Feds Accused Of Distributing Malware That De-Anonymizes Tor Users

from the left-hand,-meet-the-anonymous-right-hand dept

It's somewhat well known that the popular Tor anonymous browsing system gets a significant amount of funding from the US government. In the past, the suggestion had always been that the State Department was a major supporter because of its belief that Tor would help dissidents in other countries communicate better via anonymous systems. However, now there's a lot of buzz because it appears that a bit of malware that was discovered this weekend targeting Tor users, may have come directly from the FBI itself. The implication isn't against the Tor project at all, but rather it appears that whoever pushed out this malware did so by using a vulnerability targreting people using the Tor Browser Bundle -- a Firefox bundle that builds in Tor -- browsing a variety of hidden sites (available only to Tor users) hosted by the somewhat infamous Freedom Hosting. Freedom Hosting's boss, Eric Eoin Marques was arrested in Ireland last week as the US is trying to extradite him. But, what was more interesting was what some people discovered on all Freedom Hosting pages:
Shortly after Marques' arrest last week, all of the hidden service sites hosted by Freedom Hosting began displaying a “Down for Maintenance” message. That included websites that had nothing to do with child pornography, such as the secure email provider TorMail.

Some visitors looking at the source code of the maintenance page realized that it included a hidden iframe tag that loaded a mysterious clump of Javascript code from a Verizon Business internet address located in eastern Virginia.

By midday Sunday, the code was being circulated and dissected all over the net. Mozilla confirmed the code exploits a critical memory management vulnerability in Firefox that was publicly reported on June 25, and is fixed in the latest version of the browser.

Though many older revisions of Firefox are vulnerable to that bug, the malware only targets Firefox 17 ESR, the version of Firefox that forms the basis of the Tor Browser Bundle – the easiest, most user-friendly package for using the Tor anonymity network.
So why do people think the feds are involved? The bit of malware scoops up various identifying information -- MAC address and Windows hostname -- and then sends it to a server in Virginia to find the real IP address of the computer in question. The Virginia server is controlled by the infamous contractor SAIC, who works with numerous government agencies.

It's no secret that law enforcement has wanted to identify folks who are trying to be anonymous. And, as discussed just last week, the FBI has been using malware at an increasing rate. So it wouldn't be a huge surprise to find out that little tricky bit of malware was designed to provide more info on Tor users who might be up to nefarious activity (or, you know, they might just want to surf anonymously). I imagine that this is not the end of this particular story...


Reader Comments (rss)

(Flattened / Threaded)

  1. This comment has been flagged by the community. Click here to show it
     
    identicon
    out_of_the_blue, Aug 5th, 2013 @ 1:24pm

    But when I tell these FACTS here at Techdirt, I get censored.

    This comment has been flagged by the community. Click here to show it

    out_of_the_blue, Nov 30th, 2012 @ 1:54pm

    Lie down with dogs, you get up with fleas.

    I'm short on sympathy, as usual.

    Listen. There MAY be "legitimate" uses for TOR, but as the obvious purpose IS to avoid some sort of laws, if police find the trail ends at you -- due to deliberate suppressing of logs on a system having purpose of hiding identity -- then you're left holding the bag, and jurors ain't gonna believe you're (totally) innocent. Smear tactics do work: you'll get a "probably guilty of something" verdict, is all.

    Besides that, nothing will matter to the state except that you are HIDING something from them: that's a far greater "crime" to a state than anything actual. You self-identity just by operating these. So beware.

    Now, I'd like to point out to those who believe these networks do provide anonymity is that's only true IF none are operated by gov't or its contractors, AND in any event, exit points are as easily found as any IP, so it's a simple matter to shut down ALL of those (in time). You guys who think you'll "route around" the police state keep assuming that the state will act lawfully and pretty much as at present.

    Mike here quite unusually fails to mention his favorable prior pieces on "deep dark network" though is on the automatic related links.

    http://www.techdirt.com/articles/20121130/07495221185/tor-exit-node-operator-charged-with- distributing-child-porn.shtml#c35

     

    reply to this | link to this | view in thread ]

  2.  
    icon
    Internet Zen Master (profile), Aug 5th, 2013 @ 1:25pm

    It's not surprising

    Tor is nothing more than a wretched hive of child pornographers and terrorists. Anyone who says otherwise is clearly aiding the enemy and should be locked up with Bradley Manning!

    /s

     

    reply to this | link to this | view in thread ]

  3.  
    icon
    Machin Shin (profile), Aug 5th, 2013 @ 1:38pm

    Re: But when I tell these FACTS here at Techdirt, I get censored.

    "But when I tell these FACTS here at Techdirt, I get censored."

    I know I am just wasting my time, but I just so happen to have some time that needs wasting so...

