Scanning The Dark Web

So what did WannaCry connect to? Well, once installed on a machine (through unpatched SMB shares on Windows), the ransomware first downloaded the Tor program, and then connected directly to five onion addresses:

gx7ekbenv2riucmf.onion
57g7spgrzlojinas.onion
xxlvbrloxvriy2c5.onion
76jdd2ir2embyv47.onion
cwwnhwhlz52maqm7.onion

Increasingly we see applications and, especially, malware connecting directly to the Dark Web (which is basically the Tor network). Within the Tor network, data is encrypted in layers at its core, and is relayed from an entry node, through the network, to an exit node. This lets traffic cross the Internet without revealing who is talking to whom. Increasingly, though, we now see a complete end-to-end connection from a host into the Dark Web, with the destination itself a .onion service.

So how do we find out which systems are there, given that we can’t search for them on Google? Well, luckily there’s a great little application called OnionScan, which communicates through the Tor service and dumps a JSON file with the results. Our first task is to download the complete list of onion sites [link]:

1muta.3535663776646657.onion
2222222222hofxwd.onion
2222222223myexge.onion
22222222266i2kbs.onion
222222222c7r2gdj.onion
222222222g4bgdec.onion
222222222hldsq4k.onion
222222222nykzrsh.onion
22222222ay7mhtbs.onion
22222222bxxurr35.onion
22222222cjqiit46.onion
22222222hkqnx4ec.onion
22222222juzrxryi.onion
22222222m4cetz5t.onion
22222222mmqrbyaf.onion
22222222n77jskuw.onion
22222222ozmawqkq.onion
22222222pwxzali2.onion
22222222qca6aead.onion
...

Once we’ve downloaded the Tor program, we start it as a service for OnionScan to use [Download here]:

Next we can run a basic Python script to read this file in, and then call OnionScan on each address to produce a report [Python code]:

[*] Total onions for scanning: 8593
[*] Running 0 of 8593.
[*] Onionscanning 7ln4cubdfhs7tvtz.onion
onion_scanner.py:159: UnicodeWarning: Unicode equal comparison failed to convert
both arguments to Unicode - interpreting them as being unequal
if linked_onion not in onions and linked_onion.endswith(".onion"):
[++] Discovered new .onion => torimageboen6yyy.onion
[++] Storing torimageboen6yyy.onion in master list.
[++] Discovered new .onion => kpvzqvzyooocvs7u.onion
[++] Storing kpvzqvzyooocvs7u.onion in master list.
[*] Running 1 of 8595.
[*] Onionscanning 6eoidnylfm6223wq.onion
[*] Running 2 of 8595.
[*] Onionscanning zjt3hdcatvm3dcpm.onion
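The three steps above (download the list, start Tor, run a script that feeds each address to OnionScan) are what the log shows. The following is an added example of such a driver script; it is not the [Python code] the post links to. It reproduces the behaviour visible in the log: the list is read in, each address is scanned, and when a report's identifierReport.linkedOnions names addresses not yet in the master list they are appended to it, which is why the total grows from 8593 to 8595 as the run proceeds. It also sidesteps the UnicodeWarning in the log by coercing names to str before comparing them. Assumptions not taken from the page: the scanner is installed as `onionscan` on PATH and accepts `--webport=0 --jsonReport --simpleReport=false <onion>` writing the JSON report to stdout, Tor is already running as its SOCKS proxy, and the downloaded list is saved as `onion_master_list.txt`. The sample list embedded in the block is constructed and does not name real sites.

```python
"""Drive OnionScan over a master list of .onion addresses (added example).

Assumed, not from the page: `onionscan` is on PATH and accepts
`--webport=0 --jsonReport --simpleReport=false <onion>`, printing the JSON
report to stdout; Tor is already running as its SOCKS proxy; the downloaded
list is saved as onion_master_list.txt.
"""
import json
import re
import subprocess
from pathlib import Path

# v2 addresses (the ones on the page) are 16 base32 chars, v3 addresses are 56;
# the optional leading label keeps entries such as sub.xxxxxxxxxxxxxxxx.onion.
ONION_RE = re.compile(r"^(?:[a-z0-9-]+\.)*(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")

# Constructed sample in the format of the downloaded list (not real sites).
SAMPLE_LIST = """\
abcdefghijklmnop.onion
ABCDEFGHIJKLMNOP.onion
bbbbbbbbbbbbbbbb.onion

not-an-onion.example.com
sub.cccccccccccccccc.onion
"""


def parse_onion_list(text):
    """Unique, well-formed .onion names from the list text, in first-seen order."""
    onions = []
    for raw in text.splitlines():
        name = raw.strip().lower()
        if name and ONION_RE.match(name) and name not in onions:
            onions.append(name)
    return onions


def merge_linked_onions(report, onions):
    """Append onions linked from a report to the master list; return the new ones.

    Names are coerced to str before the `not in` check: mixing bytes and
    unicode in that comparison is what the UnicodeWarning in the log is about.
    """
    ident = (report or {}).get("identifierReport") or {}
    new = []
    for linked_onion in ident.get("linkedOnions") or []:
        linked_onion = str(linked_onion).strip().lower()
        if ONION_RE.match(linked_onion) and linked_onion not in onions:
            onions.append(linked_onion)
            new.append(linked_onion)
    return new


def run_onionscan(onion, timeout=300):
    """Run the (assumed) OnionScan CLI on one address; None if no report came back."""
    try:
        proc = subprocess.run(
            ["onionscan", "--webport=0", "--jsonReport", "--simpleReport=false", onion],
            capture_output=True, text=True, timeout=timeout, check=False)
    except subprocess.TimeoutExpired:       # many listed sites are simply offline
        return None
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def scan_all(onions, results_dir="onionscan_results", scanner=run_onionscan):
    """Scan every address in the growing list, storing one JSON file per report."""
    out = Path(results_dir) if results_dir else None
    if out:
        out.mkdir(exist_ok=True)
    index = 0
    while index < len(onions):          # len() is re-read: the list grows as links appear
        onion = onions[index]
        print(f"[*] Running {index} of {len(onions)}.")
        print(f"[*] Onionscanning {onion}")
        report = scanner(onion)
        if report is not None:
            if out:
                (out / f"{onion}.json").write_text(json.dumps(report))
            for found in merge_linked_onions(report, onions):
                print(f"[++] Discovered new .onion => {found}")
                print(f"[++] Storing {found} in master list.")
        index += 1
    return onions


if __name__ == "__main__":
    master = parse_onion_list(Path("onion_master_list.txt").read_text())
    print(f"[*] Total onions for scanning: {len(master)}")
    scan_all(master)
```

The `scanner` parameter exists so the loop can be exercised without Tor or OnionScan present; the `while` loop reads `len(onions)` on every pass, which is the detail that lets newly linked addresses be scanned in the same run.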

The scanning takes a while, and many of the .onion sites are not online, but we can parse the JSON files produced:

import glob
import json

file_list = glob.glob("onionscan_results/*.json")
for json_file in file_list:
    with open(json_file, "r") as fd:
        scan = json.load(fd)
    # One line per report: file name, then the web, vnc and bitcoin detection flags
    print('%40s %5s %5s %5s' % (json_file, scan['webDetected'],
                                scan['vncDetected'], scan['bitcoinDetected']))

To give the results of:

web   vnc   Bitcoin
onionscan_results\2222222iqv7qzecz.onion.json False False False
onionscan_results\2222222jnjbt53uo.onion.json False False False
onionscan_results\2222222vuvz6z5jk.onion.json False False False
onionscan_results\222222u2yo6k75ap.onion.json False False False
onionscan_results\24hoursmlmohtx7r.onion.json True False False
onionscan_results\2f3omrnmbcgyjv7f.onion.json False False False
onionscan_results\2p4cnrv7xdnltfs7.onion.json False False False
onionscan_results\3htfwd2shbx6vjzq.onion.json False False False
onionscan_results\44skw7aj6mho2pt6.onion.json True False False
onionscan_results\4fvfozz6g3zmvf76.onion.json False False False
onionscan_results\4jdcngjg366q6agp.onion.json False False False
onionscan_results\57g7spgrzlojinas.onion.json False False False
onionscan_results\5uy4y46mutfhzvu4.onion.json False False False
onionscan_results\5zf5yc2vwcnxgugv.onion.json True False False
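The listing above prints three flags per report. As an added example (not the post's script), the block below goes further over the same JSON schema: it tallies every top-level `*Detected` flag across a set of reports, counts how many services were actually online, and pulls out the `identifierReport` fields that matter for an onion operator's own safety (a leaked private key, an exposed Apache mod_status page, clearnet IP or e-mail addresses, open directories, EXIF data). The field names are the ones in the page's reports; the sample reports embedded in the block are constructed, and 192.0.2.10 is a documentation address.

```python
"""Summarise a directory of OnionScan JSON reports (added example)."""
import glob
import json

# identifierReport fields worth flagging when true or non-empty
RISK_FIELDS = ("privateKeyDetected", "foundApacheModStatus", "ipAddresses",
               "emailAddresses", "analyticsIDs", "bitcoinAddresses",
               "openDirectories", "exifImages")

# Constructed sample reports in the page's schema (trimmed; not real sites).
SAMPLE_REPORTS = [
    {"hiddenService": "aaaaaaaaaaaaaaaa.onion", "online": True,
     "webDetected": True, "sshDetected": True, "bitcoinDetected": False,
     "identifierReport": {"privateKeyDetected": True, "foundApacheModStatus": False,
                          "ipAddresses": None, "emailAddresses": None}},
    {"hiddenService": "bbbbbbbbbbbbbbbb.onion", "online": False,
     "webDetected": True, "sshDetected": False, "bitcoinDetected": False,
     "identifierReport": {"privateKeyDetected": False, "foundApacheModStatus": False,
                          "ipAddresses": None, "emailAddresses": None}},
    {"hiddenService": "cccccccccccccccc.onion", "online": True,
     "webDetected": False, "sshDetected": False, "bitcoinDetected": True,
     "identifierReport": {"privateKeyDetected": False, "foundApacheModStatus": True,
                          "ipAddresses": ["192.0.2.10"], "emailAddresses": None}},
]


def detected_services(report):
    """Service names whose top-level *Detected flag is true, e.g. ['web']."""
    suffix = "Detected"
    return sorted(key[:-len(suffix)] for key, value in report.items()
                  if key.endswith(suffix) and value is True)


def risk_findings(report):
    """identifierReport fields that are true or non-empty."""
    ident = report.get("identifierReport") or {}
    findings = {}
    for field in RISK_FIELDS:
        value = ident.get(field)
        if value:
            findings[field] = value
    return findings


def summarise(reports):
    """Counts across reports plus the list of services with risk findings."""
    totals = {"reports": len(reports), "online": 0, "services": {}, "risky": []}
    for report in reports:
        # "online" and "webDetected" are separate flags: the page's own report
        # has online=false with webDetected=true, so both are counted.
        if report.get("online"):
            totals["online"] += 1
        for service in detected_services(report):
            totals["services"][service] = totals["services"].get(service, 0) + 1
        if risk_findings(report):
            totals["risky"].append(report["hiddenService"])
    return totals


def load_reports(pattern="onionscan_results/*.json"):
    """Read every report the scan loop wrote; empty list if none exist yet."""
    reports = []
    for path in sorted(glob.glob(pattern)):
        with open(path, "r") as fd:
            reports.append(json.load(fd))
    return reports


if __name__ == "__main__":
    reports = load_reports() or SAMPLE_REPORTS
    for report in reports:
        print("%-30s %-5s %-20s %s" % (
            report["hiddenService"], report.get("online"),
            ",".join(detected_services(report)) or "-",
            ",".join(risk_findings(report)) or "-"))
    print(json.dumps(summarise(reports), indent=2))
```

Run with no reports on disk it falls back to the constructed samples, so the output shape can be checked before a long scan finishes.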

So let’s look at one (yllornhy7glid3ks.onion):

{"hiddenService":"yllornhy7glid3ks.onion",
"dateScanned":"2017-05-28T10:24:50.2466462+01:00",
"online":false,"performedScans":["web","tls","ssh",
"irc","ricochet","ftp","smtp","mongodb","vnc","xmpp",
"bitcoin","bitcoin_test","litecoin","dogecoin"],
"webDetected":true,"tlsDetected":false,"sshDetected":false,
"ricochetDetected":false,"ircDetected":false,"ftpDetected":false,
"smtpDetected":false,"bitcoinDetected":false,"mongodbDetected":false,
"vncDetected":false,"xmppDetected":false,"skynetDetected":false,
"crawls":{"http://yllornhy7glid3ks.onion/":6329667490382684397,
"http://yllornhy7glid3ks.onion/javascript":8363645181049909250,
"http://yllornhy7glid3ks.onion/javascript/libs":2878855960383760365,
"http://yllornhy7glid3ks.onion/javascript/libs/bootstrap-lightbox.min.js":1762306089084359393,
"http://yllornhy7glid3ks.onion/javascript/libs/bootstrap-wysihtml5.js":2967920598091598850,
"http://yllornhy7glid3ks.onion/javascript/libs/jquery-spin.js":174069532058144669,
"http://yllornhy7glid3ks.onion/javascript/libs/jquery.easydate-0.2.4.min.js":911683749319216363,
"http://yllornhy7glid3ks.onion/javascript/libs/oauth.min.js":3581540000759955260,
"http://yllornhy7glid3ks.onion/javascript/libs/sha1.min.js":8372376906579552966,
"http://yllornhy7glid3ks.onion/main":7393288195471817752,
"http://yllornhy7glid3ks.onion/main/login":752350630313337344,
"http://yllornhy7glid3ks.onion/private_key":2178377475803840446,
"http://yllornhy7glid3ks.onion/server-status":4992889571784672250,
"http://yllornhy7glid3ks.onion/stylesheet":6841420532813919408,
"http://yllornhy7glid3ks.onion/stylesheet/bootstrap-lightbox.min.css":4787556079706294251,
"http://yllornhy7glid3ks.onion/stylesheet/bootstrap-wysihtml5.css":4350743326790348987,
"http://yllornhy7glid3ks.onion/stylesheet/pumpio.css":5444166912470982031},
"pgpKeys":null,"certificates":null,
"bitcoinServices":{"bitcoin":{"detected":false,
"userAgent":"","prototocolVersion":0,"onionPeers":null},"bitcoin_test":{"detected":false,
"userAgent":"","prototocolVersion":0,"onionPeers":null},"dogecoin":{"detected":false,"userAgent":"",
"prototocolVersion":0,"onionPeers":null},"litecoin":{"detected":false,"userAgent":"",
"prototocolVersion":0,"onionPeers":null}},"sshKey":"","sshBanner":"","ftpFingerprint":"",
"ftpBanner":"","smtpFingerprint":"","smtpBanner":"","lastAction":"dogecoin","timedOut":false,
"error":null,"identifierReport":{"privateKeyDetected":false,"foundApacheModStatus":false,
"serverVersion":"","relatedOnionServices":null,"relatedOnionDomains":null,"ipAddresses":null,
"emailAddresses":null,"analyticsIDs":null,"bitcoinAddresses":null,"linkedOnions":null,
"openDirectories":null,"exifImages":null},"simpleReport":{"hiddenService":"yllornhy7glid3ks.onion","risks":null}}

We can see, in this case, that it supports a Web connection, but there’s no integration with Bitcoin. If we open the site in the Tor browser we get:

With the UK looking at banning end-to-end encryption, you have to wonder whether we will also increasingly see applications integrate directly with the Tor network.

So what about the onion server that WannaCry connected to? Let’s scan gx7ekbenv2riucmf.onion:

{"hiddenService":"gx7ekbenv2riucmf.onion",
"dateScanned":"2017-05-28T22:32:55.591305+01:00",
"online":false,"performedScans":["web","tls","ssh","irc","ricochet","ftp"
,"smtp","mongodb","vnc","xmpp","bitcoin","bitcoin_test","litecoin",
"dogecoin"],"webDetected":true,"tlsDetected":false,
"sshDetected":false,"ricochetDetected":false,"ircDetected":false,
"ftpDetected":false,"smtpDetected":false,"bitcoinDetected":false,
"mongodbDetected":false,"vncDetected":false,"xmppDetected":false,
"skynetDetected":false,
"crawls":{"http://gx7ekbenv2riucmf.onion/":5076691641330869498,
"http://gx7ekbenv2riucmf.onion/private_key":3271659558775744760,
"http://gx7ekbenv2riucmf.onion/server-status":240869346166992088},
"pgpKeys":null,"certificates":null,
"bitcoinServices":{"bitcoin":{"detected":false,"userAgent":"",
"prototocolVersion":0,"onionPeers":null},
"bitcoin_test":{"detected":false,"userAgent":"",
"prototocolVersion":0,"onionPeers":null},
"dogecoin":{"detected":false,"userAgent":"",
"prototocolVersion":0,"onionPeers":null},
"litecoin":{"detected":false,"userAgent":"",
"prototocolVersion":0,"onionPeers":null}},
"sshKey":"","sshBanner":"","ftpFingerprint":"",
"ftpBanner":"","smtpFingerprint":"","smtpBanner":"",
"lastAction":"dogecoin","timedOut":false,"error":null,
"identifierReport":{"privateKeyDetected":false,
"foundApacheModStatus":false,"serverVersion":"",
"relatedOnionServices":null,"relatedOnionDomains":null,
"ipAddresses":null,"emailAddresses":null,"analyticsIDs":null,
"bitcoinAddresses":null,"linkedOnions":null,"openDirectories":null,
"exifImages":null},"simpleReport":
{"hiddenService":"gx7ekbenv2riucmf.onion","risks":null}}

We can see it has Web enabled, but it is a bit of a disappointment: