Retrieving malware over Tor on Windows

Published: 2018-02-25. Last Updated: 2018-02-25 23:14:33 UTC
by Didier Stevens (Version: 1)
7 comment(s)

I found an easier way to retrieve malware over Tor on Windows, using free open-source software.

Tallow uses Tor and WinDivert to redirect network connections over the Tor network.

After starting Tallow, press the Tor button:

Then you can use wget on Windows:

DEBUG output created by Wget 1.11.4 on Windows-MSVC.

--2018-02-25 23:56:22--  http://example.com/
Resolving example.com... seconds 0.00, 44.223.23.63
Caching example.com => 44.223.23.63
Connecting to example.com|44.223.23.63|:80... seconds 0.00, connected.
Created socket 300.
Releasing 0x0142ea78 (new refcount 1).

---request begin---
GET / HTTP/1.0

User-Agent: Wget/1.11.4

Accept: */*

Host: example.com

Connection: Keep-Alive

 

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.0 200 OK

Cache-Control: max-age=604800

Content-Type: text/html

Date: Sun, 25 Feb 2018 22:56:24 GMT

Etag: "1541025663+gzip+ident"

Expires: Sun, 04 Mar 2018 22:56:24 GMT

Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT

Server: ECS (lga/1386)

Vary: Accept-Encoding

X-Cache: HIT

Content-Length: 1270

Connection: keep-alive

 

---response end---
200 OK
Registered socket 300 for persistent reuse.
Length: 1270 (1.2K) [text/html]
Saving to: `index.html'

     0K .                                                     100% 32.1M=0s

2018-02-25 23:56:23 (32.1 MB/s) - `index.html' saved [1270/1270]

Onion services can be accessed too:

By default, Tallow only allows TCP connections on port 80 and 443 (Force web-only). Disable this toggle if you need to access other ports.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: malware tor wget
7 comment(s)

Comments

[quote]DEBUG output created by Wget 1.11.4 on Windows-MSVC.[/quote]

Only fools use a completely outdated and vulnerable version of wget to retrieve malware.
Complete fools let their vulnerable version of wget send its version per "User-Agent:" to servers which may take advantage of its vulnerabilities.
And an ultra fool believes (because it's not thinking) that User Agent is the straw that broke the camel's back. Happy fooling.
sorry
any explanation for this: https://www.virustotal.com/en/file/e89cd0892cb9375aec69c0099f3adee38183623c78ee134ec245b315397bbd87/analysis/1519661994/
https://reqrypt.org/download/TallowBundle-1.0-install.exe ??????
[quote=comment#41027]any explanation for this: https://www.virustotal.com/en/file/e89cd0892cb9375aec69c0099f3adee38183623c78ee134ec245b315397bbd87/analysis/1519661994/
https://reqrypt.org/download/TallowBundle-1.0-install.exe ??????[/quote]

Not "any", but "many" explanations:
1. the executable installer is vulnerable, it allows escalation of privilege;
2. the PE checksum stored in the header differs from the actual checksum;
3. no authenticode signature, so no proof of authenticity possible.

Stay far away from such crap!
[quote=comment#41019]And an ultra fool believes (because it's not thinking) that User Agent is the straw that broke the camel's back. Happy fooling.[/quote]
Except for complete idiots straw does not replace an argument; not even a full-grown strawmen does, although these are routinely used to brake camels backs.
Never seen quite such a pissing match in the diaries before.

I'm pretty sure most people coding malware sites are one of several things:

A. Lazy
B. Not as smart as you give them credit for.
C. 85% cut and paste
D. Did I say lazy?

Yes they are mainly just that lazy. Hardly doubt that the sheeple they are hoarding in, or planning on give them cause to write a header user agent directive and/or subroutine



Besides.... From https://www.gnu.org/software/wget/manual/wget.html


‘-U agent-string’
‘--user-agent=agent-string’
Identify as agent-string to the HTTP server.

The HTTP protocol allows the clients to identify themselves using a User-Agent header field. This enables distinguishing the WWW software, usually for statistical purposes or for tracing of protocol violations. Wget normally identifies as ‘Wget/version’, version being the current version number of Wget.

However, some sites have been known to impose the policy of tailoring the output according to the User-Agent-supplied information. While this is not such a bad idea in theory, it has been abused by servers denying information to clients other than (historically) Netscape or, more frequently, Microsoft Internet Explorer. This option allows you to change the User-Agent line issued by Wget. Use of this option is discouraged, unless you really know what you are doing.

Specifying empty user agent with ‘--user-agent=""’ instructs Wget not to send the User-Agent header in HTTP requests.

Diary Archives