Feds Are Suspects in New Malware That Attacks Tor Anonymity

August 5th, 2013

Update: Phoned Home to NSA

Really?!

I find it very hard to believe that this is some sort of screw up. If you don’t know much about this type of thing, you might think, “Oh the government is incompetent, so someone made a mistake and used one of their own IPs for this attack.” No way. The whole point of something like this would be deniability from top to bottom. They definitely have extensive resources for hiding their attacks.

Someone must want people to know who did this. For what reason, though, I have no idea.

Via: Ars Technica:

Malware planted on the servers of Freedom Hosting—the “hidden service” hosting provider on the Tor anonymized network brought down late last week—may have de-anonymized visitors to the sites running on that service. This issue could send identifying information about site visitors to an Internet Protocol address that was hard-coded into the script the malware injected into browsers. And it appears the IP address in question belongs to the National Security Agency (NSA).

This revelation comes from analysis done collaboratively by Baneki Privacy Labs, a collective of Internet security researchers, and VPN provider Cryptocloud. When the IP address was uncovered in the JavaScript exploit—which specifically targets Firefox Long-Term Support version 17, the version included in Tor Browser Bundle—a source at Baneki told Ars that he and others reached out to the malware and security community to help identify the source.

Initial investigations traced the address to defense contractor SAIC, which provides a wide range of information technology and C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance) support to the Department of Defense. The geolocation of the IP address corresponds to an SAIC facility in Arlington, Virginia.

Further analysis using a DNS record tool from Robotex found that the address was actually part of several blocks of IP addresses permanently assigned to the NSA. This immediately spooked the researchers.

Via: Wired:

Security researchers tonight are poring over a piece of malicious software that takes advantage of a Firefox security vulnerability to identify some users of the privacy-protecting Tor anonymity network.

The malware showed up Sunday morning on multiple websites hosted by the anonymous hosting company Freedom Hosting. That would normally be considered a blatantly criminal “drive-by” hack attack, but nobody’s calling in the FBI this time. The FBI is the prime suspect.

“It just sends identifying information to some IP in Reston, Virginia,” says reverse-engineer Vlad Tsrklevich. “It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based.”

If Tsrklevich and other researchers are right, the code is likely the first sample captured in the wild of the FBI’s “computer and internet protocol address verifier,” or CIPAV, the law enforcement spyware first reported by WIRED in 2007.

Court documents and FBI files released under the FOIA have described the CIPAV as software the FBI can deliver through a browser exploit to gather information from the target’s machine and send it to an FBI server in Virginia. The FBI has been using the CIPAV since 2002 against hackers, online sexual predators, extortionists and others, primarily to identify suspects who are disguising their location using proxy servers or anonymity services, like Tor.

The code has been used sparingly in the past, which kept it from leaking out and being analyzed or added to anti-virus databases.

One Response to “Feds Are Suspects in New Malware That Attacks Tor Anonymity”

  1. alvinroast says:

    I would say this is just a way to suggest that Tor anonymity is real. If the Feds are attacking something, then it must be a threat. For whatever reason they want to convince people that Tor has been providing anonymity for years even if that means blowing it up for future use.
