A malware outbreak which reveals the IP addresses of computer users has struck sites on the anonymous Tor network, including some said to host child pornography - with forum users and security researchers suggesting that the outbreak might be the work of the FBI.
Tor directs data through a worldwide network of relays to conceal the identities of users. Using Tor, users can access special .onion sites - only accessible using the Tor browser - some of which host highly illegal content, including child porn. Researchers and Tor users have claimed that the malware outbreak aims to expose the identities of Tor users, in particular users of child pornography.
The "smoking gun", one researcher suggests, is that the malware - which infects users via Firefox, distributed as part of the Tor Browser Bundle - does not install a "backdoor" in users' PCs. Intead, it sends their IP address and MAC address (which can be used to identify PC users) to an address in America.
The outbreak coincided with the reported disappearance of several sites connected to Freedom Hosting, a hosting firm widely reported to have connections to child pornography - and the recent arrest of a 28-year-old Eric Eoin Marques, described as “the largest facilitator of child porn on the planet”, according to the Irish Examiner. Tor users have suggested that the two events are linked.
"This is an annotation and very brief analysis of the payload used by the Tor Browser Bundle exploit," said security researcher Vlad Tsyrklevich in a blog post. "Briefly, this payload connects to 65.222.202.54:80 and sends it an HTTP request that includes the host name (via gethostname()) and the MAC address of the local host. After that it cleans up the state and appears to deliberately crash. Because this payload does not download or execute any secondary backdoor or commands it's very likely that this is being operated by an LEA [Law Enforcement Agency] and not by blackhats."
“It just sends identifying information to some IP in Reston, Virginia,” Tsyrklevich said in a report in Wired’s Threat Level blog. “It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based.”
Online forums have suggested that the malware has spread on other sites within the Tor network, with some suggesting that TORmail, TOR’s secure email service, may be compromised, according to a report in The Register.
The Tor Project announced the outbreak in two linked blog posts, in which the organization distanced itself from Freedom Hosting. “Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses have disappeared from the Tor Network. There are a variety of rumors about a hosting company for hidden services: that it is suddenly offline, has been breached, or attackers have placed a javascript exploit on their web site. An attack that exploits a Firefox vulnerability in JavaScript has been observed in the wild. Specifically, Windows users using the Tor Browser Bundle (which includes Firefox plus privacy patches) appear to have been targeted. This vulnerability was fixed in Firefox 17.0.7 ESR.”
ESET Senior Research Fellow David Harley says that the outbreak raises questions over how companies should deal with such “policeware”.
“We have no absolute proof that it's FBI code,” Harley sayd. “They didn't ask the AV community not to detect it (they may have asked some of the big players, but no-one has admitted it - Please Police Me), and many companies would probably have declined anyway. No-one wants the FBI not to pursue child abusers: in fact, we've frequently cooperated with police forces on forensic issues that are probably related to 'the Trojan defence' (SODDImy and the Trojan Defence) - but if we come across something like this, we simply can't assume it's being used legitimately, even if was known to be policeware in origin. The online threatscape is far too complex and dynamic for that. Robert Lipovsky and I also looked at this issue with reference to German policeware.”
Author Rob Waugh /Rob Waugh, WeLiveSecurity/