All images in this blog are created by the author

DeepWeb and Darknet — Part 3

Uma Chandrasekhar


As I mentioned in the first two parts of this series, the DeepWeb and the DarkNet make up a large share of the web, and they are not all illegal. The DeepWeb is simply everything a search engine does not index; the DarkNet is the much smaller set of sites that can only be reached through an overlay network such as Tor, using the Tor Browser or similar software.

PirateBox

PirateBox is a small, self-contained file-sharing system built for people who want to exchange files and messages anonymously and without touching the internet. It consists of a cheap device (a router or a single-board computer) with a WiFi adapter that broadcasts its own wireless network, plus enough storage for whatever the users want to upload and download. Anyone within radio range joins the network and is redirected by a captive portal to a local web page where they can upload files, browse and download what others have shared, and use a simple chat room or message board. No account, login or password is involved. Most people copy what they want straight onto their phone or a micro SD card. For simplicity, it can be visualized as a single node on a LAN that exists only around the box; in practice it can be extended with a browser-based file manager, chat, image and video upload and so on.

The two properties that matter are that it is wireless and that it is offline. Because the box has no uplink to the internet, there is no ISP in the path, nothing is logged by a third party, and the users' real IP addresses never leave the room; the project also deliberately keeps no access logs on the box itself. "Anonymity" here is relative, though: the box can still see the MAC address of every device that joins, and everyone in radio range can join. You do not need an invitation. A box owner who wants a closed group of people sharing or selling something can put a WPA2 passphrase on the access point and hand it out privately, but that is a choice, not the default.

Many DeepWeb and DarkNet users build their own box, and the best-known platform for doing so is the Raspberry Pi. (The Raspberry Pi is the hardware, not the PirateBox; the PirateBox software is free and runs on the Pi and on small OpenWrt routers.) It is cheap, comes in several models and is easy to set up. The owner typically administers the box over SSH (an encrypted remote shell on port 22), and the web interface can be served over HTTPS (TLS on port 443, the same protocol banking and shopping sites use), but ordinary users need neither: they connect to the open WiFi and open the portal page. To run your own, install the PirateBox image on a Raspberry Pi or any other supported device.

PirateBox exposes no remote API; it is used through the captive-portal web page and administered by logging in to the box itself, where the shared files sit in a directory on its storage. The important property is that all connectivity happens over the box's own WiFi adapter, so anyone in range can reach the files without ever going through an ISP, which is what makes it more private than any internet-hosted service. The PirateBox project publishes ready-made images and install scripts for the Raspberry Pi and for supported OpenWrt routers.
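The core of a PirateBox-style drop box, as an added example written for this article (it is not the PirateBox project's code): an HTTP server that lists, serves and accepts files, keeps no access log, and binds only to the access-point address. The interesting part for a security reader is the upload path: anyone in radio range can upload, so the filename is attacker-controlled and must be reduced to a single safe path component before it touches the filesystem. The interface address 192.168.77.1, the `shared` directory and the raw-body upload convention (an `X-Filename` header instead of a multipart form) are assumptions for this example.

```python
"""Minimal PirateBox-style offline drop box (added example, not PirateBox code).

Assumptions (hypothetical): the box's WLAN interface is 192.168.77.1, uploads
arrive as raw request bodies named by an X-Filename header (a real box would
parse a multipart form), and shared files live under ./shared.
"""
import os
import re
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path

SHARE_ROOT = Path("shared")
MAX_UPLOAD = 64 * 1024 * 1024  # 64 MiB cap so one guest cannot fill the SD card

_NAME_RE = re.compile(r"[^A-Za-z0-9._-]")


def safe_filename(name: str) -> str:
    """Reduce a client-supplied name to one safe path component.

    Strips any directory part (including ../ and Windows-style \\), replaces
    everything outside a conservative character set, and refuses names that
    collapse to nothing (e.g. "..", "." or "").
    """
    base = os.path.basename(name.replace("\\", "/"))
    base = _NAME_RE.sub("_", base).strip("._")
    if not base:
        raise ValueError("empty or unsafe filename")
    return base[:120]


def store_upload(root: Path, name: str, data: bytes) -> Path:
    """Write data under root: never above it, never over an existing file."""
    if len(data) > MAX_UPLOAD:
        raise ValueError("upload too large")
    root = root.resolve()
    target = (root / safe_filename(name)).resolve()
    if target.parent != root:  # belt and braces after basename()
        raise ValueError("path escapes share root")
    root.mkdir(parents=True, exist_ok=True)
    with open(target, "xb") as fh:  # 'x': fail instead of overwriting a peer's file
        fh.write(data)
    return target


class DropHandler(BaseHTTPRequestHandler):
    def log_message(self, *_):  # PirateBox ethos: keep no access logs at all
        pass

    def do_GET(self):
        if self.path == "/":
            names = sorted(p.name for p in SHARE_ROOT.glob("*") if p.is_file())
            self._reply(200, "\n".join(names).encode() or b"(empty)")
            return
        try:
            target = SHARE_ROOT.resolve() / safe_filename(self.path.lstrip("/"))
            self._reply(200, target.read_bytes(), "application/octet-stream")
        except (ValueError, FileNotFoundError, IsADirectoryError):
            self._reply(404, b"no such file")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        if length > MAX_UPLOAD:
            self._reply(413, b"too large")
            return
        data = self.rfile.read(length)
        try:
            stored = store_upload(SHARE_ROOT, self.headers.get("X-Filename", ""), data)
        except (ValueError, FileExistsError) as exc:
            self._reply(400, str(exc).encode())
            return
        self._reply(201, stored.name.encode())

    def _reply(self, code, body, ctype="text/plain"):
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(bind="192.168.77.1", port=80, root=SHARE_ROOT):
    """Bind only to the access-point address (assumed 192.168.77.1): the box
    must never listen on an interface that could reach the public internet."""
    root.mkdir(parents=True, exist_ok=True)
    ThreadingHTTPServer((bind, port), DropHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run it on the box with the WLAN interface up, then from a phone on the same WiFi fetch `/` for the listing, `/name` for a file, or `POST` a body with `X-Filename` to upload. The `"xb"` open mode and the basename check are the two lines that stop one guest from overwriting or planting files outside the share; the dropped `log_message` is what keeps the box from becoming a record of who visited.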

Osiris

In 2018, Osiris made news as a banking Trojan that slipped past Windows defenses and was used against banking customers in several countries. Osiris is a reworked version of the older Kronos banking Trojan. Its dropper is largely file-less: the final payload is never written to disk as a normal file but is loaded straight into the memory of a legitimate-looking process, which makes it hard to find and hard to clean up afterwards. According to published analyses of the dropper (see the Threatpost write-up in the references), it combines two injection techniques:

1) Process hollowing. A legitimate executable is started in the suspended state, its original image is unmapped or overwritten in memory with the malicious code, the main thread's entry point is redirected, and the thread is resumed. To the operating system, and to tools that only look at the process name and path, it is still the legitimate program.

2) Process doppelgänging. The malicious image is written to a file inside an NTFS transaction (TxF, which has existed since Windows Vista), a memory section is created from that transacted file, and the transaction is then rolled back. The file never becomes visible on disk, so file-based antivirus scanning never sees it, but the section, and any process image built from it, survives.

Osiris chains the two: the section produced by the doppelgänging step is mapped into the process that was hollowed out, so there is no malicious file on disk and the running code lives inside a process that looks legitimate. The reliance on NTFS transactions is also why the trick only works on NTFS volumes: the transaction is what keeps the payload invisible until it has been mapped into memory.

While the process runs under its legitimate name (so nothing looks wrong to the user, or to tools that only check names and file hashes), the injected code does the Trojan's real work of hooking the browser and stealing banking credentials. Timing is not a reliable way to catch this; the injection adds no meaningful delay. What does catch it is behavioral and memory-based detection: an EDR or antivirus engine that watches for a process created suspended whose memory is replaced before it is resumed, for a section created from a transacted file that is then rolled back, or that scans process memory and flags an executable image that matches no file on disk. SIEM tools do not scan memory themselves; they correlate the alerts such endpoint sensors raise, and the organizations hunting Osiris used them together with memory scanning, boot-sector protection and behavior monitoring on the endpoints.
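The detection logic just described, as an added example written for this article rather than taken from any vendor's product: a small behavioral detector run over a constructed API-call trace. The trace format (`pid=.. api=.. key=value`) and the handle names are invented for the example; a real EDR or sandbox feed names these calls differently and carries more context. The trace contains an Osiris-style chain (transacted file, section, rollback, suspended child, section mapped in, context set, resume) next to a benign program that merely creates and resumes a suspended child, which must not alert.

```python
"""Behavioral detection of process hollowing and process doppelgaenging over a
constructed API-call trace (added example; the trace schema is made up)."""
from collections import defaultdict

# Constructed trace. pid 4012 is the Osiris-style dropper; pid 6100 is a benign
# program (a debugger, say) that also creates and resumes a suspended child.
TRACE = r"""
pid=4012 api=NtCreateTransaction handle=tx1
pid=4012 api=CreateFileTransacted path=C:\Users\u\AppData\Local\Temp\upd.tmp handle=f7 tx=tx1
pid=4012 api=WriteFile handle=f7 bytes=212992
pid=4012 api=NtCreateSection file=f7 section=s3
pid=4012 api=NtRollbackTransaction handle=tx1
pid=4012 api=CreateProcess image=C:\Windows\System32\svchost.exe flags=CREATE_SUSPENDED child=5120
pid=4012 api=NtMapViewOfSection section=s3 target=5120
pid=4012 api=SetThreadContext target=5120
pid=4012 api=ResumeThread target=5120
pid=6100 api=CreateProcess image=C:\Windows\System32\notepad.exe flags=CREATE_SUSPENDED child=6132
pid=6100 api=ResumeThread target=6132
""".strip().splitlines()

# Calls that replace a suspended child's memory before it has ever run.
HOLLOW_REPLACE = {"NtUnmapViewOfSection", "WriteProcessMemory", "NtMapViewOfSection"}


def parse_line(line):
    """'pid=1 api=X a=b' -> {'pid': '1', 'api': 'X', 'a': 'b'} (all strings)."""
    return dict(tok.split("=", 1) for tok in line.split())


def detect(lines):
    """Return (technique, actor_pid, target) alerts, in trace order."""
    alerts = []
    suspended = defaultdict(set)    # actor -> children it created suspended
    replaced = defaultdict(set)     # actor -> suspended children whose memory it replaced
    ctx_set = defaultdict(set)      # actor -> suspended children whose thread context it set
    tx_files = defaultdict(set)     # actor -> file handles opened inside an NTFS transaction
    tx_sections = defaultdict(set)  # actor -> sections created from those files
    rolled_back = set()             # actors that rolled a transaction back
    for ev in map(parse_line, lines):
        pid, api, target = ev["pid"], ev["api"], ev.get("target")
        # Hollowing: suspended child, memory replaced, entry point redirected, resumed.
        if api == "CreateProcess" and "CREATE_SUSPENDED" in ev.get("flags", ""):
            suspended[pid].add(ev["child"])
        elif api in HOLLOW_REPLACE and target in suspended[pid]:
            replaced[pid].add(target)
        elif api == "SetThreadContext" and target in suspended[pid]:
            ctx_set[pid].add(target)
        elif api == "ResumeThread" and target in replaced[pid] and target in ctx_set[pid]:
            alerts.append(("process_hollowing", pid, target))
        # Doppelgaenging: a section built from a transacted file that is then
        # rolled back (never lands on disk) and used to back executable memory.
        if api == "CreateFileTransacted":
            tx_files[pid].add(ev["handle"])
        elif api == "NtCreateSection" and ev.get("file") in tx_files[pid]:
            tx_sections[pid].add(ev["section"])
        elif api == "NtRollbackTransaction":
            rolled_back.add(pid)
        if (api in ("NtMapViewOfSection", "NtCreateProcessEx")
                and ev.get("section") in tx_sections[pid] and pid in rolled_back):
            alerts.append(("process_doppelganging", pid, ev["section"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(TRACE):
        print(alert)
```

The benign debugger sequence produces nothing because a suspended child by itself is normal; the alert needs the memory replacement and the redirected entry point as well. Likewise the doppelgänging rule keys on the combination (transacted file, section from it, rollback, then use) rather than on any single call, since transactions are used legitimately by installers and Windows Update.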

BlackThrow

BlackThrow, also known as the 'Kamikaze box', is the DarkNet version of what pentesters call a drop box: a small hidden device planted inside a target network (a government or corporate office, for instance) that gives its operators a way in. Once running, the box exposes its SSH service as a Tor onion service, so anyone who has the .onion address can log in from the Tor network, reach the internal systems behind the box, and read through documents and files while their own location stays hidden. Because the box only makes outbound connections to the Tor network, it looks like an ordinary client to the organization's firewall, and the Tor circuit keeps its users isolated from the security tooling that would otherwise try to identify them.

In that sense the box is also a private entry point, much like a Tor bridge. A bridge is a Tor relay that is not listed in the public directory. Censors that want to block Tor usually download the public relay list and block every address on it; a bridge is unlisted, so a user in such a network can connect to the bridge as their first hop and from there reach the normal Tor network, and through it the DarkNet sites they could not otherwise reach. Tor Browser ships with a handful of default bridges, and the Tor Project hands out more through BridgeDB (by web, email or Telegram), but anything that is publicly distributed can be collected and blocked by a censor using the same channels, and the default bridges have been. (The Tor Project publishes current relay and bridge counts on its Tor Metrics site.) China has blocked the public relays for years and actively probes suspected bridges, and Russia has also taken steps against the network. This is why bridges are now normally combined with a pluggable transport such as obfs4, which makes the connection look like random traffic rather than Tor, and why privately shared entry points like BlackThrow exist at all.

The Tor circuit image above shows the usual client-to-server path. A bridge replaces the guard (entry) node: the user knows its address, because they have to connect to it, but the censor does not, and the rest of the circuit (middle and exit, or rendezvous, nodes) is unchanged, so the user still reaches the DeepWeb anonymously.
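A torrc fragment showing both halves of this, as an added example written for this article (it is not the page's or the Tor Project's own text): the client side, with the weak form (a plain bridge that is unlisted but still looks like Tor on the wire) beside the obfs4 form, and the box side, where SSH is reachable only as an onion service so the box never reveals an IP address. The address, fingerprint and cert values are placeholders; real ones come with the bridge line from BridgeDB or from whoever runs the bridge.

```text
## ---- Client side: reach Tor where the public relays are blocked ----
UseBridges 1

## Weak: a plain ("vanilla") bridge. Unlisted, but the handshake still looks
## like Tor and a publicly distributed address can be harvested and blocked.
# Bridge 203.0.113.10:443 <FINGERPRINT>

## Better: an obfs4 bridge obtained privately. obfs4 hides the Tor handshake;
## the cert= and iat-mode= values are part of the bridge line you are given.
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy
Bridge obfs4 203.0.113.10:443 <FINGERPRINT> cert=<CERT> iat-mode=0

## ---- Box side: expose SSH only as an onion service ----
## The box makes outbound Tor connections only; its IP is never published.
## An operator connects with:  torsocks ssh user@<name>.onion
HiddenServiceDir /var/lib/tor/ssh/
HiddenServicePort 22 127.0.0.1:22
```

For defenders the box side is the indicator: a tor process with a `HiddenServiceDir` on a device nobody inventoried, or a host whose only outbound traffic is long-lived connections to Tor relays or obfs4 bridges, is exactly what a planted box looks like from the network.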

OnionCat

As the number of Tor users grew, so did attacks on the network, and many users wanted something stronger than a browser: a way to carry arbitrary IP traffic (SSH, VoIP, file transfers, their own services) between Tor users without either side learning the other's real address. That is what OnionCat, first released in 2006, provides. It is a VPN-style adapter: it creates a virtual network interface (a TUN device, so it works at OSI layer 3) on the host and tunnels every IP packet sent to that interface through a Tor onion service; I2P is supported in the same way. OnionCat is a standalone program that sits between the operating system and the local Tor daemon. Each OnionCat peer runs an onion service, and OnionCat derives a unique IPv6 address from the onion address itself: the 80 bits encoded in a 16-character (v2) onion name become the host part of an address in the fd87:d87e:eb43::/48 range. The mapping is deterministic and fixed rather than changing over time, and that is the point: when the OS sends a packet to a peer's IPv6 address, OnionCat computes the matching .onion name from the destination and opens a Tor circuit to it with no directory or lookup table. (Newer versions handle the longer v3 onion names through a local hosts file instead, since a 256-bit key cannot fit in 80 bits.)

The security effect is that both endpoints are onion services, so neither side's real IP address appears anywhere in the connection. An observer on the path sees only Tor traffic between relays, and an attacker who wanted to sit in the middle would have to break Tor's onion-service rendezvous rather than intercept a packet addressed to the real host. Although OnionCat's native addressing is IPv6, it can carry IPv4 as well. In simple terms, OnionCat is a virtual network in which each participant appears only as an IPv6 node derived from its onion name, so that hidden client-server communication works like ordinary IP networking.
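The address mapping described above, as an added example written for this article (it is not OnionCat's own code): the forward step that turns a v2 onion name into its fd87:d87e:eb43::/48 address, and the reverse step OnionCat performs when a packet arrives on the TUN interface and it needs the .onion to connect to. The one real identifier used, 3g2upl4pq6kufc4m.onion, was DuckDuckGo's retired v2 address.

```python
"""OnionCat's address mapping, as an added example (not OnionCat's own code).

OnionCat gives every v2 onion service a fixed IPv6 address in fd87:d87e:eb43::/48:
the 80 bits that a 16-character base32 onion name encodes become the host part.
Both directions are pure arithmetic, so a packet's destination address alone
tells OnionCat which .onion to open a circuit to.
"""
import base64
import ipaddress

ONIONCAT_PREFIX = bytes.fromhex("fd87d87eeb43")  # fd87:d87e:eb43::/48, the Tor side


def onion_to_ipv6(onion: str) -> ipaddress.IPv6Address:
    """Map a v2 onion name (with or without '.onion') to its OnionCat address."""
    name = onion.strip().lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    if len(name) != 16:
        # v3 names are 56 chars (a 256-bit key) and cannot be squeezed into 80
        # bits, which is why newer OnionCat versions resolve them via a hosts file.
        raise ValueError("only 16-character (v2) onion names map arithmetically")
    host = base64.b32decode(name.upper())  # 16 base32 chars -> exactly 10 bytes
    return ipaddress.IPv6Address(ONIONCAT_PREFIX + host)


def ipv6_to_onion(addr) -> str:
    """Recover the .onion name from an OnionCat address (the routing step)."""
    packed = ipaddress.IPv6Address(addr).packed
    if packed[:6] != ONIONCAT_PREFIX:
        raise ValueError("not an OnionCat address")
    return base64.b32encode(packed[6:]).decode("ascii").lower() + ".onion"


if __name__ == "__main__":
    a = onion_to_ipv6("3g2upl4pq6kufc4m.onion")
    print(a, "->", ipv6_to_onion(a))
```

Because the mapping is a bijection on 80 bits, there is nothing to guess or rotate: anyone who knows a peer's onion name knows its OnionCat address and vice versa, and the anonymity comes entirely from the fact that the onion service, not the host's real address, is what the address resolves to.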

The Benefits and Drawbacks of using Tor

I will complete this three-part series on the DeepWeb and the DarkNet by listing one advantage and one disadvantage of using the Tor overlay network.

Benefit: anonymity.

Drawback: not completely secure. Tor protects the route, not the endpoints, so it remains exposed to several classes of attack: plug-in based browser attacks (browser plug-ins, whether commercial ones such as Adobe Flash or custom ones, run outside Tor's proxy settings and can be made to connect directly, revealing the user's real IP address); the Torben attack (a published side-channel attack in which the user is lured to a page carrying attacker-chosen markers, and an observer of the user's encrypted Tor traffic matches the resulting traffic pattern to learn what the user is visiting, eroding anonymity over time); and data leakage attacks (DNS requests that bypass Tor, or unencrypted traffic read by a malicious exit node), among others.

Conclusion

I have tried my best to introduce the DeepWeb and the DarkNet, as reached through the Tor network and the Tor Browser, to my audience in this three-part series. My concluding advice is: do not use the Tor Browser for everyday activity like online shopping, downloading or streaming regular content, for two reasons.

1) It is slow compared to a normal Chrome or Edge session, because every request hops through three relays that may sit on different continents, and the relays' bandwidth is shared with everyone else using them.

2) Your ISP can see that you are using Tor. It cannot see which sites you visit through it, because the connection to the first relay is encrypted, but the fact of Tor use is visible unless you connect through a bridge with a pluggable transport, and reporting on leaked surveillance documents has indicated that US agencies such as the NSA flag people who connect to the Tor network. If you then log in to your ordinary accounts through Tor, you also hand those sites a link between your real identity and your Tor session, which defeats the purpose of using it.

References

· https://www.computer.org/publications/tech-news/research/digital-forensics-security-challenges-cybercrime

· https://www.mondaq.com/unitedstates/Media-Telecoms-IT-Entertainment/898838/The-Ultimate-Way-To-Perform-An-Online-Criminal-Investigation-Over-The-Dark-Web

· https://github.com/rahra/onioncat

· https://threatpost.com/osiris-banking-trojan-displays-modern-malware-innovation/137393/

Uma Chandrasekhar

I live and work as an executive technical innovator in Silicon Valley, California. I love working in autonomous systems including AVs.