
FBI May Be Behind Tor Browser Focused Malware

Source: Tor Project | 16 comments

Looks like the government is trying to see what Tor Browser users are doing.

For web surfers wanting to be totally anonymous, the Tor Project offers a browser bundle that bounces the user's communication around a distributed network of relays run by volunteers stationed across the globe. It supposedly prevents eavesdroppers from viewing your surfing habits, and websites from knowing who you are, where you've been and where you're physically located.

The Tor Browser is based on Firefox 17 ESR, modified at the code level to support fully anonymous browsing. The Tor Project said on Monday that an attack exploiting a JavaScript vulnerability in Firefox has been observed in the wild. Moreover, this attack appears to be aimed directly at users of the Windows-based Tor Browser Bundle.


"The vulnerability allows arbitrary code execution, so an attacker could in principle take over the victim's computer," the group states. "However, the observed version of the attack appears to collect the hostname and MAC address of the victim computer, send that to a remote webserver over a non-Tor connection, and then crash or exit. The attack appears to have been injected into (or by) various Tor hidden services, and it's reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services."

Tor Browser users are advised to upgrade to the latest bundle release, since the vulnerability was fixed in Firefox 17.0.7, which is included in Tor Browser versions 3.25-10, 4.15-alpha-1 and 4.15-beta-1. The Tor Browser Bundle also checks automatically whether it is out of date and notifies the user on its home page when an update is needed. Users are also advised to disable JavaScript by clicking the blue "S" beside the green onion and selecting "Forbid Scripts Globally." Of course, this may break many websites that depend on JavaScript.

"Consider switching to a 'live system' approach like Tails," the team states. "Really, switching away from Windows is probably a good security move for many reasons."

The attack in question reportedly originates from websites served by the anonymous web hosting company Freedom Hosting. This company specializes in hosting .onion websites, which hide their IP addresses and physical locations behind layers of routing and can only be reached through the Tor network. Some of these sites are also reported to distribute child pornography.

Wired reports that the broad deployment of malware across the Freedom Hosting network coincided with the arrest of Eoin Marques in Ireland on Thursday. He was wanted for distributing child pornography in a federal case filed in Maryland. Shortly thereafter, all of the hidden service sites hosted by Freedom Hosting began displaying a "Down for Maintenance" message, including legitimate sites such as TorMail.

The maintenance pages were examined and found to contain a hidden "iframe" tag that loaded a block of JavaScript code from a Virginia-based Verizon Business Internet address. "It just sends identifying information to some IP in Reston, Virginia," reverse-engineer Vlad Tsyrklevich told Wired. "It's pretty clear that it's FBI or it's some other law enforcement agency that's U.S.-based."

Buried within the malicious JavaScript is a tiny Windows-based executable inside a hidden variable named "Magneto." Instead of downloading additional code that would open a back door to hackers, it relays the victim's MAC address and Windows hostname to a server in Virginia that's outside the Tor network. This exposes the user's actual IP address.
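The defining trait of this payload is that the browser process itself opened a direct, non-Tor connection, which is what leaked the real IP. A host-side check for exactly that condition, as an added example that is not the article's or the Tor Project's code, follows; the log format is constructed for the example, and the assumption is that a correctly configured Tor Browser only ever talks to the local tor daemon on loopback.

```python
"""Flag Tor Browser connections that bypass the local Tor SOCKS proxy.

Added example, not from the article. Assumption: only tor.exe should hold
non-loopback sockets; the browser must reach the network solely through the
local SOCKS port, so any non-loopback destination opened by the browser
process is a strong signal of the kind of leak described above.
The log format is constructed for this example; adapt LINE_RE to whatever
your host firewall or EDR actually emits.
"""
import ipaddress
import re

# Constructed sample host-firewall log (not real data): one outbound connect per line.
SAMPLE_LOG = """\
2013-08-04T10:12:03Z proc=firefox.exe pid=2108 dst=127.0.0.1:9150 action=allow
2013-08-04T10:12:04Z proc=firefox.exe pid=2108 dst=127.0.0.1:9151 action=allow
2013-08-04T10:12:09Z proc=tor.exe pid=1988 dst=198.51.100.7:443 action=allow
2013-08-04T10:12:11Z proc=firefox.exe pid=2108 dst=203.0.113.25:80 action=allow
2013-08-04T10:12:12Z proc=chrome.exe pid=3301 dst=203.0.113.9:443 action=allow
"""

# IPv4 only, to keep the destination/port split unambiguous.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) "
    r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) action=(?P<action>\S+)$"
)

BROWSER_PROCS = {"firefox.exe"}  # the Tor Browser Bundle ships a rebranded Firefox


def parse(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["port"] = int(ev["port"])
    return ev


def find_tor_bypass(log_text, browser_procs=BROWSER_PROCS):
    """Return browser-process events whose destination is not loopback.

    Loopback is allowed wholesale rather than pinning one SOCKS port, because
    the port differs between bundle versions and the control port is local too.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["proc"] not in browser_procs:
            continue
        if not ipaddress.ip_address(ev["ip"]).is_loopback:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_tor_bypass(SAMPLE_LOG):
        print(f"{ev['ts']} {ev['proc']}[{ev['pid']}] bypassed Tor -> {ev['ip']}:{ev['port']}")
```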

So is this malware really linked to the FBI? DomainTools reports that the command-and-control IP address used by the malware is associated with McLean, Virginia-based Science Applications International Corporation (SAIC). This is a major technology contractor for defense and intelligence agencies… including the FBI.

16 comments (thread closed)
  • mi1ez, August 6, 2013 1:14 PM (score 4)
    Bloody Feds!
  • internetlad, August 6, 2013 1:25 PM (score 1)
    Guess it got under somebody's skin high up the chain.
  • whiteodian, August 6, 2013 1:41 PM (score -4)
    Stop looking at kiddie porn!
  • MajinCry, August 6, 2013 1:59 PM (score 3)
    "Nothing to hide, nothing to fear"

    Yeah. Right.
  • Oleg Melnikov, August 6, 2013 8:43 PM (score 6)
    what is wrong with them lol!
    they must stop this bull and start doing their job of getting bad guys, and not some internet geeks who try to look up porn on the net...
  • RascallyWeasel, August 7, 2013 6:07 AM (score 4)
    @Otacon72

    I don't think you understand what privacy is. It is not that people are trying to hide things that may be embarrassing to them or illegal activities. Privacy is the CHOICE to make information that you may deem personal public. When stuff like this happens it removes the individual's consent/choice in the matter as to whether the information is public or private.
  • jdlobb, August 7, 2013 6:13 AM (score -5)
    @Oleg

    Looking for bad guys is exactly what they're doing. If you were just looking up legal porn it's unlikely you'd have any reason to use something like Tor, and if the FBI or NSA sees you spend all day on Tube8 they're not going to care at all.

    The bad guys, like people who distribute and consume child pornography, are EXACTLY the kind of people who use Tor.
  • jdlobb, August 7, 2013 6:16 AM (score -5)
    the "Right to Privacy" is an artificial construct imagined up by libertarians, hackers, and tin-foil hats.

    The constitution extends you a right to do a number of things, it doesn't extend the right not to have somebody monitoring you while you do it.

    If you want to do something illegal that you feel shouldn't be illegal, have the balls to stand up and accept the consequences and fight for it.
  • bluekoala, August 7, 2013 6:26 AM (score 2)
    Not sure if Otacon is a troll, or just very stupid....
  • Grandmastersexsay, August 7, 2013 8:42 AM (score 1)
    Jdlobb, math is an artificial construct. So is everything in the Constitution and Bill Of Rights which you have obviously never read.

    Try reading this.

    "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

    That clearly states the government needs probable cause and a warrant to monitor someone, because someone being monitored is clearly not secure in their person, house, papers, and effects. It is so clear in fact that only a judge or lawyer could think differently.
  • ddpruitt, August 7, 2013 9:14 AM (score 1)
    @Grandmaster

    Quote:
    Try reading this.

    "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

    Try understanding it. The right to privacy is not absolute. Read the first few lines of the declaration of independence. If what you do in private adversely affects the rest of us we have the right to know, regardless of how offended you may be. The fact that all the sites went down for "maintenance" leads me to believe that whoever is doing this is working in cooperation with a number of people. Just because they need a warrant doesn't mean that they're going to announce it to the world, especially if they're trying to do some good by catching some of the kiddie porn people.
  • dalethepcman, August 7, 2013 9:18 AM (score 1)
    Just because "you" didn't receive a warrant, doesn't mean one was not indeed issued for this alleged Irish child pornographer. If the only way to track his internet usage was by hijacking the tor network, then so be it. Just so everyone understands I am not condoning this type of behavior, but I do understand the logic behind it.

    P.S. if you think using the internet in any way is untraceable you are sorely mistaken.
  • Grandmastersexsay, August 7, 2013 9:28 AM (score 0)
    I understand it quite well ddpruitt.

    What you are ignoring is that the FBI did not, and could not get a warrant to monitor the electronic communications of every tor user indiscriminately infected with this virus.

    You need to wake up. Automatically supporting the boys in blue is not the good conservative thing to do. It is the foolish thing to do. If you are a big government liberal, I can understand you supporting these draconian law enforcement measures, but then calling you a fool would be redundant.
  • lordjakian, August 9, 2013 3:21 AM (score 0)
    I think you can break down the article like so.

    Put on a scale, with one side being unrestricted and anonymous internet usage, or going after cloud service providers that don't control what data is on their hard drives.

    Which one seems more important to you?

  • antiglobal, August 12, 2013 8:12 AM (score 0)
    Fight the future!