Tor users targeted with spyware following anonymous Web-host shutdown

The news that the alleged owner of Freedom Hosting, the internet host for a great number of Tor hidden services, has been arrested and is accused of distributing and promoting child pornography has resounded across the Internet, and it explains the mass outages of Tor hidden services over the last few days.

But that was not the end of it, because it has been discovered that the pages hosted by Freedom Hosting have been modified to include specially crafted malicious JavaScript. Its only purpose is to exploit a flaw in Firefox 17 so that the IP address of the user is revealed and sent to a server in Virginia believed to be operated by the FBI.

The 28-year-old Eric Eoin Marques was arrested in Dublin on Thursday on the basis of an extradition warrant issued by a US court on July 29, and has been denied bail until the Irish High Court has had time to review the case. He is scheduled to appear before the court again later this week.

If extradited, Marques, who holds dual US and Irish citizenship, will be facing four charges (distributing, conspiring to distribute, advertising child pornography, and aiding and abetting a conspiracy to advertise child pornography) and, if convicted, can be sentenced to spend up to 30 years in prison.

Freedom Hosting is well known for allowing pages containing child pornography to be hosted on its servers, and was the target of attacks by Anonymous in 2011.

The Tor Project has moved to point out that Freedom Hosting and its operator(s) are not affiliated or connected with them or the project, and that hidden services are also used for “good” purposes.

“Anyone can run hidden services, and many do. We use them internally at The Tor Project to offer our developers anonymous access to services such as SSH, IRC, HTTP, and our bug tracker,” one of the project’s bloggers wrote in a blog post.

“Other organizations run hidden services to protect dissidents, activists, and protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse-recovery. Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and publish critical information in a way that is not easily traced back to them.”

Daniel Veditz, Security Lead at Mozilla, shared that the vulnerability being exploited by this attack was discovered on June 25, 2013, and has been fixed in Firefox 22 and Firefox ESR (Extended Support Release) 17.0.7.

“Although the vulnerability affects users of Firefox 21 and below the exploit targets only ESR-17 users. Since this attack was found on Tor hidden services presumably that is because the Tor Browser Bundle (TBB) is based on Firefox ESR-17,” he opined.

The attack has taken advantage of the fact that the NoScript add-on in the Tor Browser Bundle is set up to allow JavaScript by default, a move made to make it more user-friendly for average internet users. The Project’s aim was to increase the number of people who use it, because the more people use Tor, the more anonymous it is.

Researchers who have analyzed the malware delivered to the users are pretty sure that it has been created by the FBI and used in previous child porn sting operations. According to Wired, it could be the FBI’s infamous CIPAV (Computer and Internet Protocol Address Verifier) spyware.

One of the reasons why they think law enforcement might be behind this operation is that the payload does not install a backdoor into the targeted systems or modify them in any way. It simply looks up the victim’s MAC address and Windows hostname.

But Tor users are understandably unnerved, as Freedom Hosting also hosted sites and services that have nothing to do with child pornography and have mainly been used by users eager to escape censorship in their home countries and/or identification as dissidents.
