FBI May Be Behind Tor Browser Focused Malware
Looks like the government is trying to see what Tor Browser users are doing.
For web surfers wanting to be totally anonymous, the Tor Project offers a browser bundle that bounces the user's communication around a distributed network of relays run by volunteers stationed across the globe. It supposedly prevents eavesdroppers from viewing your surfing habits, and websites from knowing who you are, where you've been and where you're physically located.
"The vulnerability allows arbitrary code execution, so an attacker could in principle take over the victim's computer," the group states. "However, the observed version of the attack appears to collect the hostname and MAC address of the victim computer, send that to a remote webserver over a non-Tor connection, and then crash or exit. The attack appears to have been injected into (or by) various Tor hidden services, and it's reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services."
"Consider switching to a 'live system' approach like Tails," the team states. "Really, switching away from Windows is probably a good security move for many reasons."
The attack in question reportedly stems from websites served up by the anonymous web hosting company, Freedom Hosting. This company specializes in playing host to special .onion websites that hide their IP addresses and geographical locations behind layers of routing, and in turn can only be accessed via the Tor network. Some of these sites are also supposedly known to dish out child pornography.
Wired reports that the broad deployment of malware across the Freedom Hosting network coincided with the arrest of Eoin Marques in Ireland on Thursday. He was wanted for distributing child pornography in a federal case filed in Maryland. Shortly thereafter, all of the hidden service sites hosted by Freedom Hosting began displaying a "Down for Maintenance" message, including legitimate sites like TorMail.
So is this malware really linked to the FBI? DomainTools reports that the command-and-control IP address used by the malware is associated with McLean, Virginia-based Science Applications International Corporation (SAIC). This is a major technology contractor for defense and intelligence agencies… including the FBI.