What's new
  • As of today ICMag has his own Discord server. In this Discord server you can chat, talk with eachother, listen to music, share stories and pictures...and much more. Join now and let's grow together! Join ICMag Discord here! More details in this thread here: here.

Feds are Suspects in New Malware That Attacks Tor Anonymity

Weird

3rd-Eye Jedi
Veteran
http://www.wired.com/threatlevel/2013/08/freedom-hosting/

Security researchers tonight are poring over a piece of malicious software that takes advantage of a Firefox security vulnerability to identify some users of the privacy-protecting Tor anonymity network.
The malware showed up Sunday morning on multiple websites hosted by the anonymous hosting company Freedom Hosting. That would normally be considered a blatantly criminal “drive-by” hack attack, but nobody’s calling in the FBI this time. The FBI is the prime suspect.
“It just sends identifying information to some IP in Reston, Virginia,” says reverse-engineer Vlad Tsrklevich. “It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based.”
If Tsrklevich and other researchers are right, the code is likely the first sample captured in the wild of the FBI’s “computer and internet protocol address verifier,” or CIPAV, the law enforcement spyware first reported by WIRED in 2007.
Court documents and FBI files released under the FOIA have described the CIPAV as software the FBI can deliver through a browser exploit to gathers information from the target’s machine and send it to an FBI server in Virginia. The FBI has been using the CIPAV since 2002 against hackers, online sexual predator, extortionists and others, primarily to identify suspects who are disguising their location using proxy servers or anonymity services, like Tor.
The code has been used sparingly in the past, which kept it from leaking out and being analyzed or added to anti-virus databases.
The broad Freedom Hosting deployment of the malware coincides with the arrest of Eric Eoin Marques in Ireland on Thursday on an U.S. extradition request. The Irish Independent reports that Marques is wanted for distributing child pornography in a federal case filed in Maryland, and quotes an FBI special agent describing Marques as “the largest facilitator of child porn on the planet.”
Freedom Hosting has long been notorious for allowing child porn to live on its servers. In 2011, the hactivist collective Anonymous singled out Freedom Hosting for denial-of-service attacks after allegedly finding the firm hosted 95 percent of the child porn hidden services on the Tor network.
Freedom Hosting is a provider of turnkey “Tor hidden service” sites – special sites, with addresses ending in .onion, that hide their geographic location behind layers of routing, and can be reached only over the Tor anonymity network.
Tor hidden services are ideal for websites that need to evade surveillance or protect user’s privacy to an extraordinary degree – which can include human rights groups and journalists. But it also naturally appeals to serious criminal elements.
Shortly after Marques’ arrest last week, all of the hidden service sites hosted by Freedom Hosting began displaying a “Down for Maintenance” message. That included websites that had nothing to do with child pornography, such as the secure email provider TorMail.
Some visitors looking at the source code of the maintenance page realized that it included a hidden iframe tag that loaded a mysterious clump of Javascript code from a Verizon Business internet address located in eastern Virginia.
By midday Sunday, the code was being circulated and dissected all over the net. Mozilla confirmed the code exploits a critical memory management vulnerability in Firefox that was publicly reported on June 25, and is fixed in the latest version of the browser.
Though many older revisions of Firefox are vulnerable to that bug, the malware only targets Firefox 17 ESR, the version of Firefox that forms the basis of the Tor Browser Bundle – the easiest, most user friendly package for using the Tor anonymity network.
“The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based,” the non-profit Tor Project wrote in a blog post Sunday. “We’re investigating these bugs and will fix them if we can.”
The inevitable conclusion is that the malware is designed specifically to attack the Tor browser. The strongest clue that the culprit is the FBI, beyond the circumstantial timing of Marques’s arrest, is that the malware does nothing but identify the target.
The heart of the malicious Javascript is a tiny Windows executable hidden in a variable named “Magneto”. A traditional virus would use that executable to download and install a full-featured backdoor, so the hacker could come in later and steal passwords, enlist the computer in a DDoS botnet, and generally do all the other nasty things that happen to a hacked Windows box.
But the Magneto code doesn’t download anything. It looks up the victim’s MAC address – a unique hardware identifier for the computer’s network or Wi-Fi card — and the victim’s Windows hostname. Then it sends it to the Virginia server, outside of Tor, to expose the user’s real IP address, and coded as a standard HTTP web request.
“The attackers pent a reasonable amount of time writing a reliable exploit, and a fairly customized payload, and it doesn’t allow them to download a backdoor or conduct any secondary activity,” says Tsrklevich, who reverse-engineered the Magneto code.
The malware also sends, at the same time, a serial number that likely ties the target to his or her visit to the hacked Freedom Hosting-hosted website.
In short, Magneto reads like the x86 machine code embodiment of a carefully crafted court order authorizing an agency to blindly trespass into the personal computers of a large number of people, but for the limited purpose of identifying them.
But plenty of questions remain. For one, now that there’s a sample of the code, will anti-virus companies start detecting it?
 

Harry Gypsna

Dirty hippy Bastard
Veteran
AFIK, you only need to worry about this if you a) look at CP (in which case you deserve all you get and should be flayed alive and drowned in a barrel of vinegar) or b) went to Tormail, and even then, only people slack enough not to update their Tor bundle to the latest version when it comes out need to worry. The hole in firefox was fixed in the last update.
This is from the brain trust over at SR forum.
 

Harry Gypsna

Dirty hippy Bastard
Veteran
Good thing I use chrome and not firefox.


This is a Tor specific issue. You can't be using chrome with Tor.
Firefox portable is the browser used in the tor browser bundle.
As I say, only kiddie beasts and slackasses need to worry.
You would have to be really super slack too, because when you start tor up, the 1st page you see tells you whenever there is an update.

They don't need to be making viruses to find your ip/mac number for chrome, as you are using it on the clearnet and it is there for all the websites you visit to see, along with anyone who is watching those sites (unless you are using a proxy).

TAILS uses mac spoofing to give a fake mac number and runs through Tor by default, thus hiding your IP. It also completely bypasses your windows or whatever OS you use and leaves no traces on your pooter. You download TAILS, put it on a USB stick, mess with the bios on your pooter to alter the boot order, then if you switch on with the USB plugged in, you get TAILS, but if you switch on without the USB, you get your regular OS. It's a pity Truecrypt only works with windows, because you can have a hidden OS on truecrypt, and TAILS + truecrypt hidden OS would be awesome. Some computers wont allow this dual booting without making it a PITA thanks to backroom deals with Microsoft. My new laptop, if I want to use TAILS, I have to go into the BIOS and switch the setting every time I want to switch between windows and tails, onerous, but doable.
 

Latest posts

Latest posts

Top