    I think it is worth pointing out that most people here would be more than willing to have an intelligent discussion. The reason most people report these post is because of your "holier than thou" tone. This results in us having no sympathy when your comments get hidden.

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    Anonymous Coward, Aug 5th, 2013 @ 1:41pm

    > a vulnerability trgreting people

    missing an a in targeting.

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    S. T. Stone, Aug 5th, 2013 @ 1:44pm

    Re: But when I tell these FACTS here at Techdirt, I get censored.

    the obvious purpose IS to avoid some sort of laws

    No, the obvious purpose of Tor has to do with avoiding surveillance.

    Yes, avoiding surveillance can mean someone wants to avoid having the police bust down their door and send them to county lockup for a Blue Light Special (one nightstick, hold the lube).

    But it can also mean that someone wants to avoid having the government read their metadata, see what fully-legal political/news/etc. sites they visit, or other such potentially suppressive actions.

    The act of avoiding surveillance exists in a neutral state; the reason why people do it makes it ‘good’ or ‘evil’, kinda like how phones exist to perform a specific action (allow two or more people to converse with each other over long distances) but also have a ‘neutrality’ to them until a person decides to use them for a specific ‘good’ or ‘evil’ purpose.

    Don't go judging the technology based on its users; instead, judge the users based on what they do with the technology.

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    S. T. Stone, Aug 5th, 2013 @ 1:44pm

    Re: Re: But when I tell these FACTS here at Techdirt, I get censored.

    Don’t forget the ad hominems and the ‘boy who cried Google’ routine.

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Anonymous Coward, Aug 5th, 2013 @ 1:47pm

    Re:

    Nope. It's not the NSA, but a government contractor. Best article I've seen written about it: Wired

    The actual source code is available there as well in decompiled code done by Vlad Tsyrklevich. link

    Long story short, most tech folks usually run in VMs with a Linux live distro and were not effected. The code itself uploads only the MAC address, IP Address, and URL to servers in Virgina, and it was directly targeting Windows users with the Tor Browser installed. Lesson learned, use a VM (defeats MAC Address), use a VPN before entering TOR (defeats IP Address), and mostly don't use Windows.

    The fact that they infected TorMail is very disconcerting however and questionable to say the least.

     

    reply to this | link to this | view in thread ]

  8.  
    identicon
    Anonymous Coward, Aug 5th, 2013 @ 1:49pm

    Re: But when I tell these FACTS here at Techdirt, I get censored.

    So then, just give up?

    Since you're always talking about morality, is it moral behavior to hide your identity from a government that's gone corrupt?

    If only these Internet services were used exclusively for what you *think* they are...

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    Anonymous Coward, Aug 5th, 2013 @ 1:54pm

    What is surprising here are the fools that believe that animosity exists.

    With almost all small computers, desktop, laptop, et, running only one operating system world wide there in a NSA dream world that allows NSA access to almost every computer. Small wander that when Microsoft was sewed for its monopolist practices by state governments the federal squished the suit.

    Then there is of course sites like Facebook where is has became the chick thing to post all one confidential history for world view. Again a false monopoly sanctioned by the NSA States of America.

    The said part is that computer geeks believe that they are immune to government snooping because they are geeks. This was much the attitude of the German and Russian scientists in the 1930s. Unfortunately they were not immune to the negative effects of the real world and lead mosquitoes. Wonder how the 21 century geeks are going to fair with total surveillance in a totalitarian world.

     

    reply to this | link to this | view in thread ]

  10.  
    icon
    Machin Shin (profile), Aug 5th, 2013 @ 2:07pm

    Re: But when I tell these FACTS here at Techdirt, I get censored.

    I would also like to take this moment to point out something you seem to have missed.

    Your always ranting about Google and how evil they are tracking our actions, but here you suggest that Tor users all are just criminals hiding from the law. You ever stop to think maybe some Tor users are actually just avoiding the evil google tracking?

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    Anonymous Coward, Aug 5th, 2013 @ 2:09pm

    Sounds like SAIC is violating the Computer Fraud and Abuse Act. The DOJ and FBI should be investigating this immediately. I expect to see them pile on the charges too as they have done with so many others. I want to see their CEO doing the perp walk as well.

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    Anonymous Anonymous Coward, Aug 5th, 2013 @ 2:29pm

    Tor Updates

    I just checked my Tor browser to see if it was up to date. I asked specifically to check for updates, and it reported up to date.

    However, checking the Tor website, something was not right. I un-installed the old setup and downloaded the newest version. After installation I check the version number. It was quite different than the 'up to date' previous version.

    Y'all might want to check yours.

