The End of Anonymity on Anonymous Networks

Post on 14-Apr-2017

TOR, I2P, FREENET… FOR WHAT?

DEANONYMIZATOR… THE END OF ANONYMITY ON ANONYMOUS NETWORKS

Denis Makrushin (@difezza), Maria Garnaeva

Global Research and Analysis Team

«I KNOW WHAT YOU DID LAST SUMMER»

… BUT HOW?!

EXPLOITS, FINGERPRINTING… YEP-YEP.

FLASH, HTML5, ENTRY-NODE DETECTION… YEP-YEP.

BUT HOW …

… did they find my mega-private-0day-forum?!

… did they find me?!

PASSIVE DATA COLLECTION SYSTEM… OR HOW DID THEY FIND MY MEGA-PRIVATE-0DAY-FORUM?!

>> ExitPolicy accept *:*

>> tshark -i 1 -w dump.pcap

TOR-USER’S PSYCHOLOGICAL PORTRAIT

PSYCHOLOGICAL PORTRAIT. PART TWO.

BlackMarket; 14.32
DDoS-campaign; 3.03
FinancialServices; 2.82
DarknetHoster; 1.86
Russian; 1.70
Leaks&Services; 1.70
Pedophile; 1.65
Asian; 0.85
Pornographie; 0.85
Hacker&Malicious; 0.80
Search Engines; 0.64
Gambling; 0.53
Arabic; 0.11

Other; 19%
Common; 59%
No Content; 22%

ACTIVE DATA COLLECTION SYSTEM… OR KNOCK-KNOCK, DUDE!

TRAFFIC INJECTION… YEP-YEP.

TELL ME, WHO ARE YOU?

SO DIFFERENT COOKIES

MEANWHILE, IN TOR BROWSER

LET ME MEASURE YOUR TEXT

GETBOUNDINGCLIENTRECT()

FONT; VALUE
Impact; 3409372
Georgia; 3344049
Courier New; 3430809
Consolas; 3392005
MS Gothic; 3383290

“YEP-YEP, WE KNOW” – TOR PROJECT

PROOF-OF-CONCEPT: PREPARING PATIENT

PROOF-OF-CONCEPT: INJECT IT!

PROOF-OF-CONCEPT: ANALYZE IT!

XSS IS A PAIN OF ONION

VECTOR OF ATTACK

I KNOW YOU BY THE FONTS

THANK YOU! QUESTIONS?

denis.makrushin@kaspersky.com

maria.garnaeva@kaspersky.com

http://twitter.com/difezza
