoor.Win32. UltimateDefende r.hwp Trojan.FakeAler t.ANE Trojan:Win32/Wa ntvi.I
08226ab7f48461cb78d33b985ec2fa4f 2012-08-27 2008-08-25 12:55:04 2009-05-01 22:36:49 Win32/Adware.Antivirus2008 Win32:Neptunia- AGB not-a-virus:Fra udTool.Win32.Ul timateAntivirus .bq Trojan.Fakealer t.ALL Trojan:Win32/Fa keSecSen ASPack v2.12
085381cd16ef4f9c6cf03ce79f77b35f 2012-08-27 2009-04-16 21:00:47 2009-04-16 21:00:47 probably a variant of Win32/Adware.Antivirus2008 Win32:Neptunia- AGB not-a-virus:Fra udTool.Win32.Ul timateAntivirus .by Trojan.Fakeav.B C Trojan:Win32/Fa keSecSen ASPack v2.12
09cb0a224418027c40f9552c56180750 2012-08-27 2008-12-02 10:46:37 2009-09-12 07:57:49 a variant of Win32/Kryptik.CH Win32:Lighty-H Backdoor.Win32. UltimateDefende r.hki Trojan.Generic. 1730997 TrojanDownloade r:Win32/Renos.F J
0b55b43d8ec5898f408707ac069300b6 2012-08-27 2008-07-10 12:31:24 2011-08-15 04:38:12 Win32/Adware.Antivirus2008 Win32:FakeAlert -S [Trj] Trojan-FakeAV.W in32.UltimateAn tivirus.dp Trojan.FakeAv.B U Rogue:Win32/Fak eSecSen ASProtect v1.23 RC1
0c243bffc29aab2ea6e4abb65319f33c 2012-08-27 2008-09-19 14:03:15 2012-02-09 08:34:42 Win32/Adware.Antivirus2008 Win32:Neptunia- AGB [Trj] Trojan-FakeAV.W in32.UltimateAn tivirus.cp Trojan.Fakeav.B C Rogue:Win32/Fak eSecSen ASPack v2.12
0e4eaff4a610c160e9cfbe4b01463295 2012-08-27 2009-07-21 00:34:56 2009-11-15 11:49:01 probably a variant of Win32/UltimateDefender.A Win32:Agent-QNI Backdoor.Win32. UltimateDefende r.ieq Generic.Malware .P!.6473D4B8 VirTool:WinNT/X antvi.gen!A
0f27d07f89550dcae7050f3c100137f3 2012-08-27 2008-03-29 22:49:29 2008-10-29 15:07:04 not-a-virus:Fra udTool.Win32.Ul timateDefender. cm Trojan.Crypt.AN Trojan:Win32/Ti bs.gen!H
0f388783e9960156399c343ea7a70e24 2012-08-27 2008-11-03 20:53:28 2009-05-26 21:41:40 Win32/TrojanDownloader.FakeAlert.PL.Gen Win32:Lighty-D Backdoor.Win32. UltimateDefende r.gky Trojan.FakeAler t.ANE TrojanClicker:W in32/Klik
102009d4b848bd264753f877dae939a4 2012-08-27 2008-08-27 07:34:09 2012-01-24 08:11:37 probably a variant of Win32/Adware.Antivirus2008 Win32:Neptunia- AGB [Trj] Trojan-FakeAV.W in32.UltimateAn tivirus.bw Trojan.Fakeav.B C Rogue:Win32/Fak eSecSen ASPack v2.12

 

 

07/27/12

gAtO interview -Botnet’s in Tor -sI -Si

gAtO jUsT – finished an interview with Bill Donato from BotRevolt.com. I wanted to post this because these were good questions. My answers were a little lOcO gAtO but I tried anyway here is the Interview, at the bottom I included a conversation about Tor Controlled Botnet I found in HackBB in onion land, all I can tell you the code and how-to are out there -gAtO oUt

 

LinkedInMr Bill Donato has sent you a message.

Date: 7/26/2012

Subject: RE: Bot Revolt Blog

Hi Richard,
Here are 5 general questions we think our readers would find interesting. We greatly appreciate your feedback!

First Thank you Bill for this opportunity. I have 35 years in IT-and a little security goes with the territory but I’m no expert. I’m retired so I have the freedom to say what I want and I have chosen to support Freedom of Speech in cyberspace. You can find my rants and rages about security at http://uscyberlabs.com/blog I go by twitter @gAtOmAlO2 after my lionhearted cat “named- gato”. my 2 cents “be a critical reader, thinker and cyber user”. truet but verify

• We see a lot of cybercrime targeted at large companies, but how vulnerable is the average consumer in today’s cyber environment?

In todays economic climate cyber criminals see mass unemployment and use that to recruit shipping mules and money mules. Financial desperation and greed is a driving force in recruitment and the FBI is well aware of this a good money mule is hard to find and trust. Also Infection points for zombie computers to do the dirty work goes up and up with every new exploit. Last people don’t know how much information they leak out. With metadata just from the pictures in Facebook a criminal can gleam lot’s of information from the average Facebook update???.//

So to answer your question yes the average consumer needs to be very careful and have common sense. That lost Uncle from Nigeria did not leave you a billion dollars, trust me on this one.

• At the current level of cybercrime’s growth, if it is possible how long before the internet crashes?

Cyber crime is growing but CISPA is not the answer. PII (Personal Identifiable Information) that the government say’s it will not gather just your shopping and search cyber habits, nothing identifiable until you type in the wrong keyword, then your monitored. Then your footsteps in cyberspace will be monitored a bit more closely. The Judicial system now added the cyber forensic phycologist that can produce “minority reports- remember the movie – the though police…”. That’s scary..

Where were you last Tuesday @ 9:37 PM… they know, we are being monitored by the good guy in todays Internet. It’s normal to update my Facebook page or my Linkined profile, leaking data with the metadata from our pictures of our visit to the new office overseas. Can give criminals information for APT attacks.

As to the Internet crashing, I think it’s just beginning. We have Criminals after our data, government after our habits and we have ourself leaking information for everyone to know about me, me, me…. but it’s not crashing —> we have too many me..me..me..

• Cyber warfare is a hot topic, how will a cyber-war affect the countries average citizen?

Have you ever watch your daughter lose her cell phone 5 times in one year, 5 times not one backup. The effects of a cyber kinetic event in the US will happen. I see open scada system in the wild with no protection. Try and report this information that’s a joke and impossible. So many miss-configured scada all running windows OS, with no patch updates or management..// so they become more vulnerable everyday that they don’t upgrade.

Oh make that a tested Update because we (admin type) all stayed up late at nights un-installing an upgrade for -Windows OS- that made the Payroll system -Oracle- not work so NO paychecks….

In other words it will happened because we have a pretty bad security system built into these devices and they are to expensive to replace it’s worth the risk from a financial side so companies ROI return on investment… they did the cost analysis of an attack -they know they will get hacked…Power grid YeaH Baby and we have no backup — but we still come back… the average citizen has to ride it out we have no choice in warfare.
• You talk on your website, uscyberlabs.com, about the rise of botnets running on the tor .onion network, is the tor network a threat to people who do not access it? If so how do users protect themselves?


Botnets in Tor on Yeah! I’m doing some research into botnets in the Tor Black Market and it’s alive and kicking. The Tor hidden service and C&C servers goes hand in hand. You can’t find it, and it can’t be found. We also have i2p as an up and coming secure anonymized network so expect more and more from this area.

I included a post from HackBB-website in the onion network this discussion is about “Tor-Controlled Botnets” I included the code so in Tor there is talk from the hacker world on how to guides to Tor & bonnets. and it’s has a current timestamp.

I’t not just the code it’s also the infrastructure design.

Got to Tor HackBB [1]-  — http://clsvtzwzdgzkjda7.onion/

• On your blog titled “Online Security Basic -should I use encryption” you give some great information. What encryption programs, methods or tips do your recommend for some of the less computer savvy users?

Well first of all here [below] is my public key if you want to send me a message. I use FireVault and encrypt my hard drive, but I forgot my password – that’s my story and I’m sticking to it..;) I use GnuPG. Since I’m not doing skunk work, and I’m not a spy, I try to go open-source type programs, yes they are a little harder to learn but I feel safer with the open aspect of it. In security we have a motto – trust but verify – I can verify these open source program…./

One thing that the average user needs to do is to make their privacy a key part in their cyber life. When you start down the security rabbit hole it’s an active step in your cyber lifestyle.

Privacy is a personal thing, when I’m looking for Preperation H I don’t want Google, Yahoo or Amazon to know about this medical problem, it’s kinda personal, private. But when I’m trolling on Huffington Post it’s another world.

 

 

[1] Conversation online in HACKBB website.. about Tor Botnets

 

[1] Tor-controlled botnet

Re: Tor-controlled botnet

by BotCoder » Fri May 18, 2012 5:50 pm

Good news! I compiled TOR from source and there is no GUI or tray icon if you skip the installer step.

Here are the info to compile from source (you can skip the installer part and build a silent one yourself):

CODE

##

## Instructions for building Tor with MinGW (http://www.mingw.org/)

##

Stage One:  Download and Install MinGW.

—————————————

Download mingw:

http://prdownloads.sf.net/mingw/MinGW-5.1.6.exe?download

Download msys:

http://prdownloads.sf.net/ming/MSYS-1.0.11.exe?download

Download msysDTK:

http://sourceforge.net/projects/mingw/files/MSYS%20Supplementary%20Tools/msysDTK-1.0.1/msysDTK-1.0.1.exe/download

Install MinGW, msysDTK, and MSYS in that order.

Make sure your PATH includes C:\MinGW\bin.  You can verify this by right

clicking on “My Computer”, choose “Properties”, choose “Advanced”,

choose “Environment Variables”, select PATH.

Start MSYS(rxvt).

Create a directory called “tor-mingw”.

Stage Two:  Download, extract, compile openssl

———————————————-

Download openssl:

http://www.openssl.org/source/openssl-0.9.8l.tar.gz

Extract openssl:

Copy the openssl tarball into the “tor-mingw” directory.

Type “cd tor-mingw/”

Type “tar zxf openssl-0.9.8l.tar.gz”

(Note:  There are many symlink errors because Windows doesn’t support

symlinks.  You can ignore these errors.)

Make openssl libraries:

Type “cd tor-mingw/openssl-0.9.8l/”

Type “./Configure -no-idea -no-rc5 -no-mdc2 mingw”

Edit Makefile and remove the “test:” and “tests:” sections.

Type “rm -rf ./test”

Type “cd crypto/”

Type “find ./ -name “*.h” -exec cp {} ../include/openssl/ \;”

Type “cd ../ssl/”

Type “find ./ -name “*.h” -exec cp {} ../include/openssl/ \;”

Type “cd ..”

Type “cp *.h include/openssl/”

Type “find ./fips -type f -name “*.h” -exec cp {} include/openssl/ \;”

# The next steps can take up to 30 minutes to complete.

Type “make”

Type “make install”

 

Stage Three:  Download, extract, compile zlib

———————————————

Download zlib source:

http://www.zlib.net/zlib-1.2.3.tar.gz

Extract zlib:

Copy the zlib tarball into the “tor-mingw” directory

Type “cd tor-mingw/”

Type “tar zxf zlib-1.2.3.tar.gz”

CHOICE:

Make zlib.a:

Type “cd tor-mingw/zlib-1.2.3/”

Type “./configure”

Type “make”

Type “make install”

Done.

 

Stage Four: Download, extract, and compile libevent

——————————————————

Download the latest libevent release:

http://www.monkey.org/~provos/libevent/

Copy the libevent tarball into the “tor-mingw” directory.

Type “cd tor-mingw”

Extract libevent.

Type “./configure –enable-static –disable-shared”

Type “make”

Type “make install”

 

Stage FiveBuild Tor

———————-

Download the current Tor alpha release source code from https://torproject.org/download.html.

Copy the Tor tarball into the “tor-mingw” directory.

Extract Tor:

Type “tar zxf latest-tor-alpha.tar.gz”

cd tor-<version>

Type “./configure”

Type “make”

You now have a tor.exe in src/or/.  This is Tor.

You now have a tor-resolve.exe in src/tools/.

 

Stage Six:  Build the installer

——————————-

Install the latest NSIS:

http://nsis.sourceforge.net/Download

Run the package script in contrib:

From the Tor build directory above, run:

“./contrib/package_nsis-mingw.sh”

The resulting Tor installer executable is in ./win_tmp/.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

gAtOmAlO Public Key-

—–BEGIN PGP PUBLIC KEY BLOCK—–

Version: GnuPG/MacGPG2 v2.0.17 (Darwin)

Comment: GPGTools – http://gpgtools.org

 

mQENBFAGzo8BCAC7Sg4uz5lQVrAPVe+BlMMGKjnLJwQvBy6V29CfPlws3/7b0Ryd

Th9CerSYt49Pt98iPNNZm38rtiKgABXp2jzTrpZDJsnxN+XCg0sdr/NZb6esP7Ck

hE77VSvTr0khFM1w7ZS3tf/1q6e9iqUovzPS4kBwSL7TMJgoQY0EJ9WAvLDeNrpO

P/JEBsawMH2q4Xd/i4QzirQf3fxVofOcwicSks9HI7LnSkiZu+rZTHo0yzdk/Sc6

SJqrFVplsUsSvESRdVLOEU4WVb7YpWGk3wBXgSSOvD+f2LVAgT40T4rGE15ZX3ou

Z/GEXCAy3Z+uVPPdiOPJRF71qmkRe0Um6yiNABEBAAG0I2dhdG8tbGFiIDxnYXRv

bWFsb0B1c2N5YmVybGFicy5jb20+iQE+BBMBAgAoBQJQBs6PAhsvBQkHhh+ABgsJ

CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRA1tzvyZQcKfrmLB/96RHvWFhzsfHWc

