The feds are the top suspect in a piece of computer malware that aims to eliminate anonymity on “The Onion Router” or “TOR.” The malware works by utilizing a security hole in the popular Mozilla FireFox browser.
Via Wired:
Security researchers tonight are poring over a piece of malicious software that takes advantage of a Firefox security vulnerability to identify some users of the privacy-protecting Tor anonymity network.
The malware showed up Sunday morning on multiple websites hosted by the anonymous hosting company Freedom Hosting. That would normally be considered a blatantly criminal “drive-by” hack attack, but nobody’s calling in the FBI this time. The FBI is the prime suspect.
“It just sends identifying information to some IP in Reston, Virginia,” says reverse-engineer Vlad Tsrklevich. “It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based.”
If Tsrklevich and other researchers are right, the code is likely the first sample captured in the wild of the FBI’s “computer and internet protocol address verifier,” or CIPAV, the law enforcement spyware first reported by WIRED in 2007.
Court documents and FBI files released under the FOIA have described the CIPAV as software the FBI can deliver through a browser exploit to gather information from the target’s machine and send it to an FBI server in Virginia. The FBI has been using the CIPAV since 2002 against hackers, online sexual predators, extortionists, and others, primarily to identify suspects who are disguising their location using proxy servers or anonymity services, like Tor.
The code has been used sparingly in the past, which kept it from leaking out and being analyzed or added to anti-virus databases.
ZitatBy midday Sunday, the code was being circulated and dissected all over the net. Mozilla confirmed the code exploits a critical memory management vulnerability in Firefox that was publicly reported on June 25, and is fixed in the latest version of the browser.
Though many older revisions of Firefox are vulnerable to that bug, the malware only targets Firefox 17 ESR, the version of Firefox that forms the basis of the Tor Browser Bundle – the easiest, most user-friendly package for using the Tor anonymity network.
“The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based,” the non-profit Tor Project wrote in a blog post Sunday. “We’re investigating these bugs and will fix them if we can.”