[tor-bugs] #22369 [Metrics/Censorship analysis]: Increase of users in Ukraine due to block of Russia-based services

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed May 24 23:48:35 UTC 2017 

#22369: Increase of users in Ukraine due to block of Russia-based services
-----------------------------------------+------------------------------
 Reporter:  dcf                          |          Owner:  metrics-team
     Type:  project                      |         Status:  new
 Priority:  Medium                       |      Milestone:
Component:  Metrics/Censorship analysis  |        Version:
 Severity:  Normal                       |     Resolution:
 Keywords:  censorship block ua          |  Actual Points:
Parent ID:                               |         Points:
 Reviewer:                               |        Sponsor:
-----------------------------------------+------------------------------

Comment (by dcf):

 cachuatl found code that looks like it's fetching an obfuscated whitelist
 of sites to proxy through tor, and deobfuscating it:
  * attachment:fetchBlackListJson.js\\
    Retrieves !https://update. ''host'' /blckd.json for values of ''host''
 in `['updtbrwsr.com', 'updtapi.com', 'brwsrapi.com', 'mrbrwsr.com',
 'savebrwsr.com', 'svbrwsr.com']`.

 {{{
 var decryptJson = function decryptJson(str) {
   var xorc = (0, _xorc2.default)(1234567890);
   return JSON.parse(xorc.decrypt(str));
 };

 exports.default = function (salt) {
   var randomMin = arguments.length > 1 && arguments[1] !== undefined ?
 arguments[1] : 100;
   var randomMax = arguments.length > 2 && arguments[2] !== undefined ?
 arguments[2] : 100;

   var saltInt = parseInt(salt);

   if (salt) {
     if (!saltInt) {
       throw new Error('Salt is not a Number');
     }
     salt = saltInt;
   } else {
     salt = Math.round(Math.random() * (randomMax - randomMin) +
 randomMin);
   }

   return {
     encrypt: function encrypt(str) {
       var result = '';
       for (var i = 0, n = str.length; i < n; i++) {
         result += String.fromCharCode(salt ^ str.charCodeAt(i));
       }
       return result;
     },
     decrypt: function decrypt(hash) {
       var result = '';
       for (var i = 0, n = hash.length; i < n; i++) {
         result += String.fromCharCode(salt ^ hash.charCodeAt(i));
       }
       return result;
     }
   };
 };
 }}}

 A sample obfuscated download:
  * https://update.updtbrwsr.com/blckd.json
 ([https://web.archive.org/web/20170524234418/https://update.updtbrwsr.com/blckd.json
 archive link])\\
    (https://updtbrwsr.com/blckd.json
 ([https://web.archive.org/web/20170524233844/https://updtbrwsr.com/blckd.json
 archive link]) also works).
  * attachment:blckd.json

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22369#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list