June 19, 2011

I2P...The *other* Anonymous Network

One of the more interesting aspects to the Internet, is the area of anonymity and hidden services. While many people are familiar with the Tor network, there is another "network" that is gaining rapidly in popularity. The I2P Anonymous Network is a peer-to-peer network in which all traffic is encrypted end-to-end.  I became interested in I2P after seeing a tweet by @OpBritain where I2P was mentioned.
While looking into I2P further, I saw several pastebins where it was again mentioned and discussed.

From the I2P website, "I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties. I2P is designed to allow peers using I2P to communicate with each other anonymously — both sender and recipient are unidentifiable to each other as well as to third parties."

Unlike Tor where a "directory" of the network is maintained, I2P maintains its network database via peer profiling and router info. The I2P network selects its peers by a profiling process that continually ranks performance and updates the "I2P netDb", which is contains constantly updated information on router contact information called "RouterInfos" and the destination contact information, called "LeaseSets". This netDB is distributed via a technique called "floodfill", where a smaller subset of I2P routers, known as the "floodfill routers", will maintain this distributed database. 

I2P uses virtual, unidirectional tunnels that pass through a series of routers, and are typically 2 to 3 hops. Each round trip message and reply will require four tunnels. One each for the sender and recipient's inbound and outbound traffic. Tunnels are created using what is known as "Garlic Routing" (a shot at Tor's Onion routiing??) A Tunnel build message is sent via Garlic routing to an I2P router requesting that it participate in the tunnel.

One of the primary uses of I2P is via an I2PTunnel application which allows for familiar TCP/IP applications to be run through the I2P network.

I2P has been around since 2003 and has a Java client, where it will run on Windows, Linux, and MacOS. After installation, you are presented with a very comprehensive control and informational page.

Peer profiles and UDP connections

I2P Services

There are many anonymous and encrypted services that can be utilized via the I2P tunnels including:
    • Browsing to websites within the I2P network (called eepsites) as well as anonymous browsing to public sites. A custom build of Firefox called I2PFox that is hardened and built specifically for I2P is also available.
    • Hosting of your own eepsite. You can make your eepsite exclusive to I2P, or also available to a public browser.
    • Search. You can search for I2P content and sites via http://eepsites.com. You can also use Google to find http://xxxx.i2P.to websites accessible without I2P proxy.
    • Susimail/2IpMail. Anonymous email to/from public Internet. More on this below.
    • I2P-Bote accessible via http://i2pbote.i2p 
    • IRC. Anonymous chat via a local IRC tunnel that directs to one of two I2P IRC servers. There is also an I2P Instant Messenger and the ability to run your own anonymous chat servers.  More on this below.
    • I2P-Messenger  encrypted, serverless instant messenger.
    •  Jabber via i2pjabber.i2p
    • Tahoe-LAFS. You can use it from within the I2P network.
    • Syndie. System for distributed anonymous forums.

Addressing and Naming Services

I2P utilizes a 516 byte crypto identifier key to refer to routers and any end point services. All destinations in I2P are referenced by this key. Three local host files are used to map destination names to their crypto key, similar to traditional DNS. I2P users can discover new destinations by subscribing to other published "addressbooks" via a configured "web of trust". I2P uses an "addressbook" application to merge these external host lists with the local host files. A "SusiDNS" application is also provided to facilitate the user's management of their host lists and addressbook configuration. The Subscriptions page allows to add additional public subscription sites in addition to the default http://www.i2p2.i2p/hosts.txt, such as
  • http://i2host.i2p/cgi-bin/i2hostetag
  • http://stats.i2p/cgi-bin/newhosts.txt
  • http://tino.i2p/hosts.txt
  • http://inr.i2p/export/alive-hosts.txt

Basic Naming Services Architecture

Default Addressbook
External Destination List

An "eepsite" is simply a website that is hosted anoymously within the I2P network and accessed via HTTP tunneled back via I2P. This is similar to Tor "hidden services".

