TOR, I2P, FREENET… FOR WHAT?

DEANONYMIZATOR… THE END OF ANONYMITY ON ANONYMOUS NETWORKS

Denis Makrushin (@difezza), Maria GarnaevaGlobal Research and Analysis Team

«I KNOW WHAT YOU DID LAST SUMMER»

… BUT HOW?!

EXPLOITS, FINGERPRINTING… YEP-YEP.

FLASH, HTML5, ENTRY-NODE DETECTION… YEP-YEP.

BUT HOW …

… did they found my mega-private-0day-forum?!

… did the found me?!

PASSIVE DATA COLLECTION SYSTEM… OR HOW DID THE FOUND MY MEGA-PRIVATE-0DAY-FORUM?!

>> EXITPOLICY ACCEPT *:*

>>TSHARK –I 1 –W DUMP.PCAP

TOR-USER’S PSYCHOLOGICAL PORTRAIT

PSYCHOLOGICAL PORTRAIT. PART TWO.

BlackMarket; 14.32

DDoS-campaign; 3.03

Finan-cialServices; 2.82

Dark-netHoste

r; 1.86

Russian; 1.70

Leaks&Services;

1.70

Pe-dophile;

1.65

Asian; 0.85

Pornographie; 0.85

Hacker&Malicious; 0.80 Search Engines; 0.64Gambling; 0.53Arabic; 0.11

Other19%

Common59%

No Content22%

ACTIVE DATA COLLECTION SYSTEM… OR KNOCK-KNOCK, DUDE!

TRAFFIC INJECTION… YEP-YEP.

TELL ME, WHO ARE YOU?

SO DIFFERENT COOKIES

MEANWHILE, IN TOR BROWSER

LET ME MEASURE YOUR TEXT

GETBOUNDINGCLIENTRECT()

FONT VALUE

Impact 3409372

Georgia 3344049

Courier New 3430809

Consolas 3392005

MS Gothic 3383290

“YEP-YEP, WE KNOW” – TOR PROJECT

PROOF-OF-CONCEPT: PREPARING PATIENT

PROOF-OF-CONCEPT: INJECT IT!

PROOF-OF-CONCEPT: ANALYZE IT!

XSS IS A PAIN OF ONION

VECTOR OF ATTACK

I KNOW YOU BY THE FONTS

THANK YOU! QUESTIONS?denis.makrushin@kaspersky.commaria.garnaeva@kaspersky.comhttp://twitter.com/difezza