[tor-talk] TOR tried to take a snapshot of my screen

BM-2cVvnFWSftFx8dv12L8z8PjejmtrjYjnUY at bitmessage.ch
Fri Aug 22 21:38:49 UTC 2014


Hi,

I have TOR 3.6.3 installed on a Windows XP computer that is used almost
exclusively for it, with very little additional software installed.
My understanding is that a potential attacker will test his
exploit/approach against most of the security software available, but
possibly will not be able to test against ALL of them, so I have a
miscellany of popular and not-so-popular security software installed on the
same computer; among them is a not-so-common anti-spyware called Zemana.

I have been using the TOR browser and Zemana for years and am familiar with the
behaviour of both.
The TOR I am running has just the extensions that come with it; no
additional extension was installed and no plug-in is installed.

I have proper licenses to run all the software, including Zemana, so no
crack or other suspicious tool was ever used.
Zemana is quiet software and I cannot remember a single fake
alert.


A few days ago, while browsing with TOR, I got a shocking alert from Zemana:
TOR TRIED TO TAKE A SNAPSHOT OF MY SCREEN.


As Zemana allowed me to, I blocked the screen capture and TOR crashed
immediately.
From this crash I understand that TOR really tried to capture my screen.

I restarted TOR with a new identity and changed the identity many times, but
TOR repeated the same behaviour a number of times: screen capture
attempt, Zemana block, TOR crash. Changing the identity just does not work
against such an attacker.

The script functions were always blocked by NoScript 2.6.8.36.

On the following days I used TOR again, without any change in my system or
software, accessing the same web sites, but the attack no longer took
place.


I verified the MD5 signature for the TOR browser (firefox.exe) and it is
unchanged, i.e., it is as distributed by torproject.org.

TOR 3.6.3 was downloaded from the TOR Project web site, not from
other servers.
The install package torbrowser-install-3.6.3_en-US.exe has the MD5
signature: 9529C5A633CF0CF6201662CA12630A04
I have the installer in my files for any forensic work.

I am sending some screenshots of the Zemana log, where it is possible to see
the TOR MD5 signature (firefox.exe; FC19E4AFB0E68BD4D25745A57AE14047) and
the logged behaviour ("screenlogger"), the TOR version, the TOR button and
Zemana version screens, and the extensions and plug-ins present in my TOR
install (just to confirm that nothing strange is there). They are
available for download here:
http://www.datafilehost.com/d/dfb201d8
or
https://www.sendspace.com/file/6ygdl3



It seems that TOR has hidden server capabilities, a back door that allows a
remote operator to take a snapshot of the screen and possibly perform other
actions (record the mic, turn on the webcam, ...).


I think TOR can protect users from many enemies, but at the same time
it is a perfect tool to attract, identify and log very specific
targets (users).
This may also explain the, until now, unclear role and objectives of the
US government in funding the TOR Project.

It seems that it will hardly be possible to identify such an attacker, as it
probably comes from the TOR network itself, but I am considering a
trap/honey pot just in case this repeats.


I am an enthusiast of privacy tools and TOR is not used for any kind of
unlawful purpose; it is unlikely that I will attract attention from public
authorities, and I am not worried about any data such an attacker may
eventually have had access to.


I hope this information may help improve the TOR community's security and
that at some point in the future we will be able to find a solution for this
back door.
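
The download check the poster describes (comparing the installer and firefox.exe against a published MD5 value), as an added example that is not part of the original post and not Tor Browser's own tooling: a Python script that streams a file through hashlib in chunks, picks the algorithm from the length of the published digest, and compares in constant time. The caveat a practitioner would want: a checksum is not a signature. If the expected digest is fetched over the same channel as the download, a match only proves the file is the one the server offered, not that it is the one the project built; Tor Browser releases are also signed with the project's GPG key, and checking that signature is what actually proves origin. The file content and digests in the demo are constructed for this example (the known MD5 and SHA-256 of the bytes "abc"), not values from the post.

```python
"""Verify a downloaded file against a published hex digest.

Added example; not from the original post or the Tor Project.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # stream the file so a large installer is never read whole

# Length of the published digest in hex characters -> hashlib algorithm name.
_ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def algorithm_for(expected_hex):
    """Pick the hash algorithm from the length of the published digest."""
    n = len(expected_hex.strip())
    try:
        return _ALGO_BY_HEX_LEN[n]
    except KeyError:
        raise ValueError("unrecognised digest length: %d hex chars" % n)


def file_digest(path, algorithm):
    """Hex digest of the file at `path`, computed in CHUNK_SIZE pieces."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path, expected_hex):
    """True if the file matches `expected_hex`; case-insensitive, constant-time compare."""
    expected = expected_hex.strip().lower()
    actual = file_digest(path, algorithm_for(expected))
    return hmac.compare_digest(actual, expected)


def demo():
    """Constructed sample: a tiny stand-in for an installer, checked with MD5 and SHA-256."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "installer.exe")
        with open(path, "wb") as f:
            f.write(b"abc")  # constructed content, not a real installer
        results = {
            # known digests of b"abc"
            "md5_ok": verify_file(path, "900150983CD24FB0D6963F7D28E17F72"),
            "sha256_ok": verify_file(
                path,
                "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
            ),
            # a wrong digest of the right length must fail, not raise
            "tampered": verify_file(path, "00000000000000000000000000000000"),
        }
    return results


if __name__ == "__main__":
    print(demo())
```

Run it against a real download as `verify_file("torbrowser-install-3.6.3_en-US.exe", "<published digest>")`; an MD5 value is accepted because the post uses one, but prefer the SHA-256 sums the project publishes, and verify the GPG signature on those sums before trusting them.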