An I2P user would access these sites by setting their web browser's HTTP proxy to localhost:4444, and localhost:4445 for HTTPS.  An I2P eepsite will have a URL with .i2p as its top level domain, such as http://sempersecurus.i2p. By use of an "outproxy", an I2P user will also have access to external HTTP, HTTPS, and email services. The I2P "httpclient" application allows for this outproxying. If the requested hostname does not end in .i2p, a random outproxy will be selected from a user provided list, and the request will be sent there.  These outproxies are basically I2P servers that are voluntarily run specifically as an outproxy. No I2P router instance is an outproxy by default.

Some eepsite operators will make their sites publicly available outside the I2P network. Those sites can be accessed by appending a ".to" to the I2P domain, such as http://sempersecurus.i2p.to

There are a wide variety of eepsites running in the I2P network. Just reading through the addressbook listings is interesting and reflects the scope of material you can find in I2P.

Homepages of various eepsites.

The internal I2P web landscape reminds one of the public Internet from the mid 90's. Searching is rudimentary, some sites work great while others are barely usable and are functional only for a few hours a day. However, availability is not the objective with eepsites, anonymity is.

It's very easy to setup your own eepsite within the I2P network. Comprehensive instructions are found within the local help files, as well as from the resources listed below. In a nutshell, a site is created as follows:

  • A site name is selected that won't collide with the name of another eepsite currently listed in the I2P addressbook. Add your new site name to the eepsite I2P tunnel configuration page.
  • Content is placed in a 'docroot' folder which  is created at installation.
  • Start the eepsite from your router control panel.
  • Highlight the full destination crypto key that was created for your site.
  • Enter the eepsite name and the crypto key into your master address book. Additionally, you should now register your .i2p domain in one of the I2P address books. The I2P routers periodically pull address book updates from these sites, so eventually your site will be listed across the I2P network. 

The images below show a test eepsite I setup within minutes. There is also a pcap of the browsing session, but note that the traffic is via an encrypted tunnel

EMAIL- SusiMail basics
A java email client called Susimail can be accessed directly from the I2P router console window at http://localhost:7657/susimail/susimail. SusiMail allows you to send and retrieve I2P mail and was designed specifically for strong I2P privacy and anonymity. Creating an email account is takes minutes via a Postman HQ site, and chances are good that you can get your coveted address, the one you could never get on Gmail :) Oddly, I2P email only accepts letters and numbers for the password. The interface is spartan, but it works quite well most of the time.
Webmail login page

"Your password is too complicated"

How I2P email works
The following illustrations indicate the mail flow between the I2P network and the public Internet. They are based on the text explanations kindly provided by the Postman at http://hq.postman.i2p
I2P mail to the Internet

Internet mail back to I2P

I2P Message headers
According to HQ Postman, the I2P MTA (Mail Transfer Agent) provides the following sanitizing of message headers: 
"All User-Agent: and X-Mailer: header lines are automatically removed and replaced by the line X-Mailer: smtp.postman.i2p Official I2P Mailer.
- All X- header lines are completely removed
- All message IDs are replaced by server-side generated message-IDs
- All Date: tags are removed and replaced by server-side generated Dates in UTC
- All Received: tags are removed (apart from the very last one)"
The following chart shows comparative email headers after testing sending emails between I2P and Gmail.

Measures to prevent abuse
There are several good resources online pertaining to the basics of I2P mail, I just want to address a concern often expressed about anonymous mail services - abuse and its potential usage for spam and malware distribution.

To prevent abuse, I2P mail sets a quota for outgoing mail to 20 recipients per day. Every day at 0:00 UTC the quota is reset . You can “buy” up to 80 recipients a day by paying in hashcash tokens / CPU cycles. You cannot “hoard” your recipient quota, the number is reset to 20 every day. Additionally, there are limits on how much mail you can store and for how long. Old mail gets deleted after 180 days, but you can easily download it via POP3.

