
FBI May Be Behind Tor Browser Focused Malware

For web surfers wanting to be totally anonymous, the Tor Project offers a browser bundle that bounces the user's communication around a distributed network of relays run by volunteers stationed across the globe. It supposedly prevents eavesdroppers from viewing your surfing habits, and websites from knowing who you are, where you've been and where you're physically located.

The Tor browser is based on Firefox 17 ESR, but has been modified at the code level to enable fully anonymous browsing. The Tor Project said on Monday that an attack exploiting a JavaScript vulnerability in Firefox has been observed in the wild. Moreover, this attack appears to target users of the Windows-based Tor Browser bundle directly.


"The vulnerability allows arbitrary code execution, so an attacker could in principle take over the victim's computer," the group states. "However, the observed version of the attack appears to collect the hostname and MAC address of the victim computer, send that to a remote webserver over a non-Tor connection, and then crash or exit. The attack appears to have been injected into (or by) various Tor hidden services, and it's reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services."

Tor Browser users are advised to upgrade to the latest bundle release, as the vulnerability was fixed in Firefox 17.0.7, which is included in Tor Browser versions 3.25-10, 4.15-alpha-1 and 4.15-beta-1. The Tor Browser bundle also checks automatically whether it is out of date and notifies the user on its home page if an update is needed. Users are also advised to disable JavaScript by clicking the blue "S" beside the green onion and selecting "Forbid Scripts Globally." Of course, this may "break" many websites that depend on JavaScript.

"Consider switching to a 'live system' approach like Tails," the team states. "Really, switching away from Windows is probably a good security move for many reasons."

The attack in question reportedly stems from websites served up by the anonymous web hosting company Freedom Hosting. This company specializes in hosting .onion websites, which hide their IP addresses and geographical locations behind layers of routing and can only be accessed via the Tor network. Some of these sites are also reported to distribute child pornography.

Wired reports that the broad deployment of malware across the Freedom Hosting network coincided with the arrest of Eoin Marques in Ireland on Thursday. He was wanted for distributing child pornography in a federal case filed in Maryland. Shortly thereafter, all of the hidden service sites hosted by Freedom Hosting began displaying a "Down for Maintenance" message, including legitimate sites such as TorMail.

The maintenance pages were examined and found to include a hidden "iframe" tag that loaded a clump of JavaScript code from a Virginia-based Verizon business Internet address. "It just sends identifying information to some IP in Reston, Virginia," reverse-engineer Vlad Tsyrklevich told Wired. "It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based."

Buried within the malicious JavaScript is a tiny Windows-based executable inside a hidden variable named "Magneto." Instead of downloading additional code that would open a back door to hackers, it relays the victim's MAC address and Windows hostname to a server in Virginia that's outside the Tor network. This exposes the user's actual IP address.
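The indicator described above, a hidden iframe on a hidden-service "maintenance" page pulling script from a clearnet IP address, can be checked for mechanically. The following is an added defensive example, not code from the article or from the Tor Project: it scans a page for hidden iframes and script tags whose source is a non-.onion host. The sample HTML and the 203.0.113.10 address are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page mimicking the pattern in the article: a "maintenance"
# notice with a hidden iframe and a script fetched from a clearnet IP address.
SAMPLE_PAGE = """<html><body>
<h1>Down for Maintenance</h1>
<iframe src="http://203.0.113.10/content" width="1" height="1" style="display:none"></iframe>
<iframe src="http://exampleservice.onion/status"></iframe>
<script src="http://203.0.113.10/js/lib.js"></script>
</body></html>"""


def _is_hidden(attrs):
    """True for iframes styled invisible or sized to a single pixel or less."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return "display:none" in style or "visibility:hidden" in style or tiny


def _is_clearnet(url):
    """True when the URL has an absolute host that is not a .onion address."""
    host = urlparse(url).hostname or ""
    return bool(host) and not host.endswith(".onion")


class _Finder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if not src or not _is_clearnet(src):
            return  # relative or .onion sources are not flagged
        if tag == "iframe" and _is_hidden(a):
            self.findings.append(("hidden-iframe", src))
        elif tag == "script":
            self.findings.append(("external-script", src))


def find_clearnet_loads(html):
    """Return (kind, url) pairs for hidden iframes and scripts loaded from non-.onion hosts."""
    parser = _Finder()
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for kind, url in find_clearnet_loads(SAMPLE_PAGE):
        print(f"{kind}: {url}")
```

A hit does not prove an exploit is present, but a hidden service legitimately has little reason to embed resources from clearnet hosts, so each finding is worth examining.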

So is this malware really linked to the FBI? DomainTools reports that the command-and-control IP address used by the malware is associated with McLean, Virginia-based Science Applications International Corporation (SAIC). This is a major technology contractor for defense and intelligence agencies… including the FBI.