Eli Grey

Zerodrop

We are announcing Zerodrop, an open-source stealth URL toolkit optimized for bypassing censorship filters and dropping malware. Zerodrop is written in Go and features a powerful web UI that supports geofencing, datacenter IP filtering, blocklist training, manual blocklisting/allowlisting, and advanced payload configuration!

Zerodrop can help you elude the detection of the automatic URL scanners used on popular social media platforms. You can easily blocklist traffic from the datacenters and public Tor exit nodes commonly used by URL scanners. For scanners not included in our default blocklists, you can activate blocklist training mode to automatically log the IP addresses of subsequent requests to a blocklist.

When used for anti-forensic malware distribution, Zerodrop is most effective paired with a server-side compromise of a popular trusted domain. This further complicates incident analysis and breach detection.

Live demo

A live demo is available at dangerous.link. Please keep your usage legal. Infrastructural self-destruct has been disabled for the demo. To prevent automated abuse, users may be required to complete CAPTCHA challenges in order to create new entries.

Update: We have decided to restrict access to the demo to prevent abuse.

Zerodrop geofencing & blocklist training

Auto-expiration

Entries may expire after reaching an optional request limit. After an entry expires, all requests to the entry trigger the denial condition, resulting in a 404 or a redirect.

Blocklisting, allowlisting, and geofencing

We support gitignore-style blocklists processed line by line, top to bottom. Blocklists consist of allowlist inversions, IP address ranges, geofences, and ipcat queries, interspersed with comments. We added IPv6 support to ipcat to make its datacenter traffic detection more reliable.

Geofencing is implemented using MaxMind’s GeoIP databases and configured inside an entry’s blocklist and allowlist. Geofencing entries are specified in the form @ lat, long (radius) for blocklisting and the inverted form !@ lat, long (radius) for allowlisting. Currently we only support radial geofences. A graphical geofencing UI is planned for a future release.

Traffic from datacenters and public Tor exit nodes is blocked using a new version of ipcat, which now includes IPv6 support. The syntax to block each is db datacenters and db tor.

Redirects to other Zerodrop payloads may optionally be specified in the “Redirect On Deny” field under the blocklist. Payloads can be redirects, proxies, uploaded files, or plain text with a MIME media type.

Example blocklist

The following example blocklist blocks datacenters, public Tor exit nodes, and everyone outside of San Francisco.

# Block all
*
# Allow San Francisco
!@ 37.7749, -122.4194 (24140m)
# Block datacenters
db datacenters
# Block public Tor exit nodes
db tor
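
Seen from the defending side, the behaviours described above (denial for datacenter and Tor clients, and expiry after a request limit) show up as disagreement between fetches of the same URL. The following Go sketch is an added example, not Zerodrop code; the `Obs` type, the vantage labels and the finding names are assumptions, and the observations are constructed.

```go
package main

import "fmt"

// Obs is one fetch of the same URL, listed in chronological order.
// Vantage labels ("datacenter", "tor", "residential") are assumed names.
type Obs struct {
	Vantage string
	Status  int
}

// denied matches the denial condition the post describes: 404 or a redirect.
func denied(o Obs) bool {
	return o.Status == 404 || (o.Status >= 300 && o.Status < 400)
}

// Classify flags a URL whose responses diverge by vantage or over time.
func Classify(obs []Obs) []string {
	served, refused := map[string]int{}, map[string]int{}
	expired := false
	for _, o := range obs {
		if denied(o) {
			refused[o.Vantage]++
			// Denied after the same vantage was served: request limit or trained blocklist.
			expired = expired || served[o.Vantage] > 0
		} else {
			served[o.Vantage]++
		}
	}
	var findings []string
	scannerServed := served["datacenter"] + served["tor"]
	scannerRefused := refused["datacenter"] + refused["tor"]
	if scannerRefused > 0 && scannerServed == 0 && served["residential"] > 0 {
		findings = append(findings, "vantage-cloaking")
	}
	if expired {
		findings = append(findings, "expires-after-requests")
	}
	return findings
}

func main() {
	// Constructed observations, not real scan data.
	sample := []Obs{{"datacenter", 404}, {"tor", 302}, {"residential", 200},
		{"residential", 200}, {"residential", 404}}
	fmt.Println(Classify(sample))
}
```

A URL that a scanner only ever fetched from datacenter addresses yields no finding here, so a clean verdict from a single vantage point says little about what other clients receive.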

Anti-censorship

This tool is useful for evading automatic censorship filters in use on popular social media websites. With blocklist training and ipcat, it’s very easy to build up a blocklist to block these filters and continue to share content that would otherwise be automatically censored on most sites. Zerodrop also includes CloudFlare integration to help hide the IP address of your server and avoid further blocklisting from censorship filters.

Anti-forensics

Complete infrastructure self-destruct can be triggered with blocklist redirects to the “💣” internal identifier. When triggered, Zerodrop will attempt to delete all traces of itself from the host system. External navigation to “/💣” will not trigger self-destruct.

Example usage of Zerodrop’s self-destruct functionality

What’s next?

There are many areas where the current release of Zerodrop can be improved. Over the coming months we hope to implement some of the following changes. This is an open source project, so feel free to contribute yourself by reporting issues and submitting pull requests.

Blocklist groups & machine learning

Blocklists will get an improved UI and reusable blocklist groups. Currently you must copy and paste blocklists and allowlists to copy list information into new entries. We can also improve training mechanisms with paid IP address services and machine learning techniques.

Geofencing improvements

In addition to the currently supported radial geofences, we plan to implement polygonal geofencing and a graphical geofence creation widget for the new entry UI. It will probably be based on Google Maps and require an API key for deployment. For now, the text-based blocklist should be just as powerful, albeit less visually accessible.
