Monday, 05 August 2013 21:33

Malware Used to Identify People on the Tor Network...


The news is all abuzz with the compromise of the Tor (originally The Onion Router) network. This network has been used by a wide variety of people who are looking for a degree of anonymity. It relies on the use of different entry and exit points to prevent someone from identifying your exact IP address or MAC address. In between these points there are additional hops that further confuse the trail. In basic terms your system is masked by the exit point, which is selected randomly by the system. In addition to the anonymity services for individual users there are also servers that host websites and even anonymous email services. Some have called this the “dark net” or “deep web”, although that is not actually the case (the dark net is something else entirely). Many of these sites are legitimate sites that need to protect their readers from less than understanding authorities, but there are a larger number that are not above board at all, including many sites that host child pornography.
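To make the entry/hop/exit description above concrete, here is an added Python simulation of a three-hop circuit. It is not code from the original article or from the Tor Project: it assumes the client already shares a key with each relay and uses a toy XOR keystream in place of a real cipher (Tor negotiates per-hop keys in a handshake and uses proper symmetric encryption). The relay names, their keys and the destination "example.onion" are constructed sample values.

```python
import hashlib
import json
import os

# Constructed sample circuit: relay name -> per-hop key shared with the client.
# Tor negotiates these keys hop by hop; they are pre-shared here for brevity.
RELAY_KEYS = {
    "guard": os.urandom(32),
    "middle": os.urandom(32),
    "exit": os.urandom(32),
}
CIRCUIT = ["guard", "middle", "exit"]


def keystream_xor(key, data):
    """Toy stream cipher for illustration only: XOR data with a SHA-256
    keystream derived from key and a block counter. Not a real cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_onion(circuit, destination, payload):
    """Client side: wrap the payload in one encryption layer per relay,
    innermost layer for the exit. Each layer names only the next hop."""
    # Innermost layer: only the exit learns the destination and the payload.
    inner = json.dumps({"next": destination, "payload": payload}).encode()
    blob = keystream_xor(RELAY_KEYS[circuit[-1]], inner)
    # Wrap outward: every earlier relay learns only the name of the next relay.
    for i in range(len(circuit) - 2, -1, -1):
        layer = json.dumps({"next": circuit[i + 1], "inner": blob.hex()}).encode()
        blob = keystream_xor(RELAY_KEYS[circuit[i]], layer)
    return blob


def relay_peel(relay, seen_from, blob):
    """One relay's view: decrypt its own layer and forward the remainder.
    Returns (what this relay observed, next hop, remaining blob or payload)."""
    layer = json.loads(keystream_xor(RELAY_KEYS[relay], blob))
    observed = {"relay": relay, "from": seen_from, "to": layer["next"]}
    if "inner" in layer:
        return observed, layer["next"], bytes.fromhex(layer["inner"])
    # Exit relay: what remains is the cleartext payload for the destination.
    observed["payload"] = layer["payload"]
    return observed, layer["next"], layer["payload"]


def run_circuit(circuit, destination, payload):
    """Walk the onion through the circuit; return each relay's observation
    and what the destination server finally sees."""
    blob = build_onion(circuit, destination, payload)
    observations = []
    prev = "client"
    for relay in circuit:
        obs, _next_hop, blob = relay_peel(relay, prev, blob)
        observations.append(obs)
        prev = relay
    # The destination sees traffic arriving from the exit, never from the client.
    return observations, {"from": prev, "payload": blob}


if __name__ == "__main__":
    obs, dest = run_circuit(CIRCUIT, "example.onion", "hello")
    for o in obs:
        print(o)
    print("destination sees:", dest)
```

Each relay records only the hop it received from and the hop it sends to: the guard sees the client but not the destination, and the exit sees the destination but only the middle relay behind it. Nothing in the circuit, however, hides the client's address from code that runs inside the client's own browser, which is why browser-side leaks matter more than the relay path.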


What is very interesting is that the Tor network is primarily funded by the US Government (the US State Department is a big contributor) and had its early beginnings as a DARPA project. Yes, the network that has become the world’s most popular free anonymity software (sponsored by the Electronic Frontier Foundation) is heavily sponsored by the people its users are often trying to hide from. All that aside, it is also known that US law enforcement agencies have honeypot entry and exit points to collect user data, and that certain technologies like JavaScript, Flash and even DNS requests can give your identity away because of the way they work. There are ways to protect yourself from these little holes and the majority of them are well documented, so people keep using the service (and others use it without the protections in place). So what made today’s news more concerning? It was because someone used malware to infect anonymous sites to collect visitors’ IP information.

According to the facts at hand, someone managed to infect a large number of anonymous websites with malware that records the user’s original IP address and sends this data back to a central server. Who did this is up for speculation, but coincidentally the FBI announced the arrest of the person they describe as responsible for the largest amount of child pornography on the internet, and the server that the malware was reporting to belonged to a US Defense Department contractor called SAIC. Now this does not mean that the FBI and US Government are responsible here. Not all that long ago the online activist group Anonymous went after many sites and organizations that were hosting these types of images. They also called out the hosting service Freedom Hosting as one of the biggest hosts for these types of sites on the Tor system. Freedom Hosting was the primary point of the malware infection and, at the time of this writing, most of its services were offline. Other sites and services may have been affected, as a large number were shut down today after the malware was reported.

Right now the leading suspect is the FBI, working through a contractor. They appear to have poisoned a large number of anonymous sites and services in an attempt to catch people serving up child pornography. The incident has inspired mixed feelings in the community. Almost everyone would agree that removing child pornography from the internet (even the anonymous and hidden internet) is a good thing, but it also shows how vulnerable people are even when using a service that is supposed to help protect them. What if the target had not been pornography, but a political dissident site or a whistleblower drop site (there are a few that the press use), or just an attempt to identify as many people using the Tor network as possible? This attack will have some serious impacts on the way people communicate over the internet.

According to the Tor Project the malware was designed to target the Firefox installation in their Vidalia bundle (a simple stand-alone package), but the latest version of this bundle is not affected by the malware. Mozilla has confirmed this and states that the malware used a JavaScript flaw to obtain the user’s information. Firefox 17.0.7 ESR and newer are not vulnerable to this type of malware. It is also important to note that the actual Tor network was not truly compromised, as it was still operating as it was supposed to; it is just that someone managed to infect a large number of servers to force the Firefox browser to rat on its users.

As we said, the Tor network will never be the same and it will be hard for people to trust the legitimate services that are provided through the network. It is sort of like the opening moves in a war: you attack the lines of communication first and then you move in… We wonder if this is just the opening move in a much larger operation, one that could involve a much wider scope than just a single type of site. If nothing else, if/when the US takes credit for this, we are sure it will be used to show how valuable their surveillance programs are.



Last modified on Monday, 05 August 2013 21:36