     

    reply to this | link to this | view in thread ]

  13.  
    identicon
    The Real Michael, Aug 5th, 2013 @ 2:38pm

    Yes, how dare people want privacy! They must be up to no good! The Bill of Rights enables terrorism! /s

     

    reply to this | link to this | view in thread ]

  14.  
    icon
    Manabi (profile), Aug 5th, 2013 @ 3:14pm

    Re:

    What is surprising here are the fools that believe that animosity exists.
    Oh, animosity most certainly exists, you only have to look at the regular trolls that post on nearly ever post to prove that.

     

    reply to this | link to this | view in thread ]

  15.  
    identicon
    Anonymous Coward, Aug 5th, 2013 @ 3:18pm

    Spoof the MAC address and stick to GNU/Linux.

     

    reply to this | link to this | view in thread ]

  16.  
    identicon
    Anonymous Coward, Aug 5th, 2013 @ 3:44pm

    Another IFRAME exploit. Make sure to disable IFRAMES in NoScript, and do not allow script globally.

     

    reply to this | link to this | view in thread ]

  17.  
    identicon
    Anonymous Coward, Aug 5th, 2013 @ 3:45pm

    Re: Re: But when I tell these FACTS here at Techdirt, I get censored.

    This is why they are largely ignored and "downvoted", because there is next to no logical consistency to their arguments.

     

    reply to this | link to this | view in thread ]

  18.  
    icon
    Francisco George (profile), Aug 5th, 2013 @ 3:56pm

    Tor Financial reports

    Page 6 of https://www.torproject.org/about/findoc/2012-TorProject-Annual-Report.pdf AND page 10 of https://www.torproject.org/about/findoc/2011-TorProject-Amended-Final-Report.pdf

    Major Program:
    U.S. Department of Defense
    Pass-Through from SRI International
    Basic and Applied Research and Development in
    Areas Relating to the Navy Command, Control,
    Communications, Computers, Intelligence, 12.335 N66001-11-C-4022 $ 503,706
    Surveillance, and Reconnaissance

    Non-Major Program:
    U.S. Department of State
    Pass-Through from Internews Network
    International Programs to Support
    Democracy, Human Rights 19.345 S-LMAQM-08-GR-618 $ 227,118
    and Labor
    National Science Foundation
    Pass-Through from Drexel University
    Computer and Information Science
    and Engineering 47.070 CNS-0959138 143,062

     

    reply to this | link to this | view in thread ]

  19.  
    icon
    Francisco George (profile), Aug 5th, 2013 @ 4:09pm

    Hackers Making (very) Big Money selling flaws to Governments

     

    reply to this | link to this | view in thread ]

  20.  
    identicon
    Anonymous Coward, Aug 5th, 2013 @ 4:10pm

    Re:

    Agreed. You'll want:

    https://www.eff.org/https-everywhere
    https://addons.mozilla.org/en-US/firefox/addon/722
    h ttps://addons.mozilla.org/en-US/firefox/addon/1865
    https://addons.mozilla.org/en-US/firefox/addon/c alomel-ssl-validation/
    https://addons.mozilla.org/en-US/firefox/addon/6623

    and probably more.

    Note: in a better world, the Firefox developers would be making all of this functionality part of the base package instead of screwing around with the UI for the 38th time in a doomed attempt to dumb it down enough to scrape the bottom of the user barrel.

     

    reply to this | link to this | view in thread ]

  21.  
    icon
    Francisco George (profile), Aug 5th, 2013 @ 4:20pm

    Re:

    In previous TOR Bundle JavaScripts were DISABLED by default. In the last version, the one actually available for download, JavaScript is ENABLED by default. Funny right? :-)

     

    reply to this | link to this | view in thread ]

  22.  
    identicon
    Anonymous Coward, Aug 5th, 2013 @ 4:24pm

    Re: Re: Re: But when I tell these FACTS here at Techdirt, I get censored.

    It seems it's only an 'ad hominem' if he's doing it though.
    you don't seem to mind playing the man and not the ball yourself

     

    reply to this | link to this | view in thread ]

  23.  
    identicon
    Anonymous Coward, Aug 5th, 2013 @ 4:33pm

    Re: Re:

    for every sentence OOTB or his ilk write, there are around 15 written in reply by the community. While I'll admit the first sentence is usually a wind-up, it's the 15 in reply that contain the animosity (and in the last few days more than a bit of vitriol and the cursed 'ad-hominems')

    It's a delightful train-wreck that keeps me coming back

     

    reply to this | link to this | view in thread ]

  24.  
    identicon
    Anonymous, Aug 5th, 2013 @ 4:57pm

    Re: Re: But when I tell these FACTS here at Techdirt, I get censored.

    And even if it "IS to avoid some sort of laws", what's wrong with that?

     

    reply to this | link to this | view in thread ]

  25.  
    identicon
    Anonymous Coward, Aug 5th, 2013 @ 6:00pm

    Re: Re:

    How did the government compromise the servers in the first place? It would be difficult to do so without the ability to trace all that Tor traffic to the servers where the content was being hosted. NSA is the most likely candidate.