5YmW12vZf6cEbR0qgp1Z4LeERpuv/K96NSrXM81CMmi5F0l/m6ui/cEh0nwVM+EA

RD8MhJwRIhz3QOi6I5DBwM5YkKQNPgSPJegu27+96WXS4eNalQGZizBnbNO4SkdI

W2sH5L85z+uveZkKsGix9B8vLP9wcKMRP+5QEMVqetJ9+8njgfS4cmDrAnQyEfbs

dX5/P110a1rlPVK4vxiBGkikW4K3gmwMgNlRvQcLjlGjGpzon5a/Y9ve9WySSa8v

AMBZS5y6k6dkXXrakpBESkwJrYJDU16vlafL4C3lEP+Ce3foTTIWuHRAnJZnza4R

D0xX4C/6uQENBFAGzo8BCAC4odhP/am4dRMfJzJRIaCEzP+hs6pNOAcrHdychB5M

9z3ym6ddI0EEsI63xbYNmv+RJRxO6ZMY7P0R4CgUFPdjzmTbnPZ01J99QiPXUfd4

8+n4sCUvbEFCPSORnAPiKmWJbNrGsG7vXVTHCRgLUFIV9GAhBdK8ajn+UCZRR7Gf

Zr4qQ68cO+zS3rE4DeYgMpq9c4BYIbaRyjTTj9bwAEjr7gb7pyYGinyXtgz07/cK

hBgXmJf7zJ1s9kYMpeFqXAtd51fPcqCt0liutzyW/+YAIqAXP2WBNgZvDbfhd/5U

Od3aP1DeqJJOec3XcuLvts6rodWMSrb7remJQkkv5dftABEBAAGJAkQEGAECAA8F

AlAGzo8CGy4FCQeGH4ABKQkQNbc78mUHCn7AXSAEGQECAAYFAlAGzo8ACgkQkjHj

5gQjJYAL/Af+J5ZeEUNpbV96CUTVeSrT6hDrdkvU5NnPFUZmlVfhh+xrtRsHTJ9K

Ujcd5yAlLI38tr4A3hhuX1OToroEVRFKhTq+XpaKSBtdOeauCJeDY0NiKMJCBDue

+2CiqwIWR4tOfIFHPE/+F1STPgCxCFNfMouHqe+tI9+rqkJ11nPrUGCAzwmPcfK4

oKGWg1sbFKjyTN1XnVuzT3X/13DcZxFA9eDD2VAqlujBtifJJdYRd+hoBdoAjfXZ

OJJaYhvhj0CWWAv69Xpj1DyDA84ZcX5aanVRIhTLHgPhdJQ+jnxXYjrzE1RS+F2C

waXI7skjL/WWhey2YCFTMsY285TQbfBPn4t3B/4k35sqsb7FEd3au97AbJ1s1BWK

ZTSn6cEY9ZjB3exDsG/XQY522bdq+PxbSt8WKPlaEhEP0kjNOfl2UsBzNISL0f6s

hvwDR0Pov07W8t0O4Nz1v07AXDDxKvcgjPGTwknmjg2ny/ToEAbiacP7cXHuCOnw

A2e3l9C8Loluhvt3zgQVsv4E19KUT3a9SIYzIazQ+qbYAbbZszvjWMbBHroVviLj

9ImVWPh6lFARRKvmDTYk6RxAEKLPiYtcgtCUU34vJu+XBJchn4ua+Soney7ZIeyU

9D0mW4dFCYrdyTpbnK9vlYnzwhmT5ggTNGZu5t8PJLMW/qgwiCroXG6i3x58

=lYdL

—–END PGP PUBLIC KEY BLOCK—–

 

07/11/12

CyberPeace -not- CyberWar

gAtO sEe - In the last couple of days Gen. Keith Alexander has been pushing the Cyber War agenda. -The issues around warfare are very different in cyberspace than in the physical world, and the United States is looking into “alternative strategies,” said Alexander, while not offering further details. In another place he was telling us that the CIA will not use the new cyber laws to spy on our email. Ok so you gonna be a sheep and follow the word of the government. We won’t spy on you.

Alexander said “civil liberties and privacy can work harmoniously with cybersecurity”. Come on General your a nice guy, gAtO met you —/ you have a passion but every time you bring out —/ Oops there went the Power Grid, Oops.. there went the financial sector, scare me, scare me. I know it’s your job to secure our country to protect our nation cyber infrastructure. Don’t trample on our cyber right any more please.

Hay here is a solution for you use a Tor-.onion network-(any anonymized network) to tie your power grid, and/or your financial services. If you can’t close down Silk Road in onion-land your C&C for your power grid and financial services should be invisible to everyone except on a need to know. gAtO just save you 14 trillion in R&D…//

gAtO has not heard one word about Cyber Peace from any responsible government in the world. Everyone is looking for their own cyber posture, their own cyber weapons/ budget/ programs/ money// , but not one has said let’s work together to make it better for peace, guess there is no money in Cyber Peace. Espionage, spying is the job of governments why would they destroy their own tools, weapons and just tweak our cyber-rights a wee bit, for our cyber freedoms and safety, to protect our government and you -lol.

Here is a simple idea crowd-source our problems. The one major resource in cyber-space is number of people that can see the same message. In crowd-source we can give the facts and ask anyone to help solve city budgets, ways to harvest more vegetable/per vertical/ sq.ft. Ask people how would you protect our electric grid // you be surprised by the creative answers you get, OK some may be crazy but…//. It may not be the right solution, but the power of the minds of people collaborating is what this new technology is built for. FaceBook is about ME- Twitter is about the rest of the world- but the new winner is —/ Comments /— have become more important than the article-subject itself because the conversation within in the comments shows social communication and problem solving by the masses.

Let’s change the message to CyberPeace, everyone has a solution, but remember that all your comments are the new gold so watch what you say to that troll on huffpost— gAtO oUt

 

Read more: Alexander: U.S. looking for offensive alternatives in cyberspace – FierceGovernmentIT http://www.fiercegovernmentit.com/story/alexander-us-looking-offensive-alternatives-cyberspace/2012-07-11#ixzz20KW1Lcf2

07/7/12

Cyber Jihad Intelligence last 6 months in 2012

Jihad Intelligence last 6 months in 2012

gAtO found the International Institute for Counter Terrorist pretty good site


 

Periodical Review: Summary of Information from Jihadi Forums

The Second Half of May 2012

This report summarizes notable events discussed on jhadist Web forums during the second half of May 2012. Following are the main points covered in the report:

  • Sheikh Ayman Al-Zawahiri calls on the residents of Saudi Arabia to organizemass protests to overthrow the Saudi regime.
  • The Pakistani Taliban publish a video of the storming of Bannu Prison, duringwhich nearly 400 Muslim prisoners were freed, among them Taliban involvedin an attempted assassination of the former president of Pakistan.
  • The Islamic State of Iraq exhorts Sunnis to realize that it is protecting theirinterests, while the Shiites are the real enemy, and must be fought.
  • Al-Qaeda in the Arabian Peninsula (AQAP) takes responsibility for an attack against Yemen’s minister of defense and US military officers at a military basenear Sana’a.
  • Ansar Al-Din and the National Movement for the Liberation of Azawad jointlyagree to establishment an Islamic state in Azawad, northern Mali.
  • A new Libyan Salafi-jihadist group, “The Imprisoned Sheikh Omar Abd Al-Rahman Brigades”, publishes its first announcement.
  • The Islamic Emirate of Afghanistan publishes the second issue of the Urdu-

language magazine Shariat.


Fatwas, March-April 2012

This review reports the main fatwas [religious-legal rulings] appearing in March and April 2012 on Minbar Al-Tawhid wal-Jihad, a Web site
run by the Salafist ideologue Abu Muhammad Al-
Maqdisi.1 The fatwas are issued by the prominent

Salafists who comprise the site’s Sharia Committee, in
response to Web surfers’ questions.
Among those we have chosen to highlight in this review
are fatwas covering the following: the religious-legal
obligation of every Muslim to join jihad in Syria;
affiliation with a Salafist political party; enlisting in an infidel army for the purpose of espionage; involvement in Libya’s National Transitional Council; and the status of the Free Syrian Army vis a vis the Salafist-jihadist Front for the Defense of the Syrian People.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Jihad Intelligence last 6 months in 2012

28/6/2012 Periodical Review: Summary from the Jihadi Forums – The Second Half of May 2012

ICT’s Jihadi Websites Monitoring GroupThis report summarizes the most prominent events brought up in the Jihadi online forums in the second half of May 2012. Following are the main issues raised in this report:   
• Sheikh Ayman Al-Zawahiri calls on the residents of Saudi Arabia to organize mass protests to overthrow the Saudi regime.
• The Pakistani Taliban publish a video of the storming of Bannu Prison, during which nearly 400 Muslim prisoners were freed, among them Taliban involved in an attempted assassination of the former president of Pakistan.
• The Islamic State of Iraq exhorts Sunnis to realize that it is protecting their interests, while the Shiites are the real enemy, and must be fought.
• Al-Qaeda in the Arabian Peninsula (AQAP) takes responsibility for an attack against Yemen’s minister of defense and US military officers at a military base near Sana’a.
• Ansar Al-Din and the National Movement for the Liberation of Azawad jointly agree to establishment an Islamic state in Azawad, northern Mali.
• A new Libyan Salafi-jihadist group, “The Imprisoned Sheikh Omar Abd Al- Rahman Brigades”, publishes its first announcement.
• The Islamic Emirate of Afghanistan publishes the second issue of the Urdulanguage magazine Shariat.


14/6/2012 Periodical Review: Summary from the Jihadi Forums – The First Half of May 2012

This report summarizes the most prominent events brought up in the Jihadi online forums in the first half of May 2012. Following are the main issues raised in this report:   
• Ayman Al-Zawahiri calls on the Muslims of Afghanistan, Somalia and Yemen to fight Western forces in the lands of Islam and revolt against “collaborator” regimes.
• Al-Qaeda again threatens to execute American-Jewish hostage Warren Weinstein.
• The Shura Council of the Islamic Emirate of Afghanistan declares “open season” against occupation forces in Afghanistan.
• Sheikh Fahd Al-Quso Al-Awlaki, a senior military leader of Ansar Al-Sharia, has been assassinated.
• The English-language jihadist magazine Inspire resumes publication after a hiatus with two issues on individual jihad.
• A new jihadist magazine about efforts to free Muslim women prisoners has hit the cyber newsstand: Majalat Al-Asirah [The Woman Prisoner].
• The second issue of the jihadist magazine Al-Qaeda Airlines appears.

ICT’s Jihadi Websites Monitoring Group26/5/2012 Periodical Review: Summary from the Jihadi Forums – The Second Half of April 2012

ICT’s Jihadi Websites Monitoring GroupThis report summarizes the most prominent events brought up in the Jihadi online forums in the second half of April 2012. Following are the main issues raised in this report:   
• The leader of Al-Qaeda in the Islamic Maghreb (AQIM) calls on the Algerian people to boycott the coming elections in Algeria.
• AQIM threatens to attack Britain following its decision to extradite Abu Qatada Al-Filastini to Jordan.
• The Front for the Defense of the Syrian People steps up terrorist activity against Syrian government forces.
• Abd Al-Ghnai Jawhar, an explosives expert for Fath Al-Islam, is killed in Syria.
• Senior Salafi-jihadists in Egypt increase their propagandizing in Tahrir Square.
• A new series on preparing poisonous substances is published.
• Fursan Al-Balagh, a new jihadist media outlet, appears. 


16/5/2012 Periodical Review: Fatwas – March – April 2012

ICT’s Jihadi Websites Monitoring GroupThis review reports the main fatwas [religious-legal rulings] appearing in March and April 2012 on Minbar Al-Tawhid wal-Jihad, a Web site run by the Salafist ideologue Abu Muhammad Al- Maqdisi. The fatwas are issued by the prominent Salafists who comprise the site’s Sharia Committee, in response to Web surfers’ questions. Among those we have chosen to highlight in this review are fatwas covering the following: the religious-legal obligation of every Muslim to join jihad in Syria; affiliation with a Salafist political party; enlisting in an infidel army for the purpose of espionage; involvement in Libya’s National Transitional Council; and the status of the Free Syrian Army vis a vis the Salafist-jihadist Front for the Defense of the Syrian People.


10/5/2012 Periodical Review: Summary from the Jihadi Forums – The First Half of April 2012

ICT’s Jihadi Websites Monitoring GroupThis report summarizes the most prominent events brought up in the Jihadi online forums in the first half of April 2012. Following are the main issues raised in this report:   
• The leadership of Al-Qaeda and of its Somali affiliate Al-Shabab Al- Mujahideen threaten Britain with retribution for its intention to extradite al- Qaeda spiritual leader Abu Qatadah Al-Filastini to Jordan.
• Waliur Rehman, deputy commander of the Pakistani Taliban, threatens the UK with attack if it refuses to release Islamist prisoners – or at least improve their conditions.
• The Islamic Emirate of Afghanistan takes responsibility for a series of synchronized terrorist attacks against embassies and other targets throughout Afghanistan.
• Sheikh Abu Ubayda Yusuf Al-Annabi expresses solidarity with the Syrian people in their struggle against the regime of Bashar Al-Assad.
• A new jihadist series on military affairs, Al-Qaeda Airlines, is released.
• A new jihadist magazine is issued in Swahili.
• Evidence increases of the involvement of contributors to jihadist Web forums, such as Shumukh Al-Islam, in actual jihad and in terrorist activities.
• Leading jihadist Web forums Shumukh Al-Islam and Al-Fida resume operation after a temporary takedown last month.


21/4/2012 Periodical Review: Summary from the Jihadi Forums – The Second Half of March 2012

ICT’s Jihadi Websites Monitoring GroupThis report summarizes the most prominent events brought up in the Jihadi online forums in the second half of March 2012. Following are the main issues raised in this report:   
• In two separate audio files, Al-Qaeda leader Ayman Al-Zawahiri exhorts the Pakistani people to oppose their army and government, and the Afghani people to join jihad and beware of Muslims who collaborate with the US.
• Muhammad Al-Zawahiri, brother of Ayman Al-Zawahiri, is released from prison in Egypt.
• The Pakistani Taliban will wreak vengeance on the Pakistani regime and gain control of Pakistan’s nuclear weapons, according to top Taliban commander in Mohmand tribal region Sheikh Omar Khaled Al-Khurasani.
• Al-Qaeda in the Islamic Maghreb (AQIM) will strike at the heart of Germany, it says, unless the German government frees a Muslim woman prisoner in exchange for the release of a German hostage being held by AQIM.
• Contributors to jihadist Web forums praise Mohammed Merah, the terrorist from Toulouse, and urge Muslim youth in the West to emulate him.
• Leading jihadist Web forums Al-Fida, Shumukh Al-Islam, and Ansar Al- Mujahideen cease functioning during the latter half of March 2012. Ansar Al- Mujahideen and Shumukh Al-Islam resume activity in early April.


11/4/2012 Periodical Review: Summary from the Jihadi Forums – The First Half of March 2012

ICT’s Jihadi Websites Monitoring GroupThis report summarizes the most prominent events brought up in the Jihadi online forums in the first half of March 2012. Following are the main issues raised in this report:   
• Given what he calls the Iranian-Shiite conspiracy to attack and take over Saudi Arabia, Sheikh Abu Sufyan Al-Azdi Al-Shari, the deputy head of Al- Qaeda in the Arabian Peninsula (AQAP), urges Sunnis to wage jihad against the Shiite population of Saudi Arabia.
• Al-Qaeda in the Arabian Peninsula (AQAP) takes responsibility for assassinating an American military intelligence officer in Aden, Yemen.
• Ansar Al-Sharia declares Shabwa Province the Islamic Emirate of Yemen.
• Ahmad Faruq, Al-Qaeda’s head of the propaganda department of Al-Qaeda in Pakistan, calls for jihad against the Pakistani Army. He confirms the death of Ilyas Kashmiri, the operations officer of Al-Qaeda in Pakistan.
• Al-Balagh, a new jihadist magazine that focuses on events in Syria, is published.
• Majlat Al-Salafiyya, a new electronic Tunisian Salafi-jihadist weekly, is published.
• Leading jihadist forums embark on a massive campaign advocating Ansar Al- Sharia in Yemen.


30/3/2012 Periodical Review: Summary from the Jihadi Forums – The Second Half of February 2012

ICT’s Jihadi Websites Monitoring GroupThis report summarizes the most prominent events brought up in the Jihadi online forums in the second half of February 2012. Following are the main issues raised in this report:   
• A new video clip was issued, in which Ayman Al-Zawahiri calls for the revolution in Egypt to continue until the representatives of the previous regime have been eliminated, ties to the US have been severed, and the peace treaty with Israel has been nullified.
• The Islamic Emirate of Afghanistan encouraged Afghans serving proximate to Western security forces to attack them, and cited the Afghani chef who poisoned American soldiers as an example.
• Propaganda has increased against the Syrian regime, as have appeals to assist the Syrian people in their struggle against the regime.
• Al-Qaeda in the Arabian Peninsula (AQAP) took responsibility for an attack on the presidential palace in Yemen on the eve of the transfer of power from Yemen’s former president, Ali Abdullah Saleh, to its former vice president, Abd-Rabbu Mansour Hadi.
• Two new jihadist media institutions have been established: Al-Tahadi, and Inform Foundation for Media Production.
• A new jihadist Web forum called Al-Qital has been established.


