Malware, Vulnerability Management

Child porn bust could hold deeper implications to privacy of Tor users

Older versions of the Firefox web browser – included within Tor Browser Bundle, which enables users to run the anonymity network on Windows, Mac OS X or Linux without the need to install any software – may not be giving users the protected web browsing experience they expect.

Many are pointing to U.S. law enforcement as the culprits behind malware being nicknamed Torsploit, which is exposing the location of Tor users and sending that information back to a single IP address – defying the private web browsing services that make Tor a go-to for its vast number of users.

The Tor network directs traffic through thousands of relays, making internet tracking nearly impossible. Users download the Tor Browser Bundle, which contains a modified version of Firefox, for use over the Tor network.

But a new vulnerability can enable the collection of the hostnames and MAC addresses of victim computers, Tor developer Roger Dingledine said in a Monday post.

The vulnerability was exposed after an FBI extradition request for 28-year-old Eric Marques, according to an Irish news report. He has been charged with heading up Freedom Hosting on the Tor network – a group said to be involved in a large-scale child pornography distribution ring.

Many observers believe that the warrant issued for Marques' arrest and the revelations of the vulnerability are no coincidence, as it's believed the feds infected a large number of Freedom Hosting sites to track down his identity. The Freedom Hosting operation, however, is not connected to Tor's developers, known as the Tor Project.

A quick finger was directed toward American authorities, including the FBI and National Security Agency (NSA), after users discovered that malware introduced into the Tor network via the vulnerability could gather locations of users and forward that information to an IP address belonging to a Verizon business in Virginia.

The security team at Cryptocloud, a VPN service, has been engaging in discussion on its forums and posted recent findings from Baneki Privacy Labs, an activist project. Baneki traced the IP space used in the exploit back to the National Security Agency's (NSA) Autonomous Systems.

Is this PRISM, the NSA's mass data collection apparatus, at work? That is a popular theory right now.

“Because this payload does not download or execute any secondary backdoor or commands, it's very likely that this is being operated by a [law enforcement agency] and not by black hats [malicious hackers],” Vlad Tsyrklevich, a reverse engineer based in New York, wrote in a post. He later tweeted that “it only sends back hostname/MAC address/UUID [to identify which site you visited].”

The attack code – which is Windows-specific and is said not to affect Linux or OS X users – exploits a Firefox vulnerability in JavaScript that was fixed in Firefox 17.0.7 ESR, Dingledine said.

All users of earlier Tor Browser Bundles may be vulnerable to arbitrary code execution that could take over their computer, Dingledine warned. He does not believe the attack modifies anything on the victim's computer, but said “it's reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden [Tor] services.”

ACLU security and privacy researcher Chris Soghoian blamed the exploit on an out-of-date package.

“It looks like the exploit has been taking advantage of a vulnerability that was fixed in the June release of the Tor Browser Bundle,” he told SCMagazine.com in an email. “If this is indeed the case, it suggests that the root problem here is a failure of the Tor Project to deliver automatic security updates to users of the Tor Browser Bundle.”

Users receive notifications when there is an upgrade to the Tor Browser Bundle, and Dingledine suggested users always update promptly. To avoid these types of problems in the future, he said users could try disabling JavaScript or switching away from Windows entirely.

The FBI declined to comment on any malware.

"An individual has been arrested as part of an ongoing criminal investigation," a spokeswoman told SCMagazine.com. "Because this matter is ongoing, we are unable to provide further comment."

Frequent calls to the Tor phone number listed on the website could not be completed due to high call volume. Emails to the Tor media account were not immediately returned.
