Scanning The Dark Web

So what did WannaCry connect to? Once installed on a machine (through unpatched SMB on Windows), the ransomware first downloaded the Tor client and then connected directly to five addresses:

gx7ekbenv2riucmf.onion
57g7spgrzlojinas.onion
xxlvbrloxvriy2c5.onion
76jdd2ir2embyv47.onion
cwwnhwhlz52maqm7.onion

Increasingly we see applications, and especially malware, connecting directly to the Dark Web (which, in practice, means the Tor network). Within Tor, traffic is encrypted in layers and travels from an entry node, through relays, to an exit gateway, which lets it cross the Internet without any single hop seeing both the source and the destination. Increasingly, though, we now see a complete end-to-end connection from a host to a hidden (onion) service inside the Dark Web, so the traffic never leaves Tor through an exit gateway at all.

So how do we discover the systems that are there, given that we can't search for them on Google? Luckily there is a great little tool called OnionScan, which communicates through the local Tor service and dumps a JSON report of what it finds for each site scanned. Our first task is to download the complete list of onion sites [link]; the file is simply one .onion hostname per line.

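The five addresses quoted above are the kind of indicator a defender can match against hostnames that turn up in proxy, DNS or EDR logs. The helper below is an added example, not code from the post or from OnionScan: it validates .onion hostnames structurally (v2 length and alphabet; v3 checksum and version byte, which can be recomputed from the address itself), flags the five WannaCry addresses, and runs over constructed proxy log lines. The regex, the log format and the IoC set are assumptions of this example.

```python
import base64
import hashlib
import re

# The five WannaCry onion addresses quoted in the post, used as a small IoC set.
WANNACRY_ONIONS = {
    "gx7ekbenv2riucmf.onion", "57g7spgrzlojinas.onion", "xxlvbrloxvriy2c5.onion",
    "76jdd2ir2embyv47.onion", "cwwnhwhlz52maqm7.onion",
}

# v2 = 16 base32 chars (truncated RSA key hash); v3 = 56 base32 chars encoding
# pubkey(32) || checksum(2) || version(1). Labels of other lengths are ignored.
ONION_RE = re.compile(r"\b(?:[a-z0-9-]+\.)*(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion\b")


def v3_checksum(pubkey: bytes, version: int = 3) -> bytes:
    """First two bytes of SHA3-256('.onion checksum' || pubkey || version)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]


def make_v3_address(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a v3 onion hostname."""
    raw = pubkey + v3_checksum(pubkey) + bytes([3])
    return base64.b32encode(raw).decode().lower() + ".onion"


def classify_onion(hostname: str) -> str:
    """Return 'v2', 'v3' or 'invalid' for a hostname ending in .onion."""
    label = hostname.lower().removesuffix(".onion").split(".")[-1]
    if re.fullmatch(r"[a-z2-7]{16}", label):
        return "v2"  # v2 carries no checksum; only length and alphabet can be checked
    if re.fullmatch(r"[a-z2-7]{56}", label):
        raw = base64.b32decode(label.upper())
        pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
        if version == 3 and checksum == v3_checksum(pubkey, version):
            return "v3"
    return "invalid"


def scan_log(lines):
    """Return (hostname, version, known_ioc) for every .onion hostname found."""
    hits = []
    for line in lines:
        for m in ONION_RE.finditer(line.lower()):
            host = m.group(0)
            hits.append((host, classify_onion(host), host in WANNACRY_ONIONS))
    return hits


# Constructed sample proxy log lines (not real traffic); one hit is a known IoC.
SAMPLE_LOG = [
    "10:31:07 proxy CONNECT gx7ekbenv2riucmf.onion:80 src=10.0.0.23",
    "10:31:09 proxy CONNECT update.example.com:443 src=10.0.0.23",
    "10:31:11 proxy CONNECT 1muta.3535663776646657.onion:80 src=10.0.0.41",
]
```

Calling `scan_log(SAMPLE_LOG)` reports the first and third lines, marking only the first as a known WannaCry address; a malformed v3 address fails the checksum check rather than being reported as a hidden service.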

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice