Feds Accused Of Distributing Malware That De-Anonymizes Tor Users
from the left-hand,-meet-the-anonymous-right-hand dept
It's somewhat well known that the popular Tor anonymous browsing system gets a significant amount of funding from the US government. In the past, the suggestion had always been that the State Department was a major supporter because of its belief that Tor would help dissidents in other countries communicate better via anonymous systems. However, now there's a lot of buzz because it appears that a bit of malware that was discovered this weekend targeting Tor users, may have come directly from the FBI itself. The implication isn't against the Tor project at all, but rather it appears that whoever pushed out this malware did so by using a vulnerability targreting people using the Tor Browser Bundle -- a Firefox bundle that builds in Tor -- browsing a variety of hidden sites (available only to Tor users) hosted by the somewhat infamous Freedom Hosting. Freedom Hosting's boss, Eric Eoin Marques was arrested in Ireland last week as the US is trying to extradite him. But, what was more interesting was what some people discovered on all Freedom Hosting pages:Shortly after Marques' arrest last week, all of the hidden service sites hosted by Freedom Hosting began displaying a “Down for Maintenance” message. That included websites that had nothing to do with child pornography, such as the secure email provider TorMail.So why do people think the feds are involved? The bit of malware scoops up various identifying information -- MAC address and Windows hostname -- and then sends it to a server in Virginia to find the real IP address of the computer in question. The Virginia server is controlled by the infamous contractor SAIC, who works with numerous government agencies.
Some visitors looking at the source code of the maintenance page realized that it included a hidden iframe tag that loaded a mysterious clump of Javascript code from a Verizon Business internet address located in eastern Virginia.
By midday Sunday, the code was being circulated and dissected all over the net. Mozilla confirmed the code exploits a critical memory management vulnerability in Firefox that was publicly reported on June 25, and is fixed in the latest version of the browser.
Though many older revisions of Firefox are vulnerable to that bug, the malware only targets Firefox 17 ESR, the version of Firefox that forms the basis of the Tor Browser Bundle – the easiest, most user-friendly package for using the Tor anonymity network.
It's no secret that law enforcement has wanted to identify folks who are trying to be anonymous. And, as discussed just last week, the FBI has been using malware at an increasing rate. So it wouldn't be a huge surprise to find out that little tricky bit of malware was designed to provide more info on Tor users who might be up to nefarious activity (or, you know, they might just want to surf anonymously). I imagine that this is not the end of this particular story...
Filed Under: eric eoin marques, fbi, government, malware, state department, tor
Companies: freedom hosting, saic