19/3/2012 Periodical Review: Fatwas – January – February 2012

ICT’s Jihadi Websites Monitoring GroupThe following report details the main fatwas published in January and February 2012 on Minbar Al-Tawhid wal- Jihad, a Web site run by the Salafi ideologue Abu Muhammad Al-Maqdisi. Web surfers’ questions are answered by the site’s Sharia Committee, which comprises a number of prominent Salafi sheikhs.This publication presents some of the religious-legal rulings [fatwas] handed down in January and February 2012. Among them, we highlight fatwas concerning the Islamic laws regulating participation in Libya’s National Transitional Council; the status of property looted from the estate of the deposed tyrant Muammar Qadhafi and, similarly, the status of property looted from members of the Syrian regime; the stance one should take toward Sunni soldiers fighting in the Syrian Army; and whether or not it is permissible under Islamic law for a Muslim to work for one of the security forces (police, military, FBI) in the West.


6/3/2012 Periodical Review: Summary from the Jihadi Forums – The First Half of February 2012

ICT’s Jihadi Websites Monitoring GroupThis report summarizes the most prominent events brought up in the Jihadi online forums in the first half of February 2012. Following are the main issues raised in this report:   
• Ayman Al-Zawahiri, the leader of Al-Qaeda, announced that the Somali movement Al-Shabab Al-Mujahideen had officially joined Al-Qaeda.
• Al-Shabab Al-Mujahideen organized a large celebration in honor of its having joined the ranks of Al-Qaeda.
• Ansar Al-Sharia in Yemen executed three Yemeni citizens suspected of collaborating with US forces.
• The Islamic State of Iraq took responsibility for assassinating Mullah Nadim Al-Juburi, a former leader who had left the organization.
• Abu Muhammad Al-Tahawi, an influential Salafi-jihadist in Jordan, called for jihad against the regime of Bashar Al-Assad.
• A new volume was published of Al-Shamikha, a jihadist magazine for women.
• New volumes appeared of three publications that cover the jihad in Afghanistan.
• The Salafi-jihadist media outlet Al-Faroq, which focuses on Egypt, launched a new Facebook page.


28/2/2012 Periodical Review: Summary from the Jihadi Forums – The Second Half of January 2012

ICT’s Jihadi Websites Monitoring GroupThis report summarizes the most prominent events brought up in the Jihadi online forums in the second half of January 2012. Following are the main issues raised in this report:   
• The Nigerian group Boku Haram has taken responsibility for a series of coordinated attacks perpetrated on January 20, 2012, against several police institutions in Kanu, the second-largest city in Nigeria.
• Using a car laden with explosives, the Somali group Al-Shabab Al-Mujahideen carried out a suicide terrorist attack against the regional headquarters of the Ethiopian Army in the city of Beledweyne.
• Ansar Al-Sharia has succeeded in taking over the city of Rada’a in Yemen.
• The Shari’a Council of Al-Qaeda in the Arabian Peninsula (AQAP) has ruled that the faithful may kill the Houthis in Yemen, and stating that, in fact, it is the duty of every Muslim to wage war against the Houthis.
• The spokesman for the Islamic State of Iraq has emphasized that the jihad in Iraq will continue even though the US has withdrawn its troops, and that now the majority of effort will be directed against Iran’s agents in Iraq and their Shi’ite allies.
• A new jihadist group called “The Aid Front for the Syrian People” has been established, with the central goal of overthrowing Bashar Al-Assad.
• A new Salafi group has been established in Egypt named “Followers of the Sunna for the Salvation of Egypt” and headed by Hani Al-Sibai and Tariq Abd Al-Halim.
• A new jihadist Turkish periodical, ?slam Dünyas?, has been published.


12/2/2012 Periodical Review: Summary from the Jihadi Forums – The First Half of January 2012

ICT’s Jihadi Websites Monitoring GroupThis report summarizes the most prominent events brought up in the Jihadi online forums in the first half of January 2012. Following are the main issues raised in this report:  • The Chairman of Al-Qaeda in the Islamic Maghreb’s Political Committee addresses the Algerian people, telling them to bring down the Algerian regime.
• The Emir of the “Al-Tawhid wal-Jihad” Group in western Africa threatens France with war and claims responsibility for the abduction of three Europeans from south Algeria.
• The Emir of the Nigerian “Boko Haram” Group promises to continue with the operations against the Christians.
• The leader of the Kenya branch of the “Al-Shabab Al-Mujahideen” movement stresses that Kenya is a legitimate Jihad arena.
• The “Al-Qayrawan” Tunisian Salafi-Jihadi media institute expands its propaganda activity and is embraced by the “Shumukh Al-Islam” Jihadi forum.
• Three new issues of the Islamic Emirate of Afghanistan.
• A new newsletter called “Shahada”, focusing on the Somali jihadi arena.


22/1/2012 Periodical Review: Fatwas – November – December 2011

ICT’s Jihadi Websites Monitoring GroupThe following report details the main fatwas published in November and December, 2011 on Minbar Al-Tawhid wal-Jihad, a Web site run by the Salafi ideologue Abu Muhammad Al-Maqdisi. Web surfers’ questions are answered by the site’s Sharia Committee, which comprises a number of prominent Salafi sheikhs.This publication presents some of the religious-legal rulings [fatwas] handed down in November and December 2011. Among them, we highlight fatwas concerning joining the Free Syrian Army and the revolutionaries in Libya; participation in protests against the continued rule of the Supreme Council of the Armed Forces in Egypt; participation in demonstrations against the regime in Morocco, alongside elements whose principles contravene those of Islamic religious law [shari’a]; the appropriate response to a French newspaper’s having derided the prophet Muhammad; and the essence of the relationship with the Al-Nahdha Party in Tunisia.


16/1/2012 Periodical Review: Summary from the Jihadi Forums – The Second Half of December 2011

ICT’s Jihadi Websites Monitoring GroupThis report summarizes the most prominent events brought up in the Jihadi online forums in the second half of December 2011. Following are the main issues raised in this report:   • Abu Yahya Al-Libi summarizes the key events of 2011.
• A new video clip in memory of Anwar Al-Awlaki is produced by Al-Qaeda in the Arabian Peninsula (AQAP), and a message is sent to Muslims living in the US to join the battlefields of jihad or to fight the US on its own soil.
• In an audio file, Ibrahim Al-Rubaysh discusses the achievements of the Arab revolutions, especially as reflected in the weakening of the US in the Middle East.
• A new jihadist organization, calling itself Ansar Al-Din, is established in northern Mali.
• Al-Tawhid wal-Jihad in West Africa takes responsibility for abducting three European citizens in Algeria.
• A new jihadist organization calling itself Ansar Al-Mujahideen is established in the Sinai Peninsula.
• Three new jihadist media outlets are established: Al-Ibda, Ibn Taymiyyah (identified with the Palestinian Salafi-jihadist Army of Islam), and Al-Faroq (based in Egypt).

 

References:

read More –>http://www.ict.org.il/

07/6/12

Online Security Basic -should I use encryption

gAto fOuNd - this -/ Basic Security Guide /- a while ago in the .onion and while I don’t agree with everything in this write-up I learned some new things. At the end of the day –/ they can’t take away what’s in your head -always be a critical thinker - gAtO oUt

Online Security Basic - link are .onionLand

Transcribed from http://g7pz322wcy6jnn4r.onion/opensource/generalguide.html on 2011-04-16.

Contents[hide]

Basic F.A.Q.

What is encryption?

Encryption is a method of encoding information in such a way that it is computationally difficult for eavesdroppers to decode, but computationally easy for the intended recipient to decode. In practical terms, encryption makes it almost impossible for you to be successfully wiretapped. Encryption can also make it essentially impossible for computer forensic teams to gather any data from your hard disk drive. Encryption is the process of making information difficult or impossible to recover with out a key. The key is either a passphrase or a huge random number protected by a passphrase. Encryption algorithms fall into two primary categories: communications and storage. If you use a program such as GPG to encrypt your E-mail messages, you are using encryption for communications. If you use a program such as Truecrypt to encrypt your hard disk drive, you are using encryption for storage.

Is there a big difference between storage and communication encryption?

Yes. Data storage encryption often uses only symmetric algorithms. Communication encryption typically uses a combination of asymmetric and symmetric algorithms. Asymmetric algorithms are generally far easier to break than symmetric algorithms. In practice this is not significant as the computing power required to break either strong asymmetric or strong symmetric algorithms is not likely in the grasp of any agency.

Should I use encryption?

Yes! If you participate in the Internet underground it is essential for your continued freedom that you learn how to use encryption programs. All communications should be encrypted as well as all stored data. For real time communication encryption we suggest either Pidgin or Adium instant messages with the OTR plug-in. For non-real time communication encryption we suggest GPG. Truecrypt does a great job of encrypting stored data and can also encrypt the OS partition if you use Windows. Various flavors of Linux and Unix also allow for the OS partition to be encrypted although the particular program used will vary. If an alternative installation CD is used Ubuntu allows for OS partition encryption during the installation process.

What is plausible deniability?

When discussing stored data encryption plausible deniability means that an encrypted container can decrypt into two different sets of data depending on the key used. Plausible deniability allows for you to pretend to cooperate with authorities with out them being able to tell you are not cooperating. For example, perhaps they demand you give up your password so they can decrypt some of your communications or stored data. If you used a system with plausible deniability you would be able to give them a password that would indeed decrypt the encrypted data. However, the decrypted data they can now see will be non-sensitive data you intentionally allowed for them to decrypt. They can not see your sensitive information and they can not prove that you didn’t cooperate.

Do I need plausible deniability?

Possibly. It really depends on where you live. In the U.K. it is a crime to refuse to give law enforcement your encryption keys on demand. Refusal to reveal encryption keys is punishable by several years in prison, but this is quite possibly a lot less time than you would get if you did reveal your encryption keys. In the U.S.A. the issue has not yet gone to the supreme court and lower judges have ruled in both directions. In general it is a good idea to use plausible deniable encryption when possible. Truecrypt supports plausible deniability for all functions under Windows. For Linux there is no current software supporting out-of-the-box plausible deniability of the OS partition. With Linux you may be able to achieve a type of plausible deniability by encrypting your entire drive and putting the bootloader on another device. Then you can argue the drive was freshly wiped with a PRNG and there is no key to decrypt.

Of course the police can break encryption, right?!

If you are using a strong encryption program (such as GPG, OTR, Truecrypt, etc) and a long and random password (or automatically generated session key, such as OTR) the police are not going to be able to directly break the encryption. This is not to say they can not get your key in other ways! For example they could install a keylogger onto your keyboard or use various transient signal attacks to capture your key while you type it. An emerging method of encryption key compromise uses application layer exploits to remotely grab keys from RAM. These ‘side channel’ attacks need to have active measures taken against them (the best of which are using a strong anonymity solution and hardened OS).

What about the NSA?

The NSA is not going to be able to break strong data storage encryption algorithms (symmetric). They are also probably not able to break strong communication encryption algorithms (asymmetric). Very powerful quantum computers can be used to greatly reduce the bit strength of an encryption algorithm. Symmetric algorithms have their bit strength cut in half. Asymmetric algorithms are easily broken by such powerful computers. If you are using AES-256 a powerful quantum computer will reduce its bit strength to the still unbreakable 128. If you are using even a 4,096 bit RSA key with GPG, a powerful quantum computer can break the encryption. However, keep two things in mind; It is not likely that the NSA or anyone else has such a computer, and anyone sane will assure you that unless you are a foreign military or major terrorist the NSA will not act on any intelligence they gather by by breaking your communication encryption.

But anything can be hacked, right? Why not encryption?

Encryption algorithms are not hacked, they are cryptanalyzed. Not every single thing done with a computer can really be considered hacking. Hackers may be able to exploit the implemented code of a program using an encryption algorithm, but even the best hackers tend to know little about encryption. Hacking and cryptography are not the same field and most hackers who think they know a lot about encryption actually know very little about it. Encryption is a field of pure mathematics and good encryption algorithms are based firmly on the laws of mathematics as they are currently understood. Unless there is some very unlikely discovery in the field of mathematics the security claims made about most encryption algorithms will stand firm even if the best hackers (or even more impressively cryptographers) in the world try and attack them.

Note: Some hackers are skilled enough to side channel your encryption with application layer exploits unless you take hardening counter measures. This is not hacking the encryption algorithm although it is using hacking to counter encryption. Following our general security guide (later on this page!) will make it much harder for hackers to do this. To hack you through Open Source the attacker will first have to compromise Open Source, we have taken many security measures to make this very difficult to do.

Using encryption programs myself is difficult, but Hushmail, Safe-Mail or (Insert name here) will manage it for me!

Fully web based services can not really offer you strong encryption. They manage your keys for you and for this reason they have access to your keys. It does not matter what the company is named or what they promise, all of them are liars and some are probably honeypots. These services will not offer you strong encryption and law enforcement will be able to gain access to your communications. If you play with fire you need to learn how to protect yourself or you will be burned. It is not overly difficult to manage your own encryption and it is the only possible way for you to maintain your security.

What exactly is anonymity?

Anonymity is the property of being indistinguishable from a given set size (number of others). In the way the term is commonly used anonymity is the inability to be traced. A trace could mean that an attacker follows your communication stream from you to the end destination you are communicating with. A trace could also mean that an attacker follows a trail of logs from the end destination you communicate with back to your location. Anonymity solutions make it difficult to trace your communications and by doing so also make it harder to map out the networks you participate in. Anonymity can also be used to prevent censorship. If a server is hosted as part of an anonymity network and its location can not be determined then an attacker is incapable of demanding the censorship of the services hosted by the server.

Why do I need anonymity?

If you are not using an anonymity solution your presence on the Internet can be trivially traced back to your presence in real life. If you are participating in activities on the Internet which you would not want to be traced to your real life identity, you need anonymity. If you are participating in a network you need anonymity to protect yourself from network analysis. If no one on your network is using anonymity solutions and the police bust one of them, they will be able to see who all they communicated with as well as who all those people communicated with etc. Very quickly and with high precision the police will be able to map out the entire network, going ‘outward’ to many degrees. This may be useful for evidence (for use in court) and it is certainly useful for intelligence (so they know where to look next).

I already use encryption so there is no need for me to be anonymous!

Although encryption and anonymity highly compliment each other they serve two different goals. Encryption is used to protect your privacy, anonymity is used to hide your location and protect you from network analysis. Strong anonymity requires encryption, and encryption is greatly benefited when combined with anonymity (after all, it is hard to install a keylogger if you don’t know where the target is located!). If you use strong encryption but no anonymity solution the feds may not be able to see what you say but they will know who you are and who you are talking with. Depending on the structure and purpose of your network, a single compromised node may very well remove all benefits of using encrypted communications. Many of the most realistic and devastating attacks on encryption systems require the attacker to gain a physical presence; if you are not using an anonymity solution this is trivial for them to do. If the feds do not know where you are, they can’t bug your keyboard with a keylogger. Anyone who says you do not need anonymity if you use encryption should be looked at with great suspicion.

Tor exit nodes can spy on my communication streams so I should not use it!

If you use Tor to connect to the open Internet (.com instead of .onion) it is true that the exit node can spy on your communications. You can reduce the risk of this by making sure you only connect to SSL websites (https:// instead of http://). You can further reduce the risk of this by always checking the fingerprint of the SSL certificate and making sure it does not change with out an adequate reason being presented by the site administrator. You can eliminate the risk of a spying exit node in some contexts. For example if you encrypt a message yourself with GPG before you send it, the exit node will not be able to break the encryption even if they are spying.