Relay and spoofing
You can use only your own address as the return path and the auth login name has to match the sender. The sender is able to forge the "From" address but the return path is added by the MTA and will match the actual sender.

Settings available for I2P email accounts 

Hello snail mail
Well, not exactly snail speed but by default, messages are delayed 20-50 min to provide further anonymity by skewing the time you appear to be online.  In several testing runs, the delay was seen to be as much as 3 hours. This delay setting can be changed in the Account Management section and set it to deliver ‘immediately’. Testing I2P email to and from Gmail arrived almost instantly.

All these measures and features make the use of I2P mail for spamming and phishing rather impractical. An attacker would find it easier to use a compromised or misconfigured relay server or free webmail as opposed to I2P mail. Again, the primary goal of I2P email is anonymity.


I2P maintains anonymous IRC servers that can easily be accessed via an IRC client such as mIRC or xchat. After establishing with I2P, pointing the IRC client to, port 6668 will get you connected. There are many channels available on the I2P server, and users can create their own.

Various channels on the I2P IRC server

An I2P user can also establish their own IRC server and allow other I2P users to access it. The server is established similar to how an eepsite is built where a hostname and crypto key are generated for the particular destination. In order to connect to another I2P user's private IRC server, it was required to modify your subscription list to add the crypto keys of the destination. Next, you would create a tunnel to the destination and add that to your router address book while selecting a connection port (ie. 6669). At that point, pointing your IRC client to localhost, port 6669 would get you connected.

Since June, 2010, I2P now supports a SOCKS IRC tunnel for clients supporting SOCKS5. By configuring your IRC client to uses SOCKS5 at localhost, port 9052, you can connect to any i2p IRC server through your client, without setting up separate tunnels for each.

I2P Stats, Additional Information, and Resources

Stats NETDB - http://stats.i2p.to
I2P  is a much smaller network, compared to some better known networks like Tor but it has seen continuous growth over the past year. The best source of the current infomation about the total number of routers, the network health, and other data collected over the years about I2P is located at http://stats.i2p.toAs you can see below, at the time of the screenshot, there were 4665 routers available online, roughly twice as many as it were available a year ago.  The number is constantly changing, please see the site for the most current information.

Official I2Psite - http://www.i2p2.de
The Official site is the best place to start as it has the most comprehensive information about available services, installation, and resources.

Papers, Presentations, and Videos about I2P - Site maintained on the primary I2P Website. Updated regularly.

ZZZ -http://zzz.i2p (Accessible via I2P proxy only)
Once you are on I2P, this is the best source of information for the patches, updates, tips and help.

Forum - http://forum.i2p2.de
A very active I2P user forum. Ask questions, read answers. Full of news, announcements, and discussions.

Irongeek - http://irongeek.com
Adrian Crenshaw's Irongeek.com site is an excellent resource for how-to videos, presentations, and security research related I2P. Check out his Black Hat presentation Identifying the true IP/network identity of I2P service hosts

Privacy-Implications of Performance-Based Peer Selection by Onion-Routers: A Real-World Case Study using I2P - Master's thesis by Michael Herrmann -Technische Universit√§t M√ľnchen

I want to particularly thank Mila Parkour of Contagio for her excellent assistance, research, and illustrations.

June 12, 2011

Malware Sandbox Services and Software

Whether you are performing digital forensics, or just have an interest in malware, a sandbox environment is an essential part of your analysis program. Sandboxing services can save time and provide a quick and easy glimpse into a suspicious files behavior.  I received an email this morning from Jose' Nazario of Arbor Networks where he provided a link to a list made by Buster (author of Buster Sandbox Analyzer) of various sandboxing tools and services."  I decided to take that list, check out and update each of the links and provide a brief description of the various services. I also added a few other services that I'm aware of.

For this blog post, I'm not providing any opinions or reviews. I'm just listing the service, URL, and a basic description as quoted by the provider.

These are the malware analysis services and software that I am currently aware of from the Buster Sandbox link, or via other sources. If you know of any other good malware analysis services, please feel free to drop me an email and I will add it to the list.

