Over 100 Snooping Tor Nodes Have Been Spying on Dark Web Sites

Researchers uncovered malicious hidden service directories that uncover meant-to-be-secret dark web sites.

Just like the internet generally, not all of the Tor network is safe. Sometimes, people set up malicious exit nodes—the part of the network where a user's traffic joins the rest of the normal web—in order to spy on what users are up to.

But there are other types of nosy nodes too. Researchers have uncovered over 100 malicious hidden service directories (HSDirs): the relays of the network that allow people to visit dark web sites.

Typically, a Tor user reaches out to these HSDirs, which store descriptors for various hidden services, in order to visit whatever dark web site they're after. At the time of writing, there are over 3,000 nodes with the HSDir flag, according to figures from the Tor Project, the non-profit that maintains the Tor software.

When set up properly, these directories don't record or log the addresses of the services themselves, allowing the dark web sites to, hopefully, remain undiscovered. But sometimes people deliberately modify their HSDir to keep a record of all the sites it spots.

Cops could do this to find new child pornography sites, or hackers to hunt fresh targets

By setting up honeypots in the Tor network, Guevara Noubir, a professor from the College of Computer and Information Science at Northeastern University, and Amirali Sanatinia, a PhD candidate also from Northeastern, discovered an armada of Tor hidden service directories that are spying on dark web sites. These modified nodes allow whoever is behind them—perhaps law enforcement, hackers or other researchers—to find the addresses of sites that are supposed to be secret. The pair will be presenting their research at the Def Con hacking conference in August.

People who want to hunt out dark web sites "go through the code and do the modifications to be able to log the .onions, and then visit them," Noubir told Motherboard in a phone call.

Cops could do this to find new child pornography sites, or hackers to hunt fresh targets. Noubir pointed out that there are plenty of companies that sell dark web intelligence too, so perhaps they could be setting up HSDirs.

"We create what we call 'honey onions' or 'honions.' These are onion addresses that we don't share with anyone," Noubir said. If someone visits the sites, it's a good indication that their service has been picked up by a malicious HSDir.

At any one time, the pair ran 4,500 honey onions over 72 days, and found at least 110 HSDirs spying on hidden services. Some of the actors behind these weren't just passive observers; many came back and then aggressively probed the hidden services.

"They're looking for vulnerabilities in the web server," Sanatinia said. Those attackers might look for cross-site scripting attacks, SQL-injection vulnerabilities, or just try to find the server's status page, which can reveal lots of interesting, and potentially identifying, information about the site.

Most of the dodgy HSDirs the researchers found were hosted in the US, followed by Germany, France, and then other European countries. Of course, that doesn't necessarily mean their operators are based in the same country; anyone can whip up a remote server from pretty much anywhere in the world. And because over half of the 110 nodes were hosted on cloud infrastructure, it's not easy to immediately pin down who's behind them.

Roger Dingledine, co-founder of the Tor Project, told Motherboard in an email, "One key thing to understand is that those are not all relays that are in the Tor network at the same time, and few to none of them are in the Tor network right now." He added that the Tor Project has found malicious HSDirs itself recently, and kicked them out of the network.

Dingledine added that the research "mirrors some work we've been doing internally—It's great to have more people thinking along these lines. Ultimately, the fix will be the plan to re-do onion services."