     

    reply to this | link to this | view in thread ]

  26.  
    identicon
    Anonymous Coward, Aug 5th, 2013 @ 6:14pm

    Re: Re: Re: Re: But when I tell these FACTS here at Techdirt, I get censored.

    You don't know what ad hominem is.

     

    reply to this | link to this | view in thread ]

  27.  
    identicon
    Anonymous Coward, Aug 5th, 2013 @ 7:03pm

    Re: Re: Re: Re: Re: But when I tell these FACTS here at Techdirt, I get censored.

    Nice.

     

    reply to this | link to this | view in thread ]

  28.  
    identicon
    Very Anonymous Coward, Aug 5th, 2013 @ 7:22pm

    An odd thing...

    A week or so ago there was a story on the Slashdot firehose that purported to be from someone who had something to leak.

    Coincidence? Maybe. I'd use Tor if that was me.

     

    reply to this | link to this | view in thread ]

  29.  
    identicon
    Anonymous Coward, Aug 5th, 2013 @ 7:26pm

    Re: Re: Re:

    The owner of the servers, Eric Eoin Marques, was arrested by Irish police on Thursday and the servers were seized. During that time, according to Reddit the pages on FH were displaying a maintenance page. On Sunday the servers reappeared with the malware installed. According to the Independent, the FBI was the organization seeking extradition. link Though, I would suspect that the NSA probably had some hand in tracking down the location of the servers in Ireland. That certainly isn't an easy job, after all, a rather large group of Anonymous members were trying to shut the site down just last year without effect.

     

    reply to this | link to this | view in thread ]

  30.  
    identicon
    Anonymous Coward, Aug 5th, 2013 @ 7:39pm

    Re: Re: Re: Re:

    Exactly. They had to find the servers before they could shut them down. Most adversaries could never pull it off, but Tor is absolutely useless against an adversary that can monitor all traffic.

     

    reply to this | link to this | view in thread ]

  31.  
    identicon
    Anonymous Coward, Aug 5th, 2013 @ 8:12pm

    Re: Re: Re: Re: Re:

    Sorry I got that backwards in my previous comment. The servers were in Romania, and the owner in Ireland. Irish police were the ones who tracked his financial investments over to Romania, or at least that is how Ars is leaning towards linking in the seizure of the servers. I'm sure this case has been ongoing for a long time, as it was well noted that FH was a haven for Kiddy Porn, though they did host TorMail, OnionBank, and a lot of little known sites. I would say they were probably the biggest TOR hosting company around, as most just use a VPS or private server to host with.

     

    reply to this | link to this | view in thread ]

  32.  
    identicon
    Pixelation, Aug 5th, 2013 @ 9:59pm

    It's great to see US government agencies ass raping the internet. What could possibly go wrong?

     

    reply to this | link to this | view in thread ]

  33.  
    identicon
    Anonymous Coward, Aug 5th, 2013 @ 10:38pm

    Re: Re: Re: But when I tell these FACTS here at Techdirt, I get censored.

    Exactly, like how someone in Iran might want to avoid some repressive law to disseminate information of government wrongdoing. Or seeking help because of how the USA is holding your relative in jail without being provided basic constitutional rights like the right to a speedy trial.

     

    reply to this | link to this | view in thread ]

  34.  
    icon
    Ninja (profile), Aug 6th, 2013 @ 3:41am

    Again put aside the outrage of seeing them use malware to spy on anyone via malicious injection it's still completely and utterly ineffective against the real criminals. Those using the mentioned Tor bundle are the ones without enough ability to set up the thing to run by itself. Either the FBI is clueless or they intend to spy on regular citizens. None of the possible explanations are good.

     

    reply to this | link to this | view in thread ]

  35.  
    identicon
    Anonymous Coward, Aug 6th, 2013 @ 6:07am

    Re: But when I tell these FACTS here at Techdirt, I get censored.

    Funny thing is facts is something that is true or false.

    Giving a fact is easy, like 1+1=2 is a fact. But proving it is more difficult than that.
    http://tachyos.org/godel/1+1=2.html

    You dispense facts like there is a fact fire sale. But where is your proof? When do you ever bother to prove any of your facts?

    With the amount of shit you throw onto the wall I'm surprised more doesn't stick.

     

    reply to this | link to this | view in thread ]

  36.  
    icon
    John Fenderson (profile), Aug 6th, 2013 @ 9:47am

    Re: Re:

    Note: in a better world[...]


    We can but dream, can't we?

     

    reply to this | link to this | view in thread ]

  37.  
    identicon
    Anonymous Coward, Aug 7th, 2013 @ 2:26pm

    Re: Re: Re: Re: Re: But when I tell these FACTS here at Techdirt, I get censored.

    It means, "Include a word that sounds the same".

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This