Tor is not meant for privacy (unless you only access .onions) it is meant for anonymity! If you want privacy while using Tor you will need to either only access .onions or you will need to layer it on yourself by using GPG, SSL, OTR or other encryption on top of it. Using Tor to connect to the open Internet with out using any privacy tools yourself can actually reduce your privacy from some attackers. Remember, Tor to the open Internet is for anonymity it is not for privacy. Anonymity is just as important as privacy. Also, networking tools with a larger focus on privacy than anonymity (such as VPNs), will not offer you privacy from law enforcement anymore than Tor will and they also tend to offer substantially worse anonymity!

If I use Tor can I be traced by the feds?

So far, probably not unless you get very unlucky or misconfigure something. The feds are getting better at tracing people faster than Tor is getting better at avoiding a trace. Tor is for low latency (fast) anonymity, and low latency solutions will never have the ability to be as anonymous as high latency (very slow) solutions. As recently as 2008 we have documented proof that FBI working with various other international federal agencies via Interpol could not trace high priority targets using the Tor network. There is a large amount of information indicating that this is still the case. This will not be the case forever and better solutions than Tor are going to be required at some point in the future. This does not mean you should stop using Tor! It is quite possible that no VPN solution offers better anonymity than Tor, and the only low latency network which can be compared to Tor in terms of anonymity is I2P. Freenet is an anonymous datastore which possibly offers better anonymity than Tor or I2P. In the end it is very difficult to say what the best solution is or who it will hold up to, but most people from the academic anonymity circles say Tor, I2P or Freenet are the best three options. JAP is considered worse than the three previously suggested solutions, but better than most VPN services. You should at the very least use an encrypted two hop solution if you want a chance at remaining anonymous from the feds.

Traced is a very particular term. It means that the attacker either can observe your exit traffic and follow it back to your entry point or that the attacker can see your traffic enter a network and follow it to its exit point. Tor does a good job of protecting from this sort of attack, especially if you have not pissed off any signals intelligence agencies. Tor does not protect from membership revealment attacks! It is vital that you understand this attack and take measures to counter it if you are a vendor. To learn more about how to counter this attack keep reading this document, we discuss more in the applied security advice section on this page.

If I use Tor can I be traced by the NSA?

Probably. If you want a chance of being anonymous from the NSA you should research the Mixmaster and Mixminion remailer networks. NSA usually traces people by hacking them and doing a side channel attack. They have dozens of zero day exploits for every major application. This is also how they compromise GPG and FDE. Your best bet to remain anonymous/secure from the NSA is to use ASLR with a 64 bit processor to protect from hacking + Tor + Random WiFi location.Using airgaps can protect from them stealing encryption keys. This would involve using one machine with access to the internet to receive data, transfer the encrypted data to another machine with a CD which you then destroy, and decrypt on a machine with no access to the internet. Don’t reuse transfer devices or else they can act as compromise vectors to communicate between the machine with no internet connection and the machine with internet connection. Mixminion is better than mixmaster.

If I use hacked cable modems am I untraceable?

No, the cable company can trace you and so can the police and feds. However, it will make it more difficult for them to do so. People have been busted using this technique by itself!

If I use hacked or open WiFi am I untraceable?

The degree of untraceability you get by using WiFi access points depends largely on how you are using them. If you always use your neighbors connection, the trace will go to your neighbor before it goes to you. However, if law enforcement make it to your neighbors house before you stop the pattern of behavior, they can use WiFi analysis equipment to trace the wireless signal from your neighbors router and back to you. Many people have been busted this way. Also, if you use many different WiFi access points but they fit into a modus operandi (such as always from a particular type of location, maybe coffee shop) , you can eventually be identified if law enforcement put enough effort into doing so. Some people have been busted using this technique. If you use a brand new random location (harder than it sounds) every time you make a connection your identity can still be compromised, but the amount of effort required increases tremendously (assuming you are protected from side channel attacks anyway, be they CCTV cameras or remote WPS infections). We have not heard of anyone being busted if they used a brand new randomly selected WiFi access point for every connection.

If I send a package domestic to the USA with USPS do they need a warrant to open the package?

Yes, if it is sent in such a way that it could contain communications. For example, a letter will require a warrant but perhaps a very large and heavy box will not. For the most part, they need a warrant. No other mailing company requires a warrant to open any sort of packages. International packages can be inspected by customs with no need for a warrant.

Should I use masking scents, such as perfumes etc?

No, masking scents will not prevent a dog from hitting on the package. Masking scents will however make the package seem more suspicious to humans. Vacuum seal the product and be very careful to not leave any residues.

Applied Security Guide

Step Zero: Encrypt your hosts HDD

If you use Windows this can be done with Truecrypt

If you use Linux there are various ways you can accomplish this, usually an install time option

Step One: Configure the base system, harden OS

Application layer attacks exploit programming or design flaws of the programs you use, in general the goal of such attacks is to take over your system. For a deeper look at application layer exploits please check out the this page. These attacks are very dangerous because they can circumvent a lot of the other security you use, like encryption and anonymity solutions. The good news is that Open Source acts as an application layer firewall between you and everyone you communicate with through Open Source. We have taken great care to harden our server from attack and even if you take no precautions yourself it should not be trivial for you to be hacked through our server. However it is still a good idea for you to harden your own system. You don’t know for sure if you can trust us and there is no reason to be a sitting duck if our server is indeed compromised.

The first step you should take is running the operating system you use to connect to Open Source in a Virtual Machine. We suggest that you use Virtualbox. Virtual machines like Virtualbox create virtual hardware and allow you to run an operating system on this virtual hardware. It sounds complex but you really don’t need to know a lot about the theory, Virtualbox does all the work for you. There are a few reasons why you should use a virtual machine. The primary reason is that if the browser in your virtual machine is hacked the attacker is stuck inside of the virtual machine. The only way they can get to your normal OS is if they find a vulnerability in the virtual machines hypervisor, this adds complexity to their attack. The second reason you should use a virtual machine is because it makes it easier to use Linux if you are used to Windows or Mac OSX. Linux is a lot easier to secure than those operating systems but it is also harder to use. By using a virtual machine you can use your normal OS and Linux at the same time, Linux runs as a guest OS in a window on your normal (host) OS.

It is very simple to set up a virtual machine. Download and install Virtualbox. After launching it you will need to create a new VM. It is pretty simple and the program will walk you through the steps. Make sure to create a large enough virtual drive to install an OS, I suggest around ten gigabytes. You will need an install image so you can put the OS of your choice on the VM. Download the most recent Ubuntu ISO and use this. Remember, it doesn’t really matter if you don’t know how to use Linux. All you are using this VM for is using Firefox to browse Open Source, security comes before ease of use! Now that your virtual machine has been created you need to point it to your Ubuntu install CD. You can do this by going to the machines storage tab in the Virtualbox manager and pointing the CD drive to your install ISO. You will possibly be required to configure your virtual machine to connect to the internet if the default settings do not work for you, but chances are high that they will. Now you need to boot the virtual machine and install Ubuntu. Installing Ubuntu takes a little over half an hour and is very easy, you can simply select to use the default options for almost all of the steps.

Now that Ubuntu has been installed in a virtual machine it is time to start hardening it. The first step is to make sure it is fully patched and up to date. You can do this by going to System -> Administration -> Update manager from the bar on the top of your screen. Make sure you install all new updates because the updates include important security patches. It will take a while to update your system.

Now it is time to do some more advanced hardening steps. These steps may seem to be difficult if you are not very advanced technically, but don’t worry it is all just following instructions and you only have to do it once. Go to Applications -> Accessories -> Terminal from the top bar on your screen. This will launch a command line interface. Now type in the following commands hitting enter after each:

sudo aa-enforce /etc/apparmor.d/*

 

This command enables every AppArmor profile that Ubuntu ships with, including one for Firefox. AppArmor is an application layer firewall and makes it a lot harder for a hacker to compromise an application configured with a profile.

sudo apt-get install bastille

This downloads a generic hardening script that will walk you through some automated steps to make your system more secure.

sudo bastille -c

This launches the bastille hardening script. It will walk you through every step, in general you should select the default option. Make sure you at least read every step, there might be some things you don’t want it to do but in general the default options are good.

