Sponsored by..

Monday, 5 August 2013

Torsploit: is 65.222.202.53 the NSA?

There has been a lot of chatter in the past day or so about the takedown of an Irish outfit called Freedom Hosting which hosted a number of "hidden services" on Tor, ranging from Tormail (which allows anonymous email communication) to.. well, Really Bad Stuff that you don't want to know about. Basically.. Law Enforcement (LE) appear to have discovered the real-world location of these servers on the other side of Tor and have busted the alleged operator.

What gets interesting is that some of these Tor services were infected with an injection script that attempted to reveal the real IP address of the the visitor through a security flaw in the version of Firefox in the Tor Bundle. There's an interesting analysis of the script here and the long and the short of it is that the injected code attempt to call back to 65.222.202.53, in order to track the Tor users involved.

So.. who is 65.222.202.53? Well, it seems to be a Verizon Business IP (part of a "ghost block" of 65.222.202.48/29) in the Washington DC area. You know.. the home of several government agencies or branches thereof. But now the Internet is awash with rumours that this IP address belongs to the NSA. But what evidence is there?

A lot of the fuss seems to have happened because of this tweet from Baneki Privacy Labs.

What Baneki are saying is that the whole 65.222.202.0/24 block (the "C block" in classful parlance) is owned by a government contractor called SAIC (apparently not the SAIC who own MG Motors!) and that SAIC are connected to the DoD. Although SAIC are certainly a military contractor, the error that they are making is to believe the report from DomainTools which appears to be misinterpreting the allocations in that particular block.


So, does SAIC (listed here as SCIENCE APPLICATIONS INT) own the whole /24? No. Verizon has simply allocated the first /28 in that block to SAIC, and it appears the DomainTools is misinterpreting that data.

NetRange:       65.222.202.0 - 65.222.202.15
CIDR:           65.222.202.0/28
OriginAS:   
NetName:        UU-65-222-202-D4
NetHandle:      NET-65-222-202-0-1
Parent:         NET-65-192-0-0-1
NetType:        Reassigned
Comment:        Addresses within this block are non-portable.
RegDate:        2006-09-14
Updated:        2006-09-14
Ref:            http://whois.arin.net/rest/net/NET-65-222-202-0-1

CustName:       SCIENCE APPLICATIONS INT
Address:        47332 EAGAN MCALLISTER LN
Address:        RM 1112 1st fl
City:           LEXINGTON PARK
StateProv:      MD
PostalCode:     20653-2461
Country:        US
RegDate:        2006-09-14
Updated:        2011-03-19
Ref:            http://whois.arin.net/rest/customer/C01446299


Other suballocations is that block do include government agencies, but just a couple of IPs away from the mystery IP is 65.222.202.56/29 which belongs to an industrial supply company called Universal Machines. Whoever uses 65.222.202.53 is very likely to be a corporate or government entity, but really that's pretty much all you can tell from the Verizon Business IP. DomainTools is great but as with any automated tool.. sometimes you need to double-check what it reports back.

But then Baneki make another claim.. that obviously 65.222.202.53 belongs to the NSA, because the NSA controls the entire 65.192.0.0/11 range (65.192.0.1 to 65.223.255.254) which is about 2 million IPs.
 This is what they were referring to:

Umm, well.. no. That's just another block allocated to Verizon Business. You may as well argue that everything in 0.0.0.0/0 belongs to the NSA on the same principle. Actually.. maybe it does, but that's another matter entirely. Again.. Robtex is a great tool but you sometimes need to sanity-check the output.

It may surprise you to learn that law enforcement officers and intelligence agencies are not normally complete fucking idiots when it comes to guarding their IP addresses. They do not (for example) sign up to Silk Road with their @fbi.gov email addresses or poke around the underweb from an NSA IP address range. Well, not normally..

I am not saying that the injection wasn't the work of the NSA. Or the CIA, FBI, DOD, IRS or another other Alphabet Soup Agency. But let's see some real evidence first, eh?

UPDATE: I had a closer look at the users of the /24 here. It's a mix of businesses and government organisations and contractors, not surprising given the physical location of the /24.

4 comments:

Unknown said...

To be clear, nobody has claimed that this IP address is somehow a "stupid error" on the part of... whatever spook agency is behind the torsploit attack. Baneki quickly proposed a game-theoretic analysis as to why this IP is so publicly visible.

They're not fucking idiots, the spooks, and anyone who behaves as if they are is going to have a very bad time of things. None of the researchers involved in this analysis have made such a claim, so that's a bit of a straw man to beat on.

As to whether the individual IP in that C block is "only" allocated to Verizon, or is more broadly allocated, Baneki has been quite clear all day that such a conclusion requires expertise from folks with firsthand, deep experience in this specific sort of network analysis - which they stated was not their role. Indeed, they noted the nsa.gov connection after seeking information from independent malware analysis experts.

The research team has posted, via Ars, their Monte Carlo-style scenario analysis as to what are the most likely explanations for this IP address appearing as it does. As they say, it might just be some pizza shop doing some malware moonlighting on the side... but is that really a viable explanation?

This is LEO, clearly. That it's not domestic LEO, and likely involves non-domestic resources and organizations, is - if not demonstrated at this point via simple IP analysis - very difficult to wave away on simple logical terms.

So that settles it: the only real way to know is for someone to root the box in question, pcap everything coming and going, and post it publicly - it's the only way to be sure! :-P

Unknown said...

Ah, well, the Ars comment link would be useful. Apologies, here goes:

http://www.cryptocloud.org/viewtopic.php?f=14&t=2951&start=10#p3867

Conrad Longmore said...

@Crypto: didn't mean to cause offence, sorry! My point is that LE and intel agencies make at least a little effort to hide their traces, just to support that this isn't a large block controlled by the NSA.

However, there's a ghost block in that range of 65.222.202.48/29 which is obviously in use, but isn't listed as a suballocation from the parent Verizon Business range.

Here's a scenario though - some government agency that happens to be a Verizon Business customer simply rented a new IP address range from them. Note (for example) who owns 65.222.202.47 - "FTS2001/US Government".

unixfreaxjp said...

Your link is broken for the analysis that lead to suspicious IP backdoored to visited of the mentioned Tor site, feel free to use this analysis instead https://pastebin.com/bu2Ya0n6 .
Or see the proof in screenshot here http://i.imgur.com/45fQLcL.png

Anyone who uses malware just sucks. No matter who you are.

#MalwareMustDie!