Digital Bounds Logo

Feds Prime Suspects in Malware That Attacks Tor Anonymity

Security researchers are focusing on a piece of malicious software, which takes advantage of a security vulnerability in Firefox, designed to identify some users of the Tor network.

The malware was discovered Sunday morning on multiple websites hosted by the anonymous hosting company Freedom Hosting. While this attack would usually be considered criminal, the FBI is in the hot seat this time.

“It just sends identifying information to some IP in Reston, Virginia,” says reverse-engineer Vlad Tsyrklevich. “It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based.”

The code, which is part of the FBI’s CIPAV(Computer and Internet Protocol Address Verifier) has been used scarcely, keeping it from leaking out, being analyzed, or added to antivirus databases.

After arrests made last week, certain hidden services hosted by Freedom Hosting began displaying a “Down for Maintenance” page. These services included websites that had nothing to do with the earlier arrests, such as a secure email provider TorMail.

Upon viewing the source code of the ‘maintenance’ page, it was discovered that a hidden iframe tag was loading JavaScript from a Verizon Business internet address in Virginia. By midday Sunday, the code was being dissected and analyzed all over the web, Mozilla even confirmed the code exploited a critical memory management vulnerability in Firefox that had been publicly reported on June 25th.

“The attackers spent a reasonable amount of time writing a reliable exploit, and a fairly customized payload, and it doesn’t allow them to download a backdoor or conduct any secondary activity,” says Tsyrklevich, who reverse-engineered the code.

It’s worth noting that users of the Tor Browser Bundle who have installed or manually updated after June 26th are safe from this exploit. However, this does spark questions, including are there many variations of this malicious code are there, and how widespread might it actually be?