Step Two: Configure Tor and GPG, harden Firefox

Follow these simply step by step guides in order

Install TorInstall GPGConfigure Firefox with Tor and Harden it

Although it is not required for customers to know how to use GPG they still should. Our system will protect your communications in some ways. Your messages are stored in encrypted containers set to dismount if an intrusion is detected. Our server is highly hardened and resistant to hackers infiltrating it and spying on your messages. We are also a Tor hidden service and therefor offer encryption from you to us and from us to the people you communicate with. Our server is still the weak point in this system, a particularly skilled hacker could compromise the server and manage to spy on your communications undetected. The server could be traced by an attacker who could then flash freeze the RAM and dump the encrypted container keys. As far as you know we could even be law enforcement, or law enforcement could compromise us at a later date (the first is not true and the second is not likely, but do you really know this?). Our system does not hide your communications from us if we are your adversary, the same is true for Hushmail and Safe-mail. You can protect your communications with high grade encryption algorithms simply by learning to use GPG and it isn’t hard so we highly suggest you do it. Vendors are required to accept GPG encrypted orders!

Step Three: Conceal your membership (VERY IMPORTANT FOR VENDORS)

Using Tor by itself is not enough to protect you, particularly if you are a vendor. Membership revealment attacks combined with rough geolocation intelligence can lead to a compromise! The gist of a membership revealment attack is easy to understand. The attacker merely determines everyone who is connecting to a particular network, even if they are incapable of determining where the traffic being sent through the network is destined for. Tor does a good job of preventing an attacker who can see exit traffic from following the stream back to your location. Unfortunately, if you ship product the attacker can determine your rough geolocation merely by determining where you ship product from. If the attacker already knows your rough geolocation and they are capable of doing a membership revealment attack to determine who all in your area is connected to Tor, they can likely narrow down your possible identity to a very small set size, possibly even a set size of one.

This is not likely to be useful for evidence but it will provide strong intelligence. Intelligence is the first step to gathering evidence. The attacker may put everyone in your area who they detect are connecting to the Tor network under meatspace surveillance looking for evidence of drug trafficking activity. For this reason it is highly important that you protect yourself from membership revealment attacks!

Membership revealment attacks are less a worry for customers (provided financiall intelligence is properly countered to avoid an attacker finding rough customer geolocations!) than they are for vendors. There are a few reasons why this is true. First of all a customer is likely to reveal more about their identity when they place an order than the attacker will be able to determine with a geolocation + membership revealment attack. Secondly, the vendors allowed to operate on Open Source have been highly screened to significantly reduce the probability that any of them are federal agents, but the customers on Open Source are not only anonymous but they are also not screened at all. Third of all, the organizational structure reduces the risk for customers; a customer may work with a few vendors but each vendor is likely to be working with hundreds or thousands of customers. Customers sourcing from Open Source are at minimal risk even if they have products delivered directly to there own residence, vendors working on Open Source at particularly vulnerable to membership revealment attacks due to the open nature of the site.

The primary concern for customers is that they load finances anonymously and the vendor decentralizes their financial network. If a vendor is using a star network (centralized) financial topology there is a risk that an attacker could map out the geographic locations where customers loaded funds. After determining where funding was loaded the attackers could do anonymizer membership revealment attacks in an area around the load point and filter out everyone who is not using an anonymizer. This will likely leave the customer and few others. The attacker may even be able to compare CCTV footage of the load to the users of anonymizers in the area and look for a facial recognition match. To counter this it is important for customers to make use of good financial counter intelligence techniques (E-currency layering being one). Customers may also choose to utilize transients by paying them a fee to load currency, this way the customer avoids being on CCTV at any point. If vendors decentralize funding points (ditch the star network topology) customers will be strongly protected from such attacks, however it is impossible for a customer to ensure that a vendor is using a 1:1 customer to account/pseudonym identification ratio.

There are several ways you can protect yourself from a membership revealment attack, if you are a vendor it would be foolish to not take one of these countermeasures. The primary way to protect from a membership revealment attack is to make sure you do not enter traffic through the same network you exit traffic through. As all traffic to Open Source ‘exits’ through the Tor network, entering your traffic through a VPN first will reduce your vulnerability to membership revealment attacks. The attacker will have to determine who all in your area uses any anonymizing technology and put all of them under meatspace surveillance, there are likely to be far more people in your area using some sort of proxy system than there are people using Tor in particular. This will substantially increase the cost of putting all ‘potential targets’ under surveillance.

Using a VPN is helpful but it is not the most ideal solution. Your crowd space against a membership revealment attack will increase but perhaps not by much depending on the particular area you work out of. Also, a particularly skilled attacker may be able to determine you are using a VPN to connect to Tor by fingerprinting traffic streams. Tor traffic is padded to 512 byte size packets, normal VPN traffic is not. By filtering for 512 byte streams, an attacker can determine who all is using Tor in a given area. VPN’s protect from IP routing based membership revealment attacks but not from traffic fingerprinting membership revealment attacks. However, it is less likely that an attacker will be able to do a traffic fingerprinting membership revealment attack. The Chinese intelligence services apparently are still using IP address based attacks to block access to the Tor network. This is not nearly as effective as traffic fingerprinting based attacks. This could be an indication that traffic fingerprinting membership revealment attacks are more difficult to carry out (likely), however it could also be due to a lack of skill on the part of Chinas intelligence services. It could also be that China is not particularly interested in blocking/detecting all Tor traffic and IP address based attacks meet their requirements.

A better option than using a VPN would be to set up a private VPS and then enter all of your Tor traffic through this. Doing this will make you much more resistant to IP address based membership revealment attacks because now the attacker will not even be able to narrow you down to all people in your area using any anonymity technology. This is still weak to traffic fingerprinting membership revealment attacks!

Perhaps the best option to avoid membership revealment attacks is to use open or cracked WiFi from a different location + Tor every single time you connect. You could even use open Wifi + VPN/VPS + Tor for very high security from membership revealment attacks. Using random (not your neighbors) open/cracked WiFi greatly increaces your resistance to a wide variety of identity revealing attacks. An attacker can still do membership revealment attacks on users of open WiFi but they can no longer gain useful intelligence from the attack. If they detect that an open WiFi connection unrelated to you is using Tor it can not be used to put you under meatspace surveillance unless they manage to identify you (facial recognition from CCTV cameras, etc).

If you are operating as part of a group you can avoid membership revealment attacks via smart organizational policy. The person responsible for communicating with customers should be different from the person shipping orders. Now the customers are incapable of determining where your actual rough geolocation is because product is sent from a different geographic area than you communicate from. Your shipper should be aware that they will potentially come under scrutiny via a geolocation + membership revealment attack, especially if they use Tor to enter traffic.

nother option is to configure Tor to use a bridge. Tor bridges are designed to allow people in nations such as China the ability to connect to the Tor network. China uses IP address based blocking to prevent users from connecting to known Tor nodes. Bridges are Tor entry guards that are not publicly listed and have a limited distribution mechanism. You can get some Tor bridge IP addresses from the Tor website. We do not suggest you use Tor bridges because they replace your entry guard and they are under crowded. This will lead to a lot less multiplexing on your Tor circuit and can hurt your anonymity in other ways, although it will indeed offer some level of protection from membership revealment attacks. China has managed to detect about 80% of Tor bridges, it is likely that NSA knows all of them. Police agencies in the West are probably not yet particularly worried about locating bridge nodes but they can probably do so with near the same accuracy as China. In our opinion it is not smart to rely on a Tor bridge to protect you from membership revealment attacks in most cases.

Step Four: Know how to do safe product transfer, handle finances safe

Note: Although customers sourcing from Open Source are encouraged to take the best security measures they can, it is not likely required for them to utilize advanced operational security regarding mail (such as fake ID boxes, tactical pick utechniques, etc). Because the vendors allowed to be listed here have been highly screened it is likely safe for customers to have product delivered directly to their homes. If you only work with highly trusted and trusted vendors your biggest concern will be a package being intercepted!