Web Services
"We can accept any type of file including executables, documents, spreadsheets, presentations, compiled help files, database packages, PDF, images, emails, or archives. You can also submit a file from a remote web address."
"View PDF objects as hex/text, PDF dissector and inspector, scan for known exploits"
"Joe Sandbox is a fully automated analysis system for trojans, viruses and rootkits (malware). It requests malicious executables such as PE, PDF (Acrobat Reader) or DOC (Microsoft Word) files as input and returns highly detailed reports describing the behavior of executables being executed"

Note:  Joe Sandbox has an online service with three account types. It is described more fully here: http://www.joesecurity.org/service.php

"Anubis is a service for analyzing malware. Submit your Windows executable and receive an analysis report telling you what it does. Alternatively, submit a suspicious URL and receive a report that shows you all the activities of the Internet Explorer process when visiting this URL"

"Wepawet is a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files."

"Submit a Suspicious File for a FREE Malware Analysis"

"Due to heavy load, the public site does not support: URL or BHO analysis, zipped files or analysis of infected documents."

"ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode."

- Windows executable (exe,dll)
– Adobe PDF (Beta Testing)
– Zip file (with password “panda”)
– RAR compressed file (without password)
– 7zip Compressed file (without password)
– Autovin File Extractor compressed file

    "Eureka is a binary static analysis preparation framework. It implements a novel binary unpacking strategy based on statistical  bigram analysis and coarse-grained execution tracing. Eureka incorporates advanced API deobfuscation capabilities to facilitate the structural analysis of the underlying malware logic. "

    "xandora.net is a tool for analyzing the behavior of Windows PE-executables with special focus on the analysis of malware. Execution of xandora.net results in the generation of a report file that contains enough information to give a human user a very good impression about the purpose and the actions of the analyzed binary.
    The generated report includes detailed data about modifications made to the Windows registry or the file system or other processes and of course it logs all generated network traffic. The analysis is based on running the binary in an emulated environment and watching."

    "Submit your Windows executable(*.exe) and receive an analysis report telling you what it does,
    or submit a suspicious URL and receive a report that shows you all the activities of the Internet Explorer process when visiting this URL."

    A Generic JavaScript Unpacker. Enter a single URL (or paste JavaScript to decode). Upload a PDF, pcap, HTML, or JavaScript file.

    Standalone Malware Sandboxing Software

    "An Open Source dynamic malware analysis system which allows you to get informations on suspicious files in a completely automated fashion.
    Such results include:
        * Relevant Windows API calls tracing of all recursively spawned processes.
        * Network traffic dump generated during malware execution.
        * Files being downloaded and deleted during execution.
        * Screenshots taken during malware the whole analysis process."

    "Software and tips to easily build up an automated malware analysis station based on a concept introduced in the paper Mass Malware Analysis: A Do-It-Yourself Kit."

    "Zero wine is an open source (GPL v2) research project to dynamically analyze the behavior of malware. Zero wine just runs the malware using WINE in a safe virtual sandbox (in an isolated environment) collecting information about the APIs called by the program. "

    "Buster Sandbox Analyzer is a tool that has been designed to analyze the behaviour of processes and the changes made to system and then evaluate if they are malware suspicious.
    The changes made to system can be of several types: file system changes, registry changes and port changes."https://vicheck.ca/

    "This is a free tool for the analysis of malicious PDF documents. Has specialized tools for dealing with obsfuscated javascript, low level pdf headers and objects, and shellcode."

    jsunpack-n emulates browser functionality when visiting a URL. It's purpose is to detect exploits that target browser and browser plug-in vulnerabilities. It accepts many different types of input:
    PDF files - samples/sample-pdf.file
    Packet Captures - samples/sample-http-exploit.pcap
    HTML files
    JavaScript files
    SWF files
    This project contains the source code which runs at the website http://jsunpack.jeek.org/.