Skip to main content

FBI May Be Behind Tor Browser Focused Malware

For web surfers wanting to be totally anonymous, the Tor Project offers a browser bundle that bounces the user's communication around a distributed network of relays run by volunteers stationed across the globe. It supposedly prevents eavesdroppers from viewing your surfing habits, and websites from knowing who you are, where you've been and where you're physically located.

The Tor browser is actually based on Firefox 17 ESR, but has been retooled on the code level to enable full anonymous browsing. The Tor Project said on Monday that an attack that exploits a Firefox vulnerability in JavaScript has been observed in the wild. Even more, this attack appears to be targeted directly at users of the Windows-based Tor Browser bundle.

MORE: Can You Hide Anything from the NSA?

"The vulnerability allows arbitrary code execution, so an attacker could in principle take over the victim's computer," the group states. "However, the observed version of the attack appears to collect the hostname and MAC address of the victim computer, send that to a remote webserver over a non-Tor connection, and then crash or exit. The attack appears to have been injected into (or by) various Tor hidden services, and it's reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services."

Tor Browser users are suggested to use the latest bundle release, as the vulnerability was fixed in Firefox 17.0.7 which applies to Tor Browser versions 3.25-10, 4.15-alpha-1 and 4.15-beta-1. The Tor Browser bundle also automatically checks to see if it's out of date, and notifies the user on its home page if an update is needed. Users are also suggested to disable JavaScript by clicking the blue "S" beside the green onion, and selecting "Forbid Scripts Globally." Of course, this may "break" many websites that depend on JavaScript.

"Consider switching to a 'live system' approach like Tails," the team states. "Really, switching away from Windows is probably a good security move for many reasons."

The attack in question reportedly stems from websites served up by the anonymous web hosting company, Freedom Hosting. This company specializes in playing host to special .onion websites that hide their IP addresses and geographical locations behind layers of routing, and in turn can only be accessed via the Tor network. Some of these sites are also supposedly known to dish out child pornography.

Wired reports that the broad deployment of malware across the Freedom Hosting network coincided with the arrest of Eoin Marques in Ireland on Thursday. He was wanted for distributing child pornography in a federal case filed in Maryland. Shortly thereafter, all of the hidden service sites hosted by Freedom Hosting began displaying a "Down for Maintenance" message, and included legit sites like TorMail.

The maintenance pages were examined and found to include a hidden "iframe" tag that loaded a clump of JavaScript code from a Virginia-based Verizon business Internet address. "It just sends identifying information to some IP in Reston, Virginia," reverse-engineer Vlad Tsyrklevich told Wired. "It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based."

Buried within the malicious JavaScript is a tiny Windows-based executable inside a hidden variable named "Magneto." Instead of downloading additional code that would open a back door to hackers, it relays the victim's MAC address and Windows hostname to a server in Virginia that's outside the Tor network. This exposes the user's actual IP address.

So is this malware really linked to the FBI? DomainTools reports that the command-and-control IP address used by the malware is associated with McLean, Virginia-based Science Applications International Corporation (SAIC). This is a major technology contractor for defense and intelligence agencies… including the FBI.

  • mi1ez
    Bloody Feds!
    Reply
  • internetlad
    Guess it got under somebodies skin high up the chain.
    Reply
  • whiteodian
    Stop looking at kiddie porn!
    Reply
  • MajinCry
    "Nothing to hide, nothing to fear"

    Yeah. Right.
    Reply
  • Oleg Melnikov
    what is wrong with them lol!
    they must stop this bull and start doing their job on getting bad guys , and not some internet geeks that try to look up porn on the net...
    Reply
  • RascallyWeasel
    @ Otacon72

    I don't you understand what privacy is. It is not that people are trying to hide things that may be embarassing to them or illegal activities. Privacy is the CHOICE to make information that you may deem personal public. When stuff like this happens it removes the individuals consent/choice in the matter as to wether the information is public or private.
    Reply
  • jdlobb
    @Oleg

    Looking for bad guys is exactly what they're doing. If you were just looking up legal porn it's unlikely you'd have any reason to use something like Tor, and if the FBI or NSA sees you spend all day on Tube8 they're not going to care at all.

    The the bad guys, like people who distribute and consume child pornography, are EXACTLY the kind of people who use Tor.
    Reply
  • jdlobb
    the "Right to Privacy" is an artificial construct imagined up by libertarians, hackers, and tin-foil hats.

    The constitution extends you a right to do a number of things, it doesn't exend the right not to have somebody monitoring you while you do it.

    If you want to do something illegal that you feel shouldn't be illegal, have the balls to stand up and accept the consiquences and fight for it.
    Reply
  • bluekoala
    Not sure if Otacon a troll, or just very stupid....
    Reply
  • Grandmastersexsay
    Jdlobb, math is an artificial construct. So is everything in the Constitution and Bill Of Rights which you have obviously never read.

    Try reading this.

    "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

    That clearly states the government needs probable cause and a warrant to monitor someone, because someone being monitored is clearly not secure in their person, house, papers, and effects. It is so clear infact that only a judge or lawyer could think differently.
    Reply