Thursday, July 23, 2015

Cryptome torrents draw concerns

Those following Cryptome on Twitter saw some messages that were a little nerve-wracking yesterday.

A similar warning was posted to the front page of Cryptome's website:

[image: Cryptome's torrent warning]

The link in Cryptome's message led me to a Kickass Torrents user account that had been opened ~3 weeks previously under the name Cryptome. The account uses the Cryptome website logo. Similar accounts were created on Monova and Lime Torrents.

[image: the Kickass Torrents user account named Cryptome]

Putting together an archive of a website you aren't affiliated with, whose content is already free and has been widely available for many years, isn't unheard of. But doing so while posing as that website is fishy.

[image]
The person circulating these files very likely looks like this.
I decided to check it out. Starting at Kickass Torrents, I looked through the list of uploads; the user had posted somewhere in the neighborhood of 146 files. The torrents had been generated over time, with the most recent one posted only about 20 minutes earlier. I thought I might luck out and identify the source of the torrent; 20 minutes wasn't long enough for it to be widely distributed, especially since this isn't exactly a cracked copy of Computer Dinosaurs 4, Talking Yellow Sex Toys 4, Elderly Former Governor Pretending to be a Naked Robot 5, Male Stripper 2 or Fifty-Year-Old Comic Book Characters that Never Should Have Been a Movie 12.

I am fairly certain that I was successful in tracking down the uploader. Somewhat.

The vast majority of IPs that seed torrents can be broken down into three groups:

- Residential and corporate ISPs
- Data center netblocks hosting VPN services
- Tor

First, there are just standard corporate and residential ISPs. These are the poor suckers you see on the receiving end of RIAA lawsuits. They also encompass the s***heads at work who make sure your office internet is consistently garbage. Every once in a while, it also includes the teenagers stealing Wi-Fi from their neighbors.

The second and third groups include 133t h@xx0rs (obviously). Some VPN companies and the good people of Tor will banhammer you if they find you sharing internet pornography with your peers, but that doesn't mean the traffic isn't there.
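Pulling the seeder list from a tracker and sorting it into those three groups is easy to script. The following is an added example, not the author's tooling: it decodes a tracker announce response (both the compact peer format of BEP 23 and the dictionary model of BEP 3) into peer addresses and buckets each one by prefix, with a separate "hosting" bucket for data-centre space that is not a known VPN provider, since that is where the interesting outlier sits. The announce response, the Tor exit set and the VPN/hosting prefixes are constructed for illustration; a real run would feed it a live announce and the published Tor exit list and provider prefix data.

```python
"""Decode a BitTorrent tracker announce response and bucket the peers.

Added example for this post, not the author's tooling.  The announce
response, the Tor exit set and the VPN/hosting prefixes below are all
constructed for illustration (RFC 5737 documentation ranges).
"""
import ipaddress
import struct


def bdecode(data: bytes, pos: int = 0):
    """Minimal bencode decoder; returns (value, position after value)."""
    c = data[pos:pos + 1]
    if c == b"i":                               # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                               # list: l<items>e
        pos, items = pos + 1, []
        while data[pos:pos + 1] != b"e":
            value, pos = bdecode(data, pos)
            items.append(value)
        return items, pos + 1
    if c == b"d":                               # dict: d<key><value>...e
        pos, items = pos + 1, {}
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            value, pos = bdecode(data, pos)
            items[key] = value
        return items, pos + 1
    if c.isdigit():                             # byte string: <len>:<bytes>
        colon = data.index(b":", pos)
        length, start = int(data[pos:colon]), colon + 1
        return data[start:start + length], start + length
    raise ValueError(f"malformed bencode at offset {pos}")


def peers_from_announce(response: bytes) -> list[tuple[str, int]]:
    """Return [(ip, port), ...] from either peer encoding a tracker may use."""
    reply, _ = bdecode(response)
    if b"failure reason" in reply:
        raise RuntimeError(reply[b"failure reason"].decode(errors="replace"))
    peers = reply[b"peers"]
    if isinstance(peers, bytes):                # compact form (BEP 23): 4-byte IP + 2-byte port
        if len(peers) % 6:
            raise ValueError("compact peer list is not a multiple of 6 bytes")
        return [(str(ipaddress.IPv4Address(peers[i:i + 4])),
                 struct.unpack("!H", peers[i + 4:i + 6])[0])
                for i in range(0, len(peers), 6)]
    return [(p[b"ip"].decode(), p[b"port"]) for p in peers]   # dictionary model (BEP 3)


# Constructed reference data.  Real runs would load the Tor exit list and
# provider prefixes/ASNs from their published sources.
TOR_EXITS = {"198.51.100.7"}
VPN_NETS = [ipaddress.ip_network("203.0.113.0/25")]        # assumed VPN provider block
HOSTING_NETS = [ipaddress.ip_network("203.0.113.128/25")]  # assumed generic data-centre block


def classify(ip: str) -> str:
    """Tor beats VPN beats plain hosting beats 'isp' (the default for everything else)."""
    if ip in TOR_EXITS:
        return "tor"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in VPN_NETS):
        return "vpn"
    if any(addr in net for net in HOSTING_NETS):
        return "hosting"          # a seeder here is the outlier worth fingerprinting
    return "isp"


def bucket_peers(response: bytes) -> dict[str, list[tuple[str, int]]]:
    groups: dict[str, list[tuple[str, int]]] = {"isp": [], "vpn": [], "tor": [], "hosting": []}
    for ip, port in peers_from_announce(response):
        groups[classify(ip)].append((ip, port))
    return groups


def _compact(peers: list[tuple[str, int]]) -> bytes:
    return b"".join(ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)
                    for ip, port in peers)


# Constructed announce response: d8:intervali1800e5:peers<len>:<blob>e
SAMPLE_PEERS = [("192.0.2.10", 51413), ("203.0.113.44", 6881),
                ("198.51.100.7", 9001), ("203.0.113.200", 16012), ("192.0.2.77", 6889)]
_blob = _compact(SAMPLE_PEERS)
SAMPLE_RESPONSE = b"d8:intervali1800e5:peers" + str(len(_blob)).encode() + b":" + _blob + b"e"

if __name__ == "__main__":
    for group, members in bucket_peers(SAMPLE_RESPONSE).items():
        print(f"{group:8s} {members}")
```

Trackers that honour `compact=1` return the six-byte form; older or non-compliant ones return the list of dictionaries, which is why the decoder handles both. Announcing to a tracker registers your own client as a peer, so run this from an address you are happy to have in the swarm.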

Of the dozens of trackers I looked at, there were 8 connections. One of those connections stood out from all the others: it was coming from a Leaseweb data center, on a server that, according to nmap, did not look even remotely like a VPN server:

PORT      STATE    SERVICE      VERSION
21/tcp    open     ftp          Pure-FTPd
25/tcp    filtered smtp
80/tcp    open     http         Apache httpd 2.4.10 ((Red Hat) mpm-itk/2.4.7-02 OpenSSL/1.0.1e-fips mod_fastcgi/mod_fastcgi-SNAP-0910052141)
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
443/tcp   open     ssl/http     Apache httpd 2.4.10 ((Red Hat) mpm-itk/2.4.7-02 OpenSSL/1.0.1e-fips mod_fastcgi/mod_fastcgi-SNAP-0910052141)
445/tcp   filtered microsoft-ds
1031/tcp  open     http         nginx 1.0.15
2702/tcp  open     sms-xfer?
16012/tcp open     ssh          OpenSSH 5.3 (protocol 2.0)
16080/tcp open     ssl/http     Apache httpd 2.4.10 ((Red Hat) mpm-itk/2.4.7-02 OpenSSL/1.0.1e-fips mod_fastcgi/mod_fastcgi-SNAP-0910052141)
18040/tcp open     ssl/http     Apache httpd 2.4.10 ((Red Hat) mpm-itk/2.4.7-02 OpenSSL/1.0.1e-fips mod_fastcgi/mod_fastcgi-SNAP-0910052141)

The presence of mpm-itk (an Apache MPM that runs each vhost under its own user and group, which you mostly see on multi-tenant hosting), the Microsoft ports showing as filtered rather than open (a provider firewall dropping probes, not Windows services on the box), and OpenSSH moved to a high port all reek of a VPS. Sure enough, connecting to this IP address with a browser provided some very straightforward information:


So we have a VPS hosting company, and we have an account associated with the IP address, titled Continental, under the username `jeromelitaud`. There are also a few forward DNS entries associated with the IP: soucy666.srv.sn and moussor.srv.sn.
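A practitioner will want to pull those hosting indicators out of the scan mechanically rather than by eye. The following added example (not part of the original post, and not nmap's own code) parses `nmap -sV` normal output, using the listing above as embedded sample input, extracts name/version components from the Apache banner, and reports the signals that point to a shared or VPS host rather than a VPN endpoint. The indicator rules are heuristics of my own.

```python
"""Pull hosting indicators out of an `nmap -sV` listing.

Added example for this post, not nmap's or the author's code.  SCAN is the
listing from the post, embedded as sample input; the indicator rules are
heuristics of my own.
"""
import re
from dataclasses import dataclass

SCAN = """\
PORT      STATE    SERVICE      VERSION
21/tcp    open     ftp          Pure-FTPd
25/tcp    filtered smtp
80/tcp    open     http         Apache httpd 2.4.10 ((Red Hat) mpm-itk/2.4.7-02 OpenSSL/1.0.1e-fips mod_fastcgi/mod_fastcgi-SNAP-0910052141)
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
443/tcp   open     ssl/http     Apache httpd 2.4.10 ((Red Hat) mpm-itk/2.4.7-02 OpenSSL/1.0.1e-fips mod_fastcgi/mod_fastcgi-SNAP-0910052141)
445/tcp   filtered microsoft-ds
1031/tcp  open     http         nginx 1.0.15
2702/tcp  open     sms-xfer?
16012/tcp open     ssh          OpenSSH 5.3 (protocol 2.0)
16080/tcp open     ssl/http     Apache httpd 2.4.10 ((Red Hat) mpm-itk/2.4.7-02 OpenSSL/1.0.1e-fips mod_fastcgi/mod_fastcgi-SNAP-0910052141)
18040/tcp open     ssl/http     Apache httpd 2.4.10 ((Red Hat) mpm-itk/2.4.7-02 OpenSSL/1.0.1e-fips mod_fastcgi/mod_fastcgi-SNAP-0910052141)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
COMPONENT = re.compile(r"([\w-]+)/(\S+?)(?=[\s)]|$)")   # name/version tokens in a banner
WINDOWS_PORTS = {135, 139, 445}


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap(text: str) -> list[Port]:
    """Parse the PORT/STATE/SERVICE/VERSION table of nmap's normal output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append(Port(int(m[1]), m[2], m[3], m[4], (m[5] or "").strip()))
    return ports


def components(ports: list[Port]) -> dict[str, str]:
    """Collect name->version pairs (mpm-itk, OpenSSL, ...) from every banner."""
    found: dict[str, str] = {}
    for p in ports:
        for name, version in COMPONENT.findall(p.version):
            found.setdefault(name, version)
    return found


def hosting_indicators(ports: list[Port]) -> list[str]:
    """Heuristics (mine, not nmap's) for 'multi-tenant Linux VPS, not a VPN endpoint'."""
    signals = []
    opened = [p for p in ports if p.state == "open"]
    comps = components(opened)
    if "mpm-itk" in comps:
        signals.append("Apache mpm-itk %s: each vhost runs under its own uid/gid, "
                       "typical of shared hosting" % comps["mpm-itk"])
    filtered_win = sorted(p.number for p in ports
                          if p.state == "filtered" and p.number in WINDOWS_PORTS)
    if filtered_win and not any(p.number in WINDOWS_PORTS for p in opened):
        signals.append("ports %s filtered, not open: a provider firewall dropping "
                       "probes, not Windows services" % filtered_win)
    for p in opened:
        if p.service == "ssh" and p.number != 22:
            signals.append("OpenSSH moved to port %d" % p.number)
    high_https = [p.number for p in opened if p.service == "ssl/http" and p.number > 1024]
    if high_https:
        signals.append("HTTPS listeners on high ports %s: control panel or per-customer vhosts"
                       % high_https)
    # A TCP-only scan cannot see OpenVPN/UDP or IKE, so this is weak negative evidence.
    if not any("openvpn" in p.version.lower() or p.service in ("openvpn", "pptp")
               or p.number in (1194, 1723) for p in opened):
        signals.append("no TCP VPN endpoint (OpenVPN/PPTP) among open ports")
    return signals


if __name__ == "__main__":
    for s in hosting_indicators(parse_nmap(SCAN)):
        print("-", s)
```

The parser only reads the port table, so it works on the output of a default TCP scan; if you also scan UDP (`-sU`) the same regex picks up `udp` rows and the VPN check becomes meaningful rather than a weak negative.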

UPDATE: I received an anonymous email pointing me in the direction of an online profile for a person whose government name resembles the username. I find it very unlikely that whoever went through the trouble of hosting a VPS to seed these files would use his or her actual name for their (very public) username. If `jeromelitaud` represents an actual name and not merely a pseudo-random nom de guerre, it is almost certainly because someone by that name has had their identity stolen, not because they are part of some conspiracy to track Cryptome users. So please, I would greatly appreciate it if readers would leave people whose name resembles that username alone.

I reached out to the VPS hosting company, the Essex-based Seedboxes (a d/b/a for Cylo Tech Ltd). To their credit, I received a response from an actual human being. Unlike a lot of abuse@ contacts, this issue was very much in the hosting company's immediate self-interest to deal with: it very much appeared that their resources were being stolen by a user whose account had been terminated. Seedboxes manually deleted the VPS account; a software glitch had allowed it to survive an automated account termination process. Such problems are common.

Within an hour or two of the server being taken offline, the phony Cryptome account on Kickass Torrents also appears to have been disabled. This is what a Kickass Torrents user account page typically looks like:


That is what the phony Cryptome account's page looked like when I started looking into this. Here is what the phony account page looks like now:


I'm not sure if this change is due to whoever is behind the account attempting to cancel it, or if Kickass Torrents received a complaint and terminated it. I haven't spoken to anyone at Kickass Torrents regarding this issue. Accounts using the same name and circulating the same files remain active on Monova and Lime Torrents.

Cryptome suspected that this may have been an attempt to circulate malicious software among their users. I was not able to download all of the torrents that were being circulated. Of the few I was able to retrieve, I did not identify any malware. However, the files I retrieved were merely flat text files; other torrents containing PDF files would be much more likely to carry malicious scripts. The only difference I identified between the index files I retrieved and the current copies of the same files on the Cryptome website was that the torrent copies used non-SSL URLs. That's a lot of effort to go through for the remote hope of getting people to use a non-SSL version of Cryptome, particularly when non-SSL versions of Cryptome are regularly indexed in Google and Cryptome does not redirect to SSL pages:


If someone reading this retrieved these files and is no longer seeding them, contact me! I would be very interested in reviewing the files.

Why publish this if no malware was identified? The posting of Cryptome's concerns on their website and social media is bound to draw concern from users, and those users deserve to have the most comprehensive information available. Given the sorts of files Cryptome distributes, the threat of tracking software being used to infect their readers should not be considered outlandish. For the time being, we don't have enough information to draw many conclusions about this event.

If you are reading this, and you created these torrents, I encourage you to come forward. What did you hope to accomplish with these torrents? Let us know.

UPDATE: Some 36 hours after I had the compromised host noted above taken offline, the fake Cryptome account on Kickass Torrents was re-activated and uploaded new files, as shown below. I have contacted Kickass Torrents by email and on Twitter.

