FBI Admits It Controlled Tor Servers Behind Mass Malware Attack

Stan.Dupp's Avatar



It wasn’t ever seriously in doubt, but the FBI yesterday acknowledged that it secretly took control of Freedom Hosting last July, days before the servers of the largest provider of ultra-anonymous hosting were found to be serving custom malware designed to identify visitors.

Freedom Hosting’s operator, Eric Eoin Marques, had rented the servers from an unnamed commercial hosting provider in France, and paid for them from a bank account in Las Vegas. It’s not clear how the FBI took over the servers in late July, but the bureau was temporarily thwarted when Marques somehow regained access and changed the passwords, briefly locking out the FBI until it gained back control.

The new details emerged in local press reports from a Thursday bail hearing in Dublin, Ireland, where Marques, 28, is fighting extradition to America on charges that Freedom Hosting facilitated child pornography on a massive scale. He was denied bail today for the second time since his arrest in July.

Freedom Hosting was a provider of turnkey “Tor hidden service” sites — special sites, with addresses ending in .onion, that hide their geographic location behind layers of routing, and can be reached only over the Tor anonymity network. Tor hidden services are used by sites that need to evade surveillance or protect users’ privacy to an extraordinary degree – including human rights groups and journalists. But they also appeal to serious criminal elements, child-pornography traders among them.

On August 4, all the sites hosted by Freedom Hosting — some with no connection to child porn — began serving an error message with hidden code embedded in the page. Security researchers dissected the code and found it exploited a security hole in Firefox to identify users of the Tor Browser Bundle, reporting back to a mysterious server in Northern Virginia. The FBI was the obvious suspect, but declined to comment on the incident. The FBI also didn’t respond to inquiries from WIRED today.

But FBI Supervisory Special Agent Brooke Donahue was more forthcoming when he appeared in the Irish court yesterday to bolster the case for keeping Marque behind bars, according to local press reports. Among the many arguments Donahue and an Irish police inspector offered was that Marques might reestablish contact with co-conspirators, and further complicate the FBI probe. In addition to the wrestling match over Freedom Hosting’s servers, Marques allegedly dove for his laptop when the police raided him, in an effort to shut it down.

Donahue also said Marque had been researching the possibility of moving his hosting, and his residence, to Russia. “My suspicion is he was trying to look for a place to reside to make it the most difficult to be extradited to the U.S.,” said Donahue, according to the Irish Independent.

Freedom Hosting has long been notorious for allowing child porn to live on its servers. In 2011, the hactivist collective Anonymous singled out the service for denial-of-service attacks after allegedly finding the firm hosted 95 percent of the child porn hidden services on the Tor network. In the hearing yesterday, Donahue said the service hosted at least 100 child porn sites with thousands of users, and claimed Marques had visited some of the sites himself.

Reached by phone, Marques’ lawyer declined to comment on the case. Marques faces federal charges in Maryland, where the FBI’s child-exploitation unit is based, in a case that is still under seal.

The apparent FBI-malware attack was first noticed on August 4, when all of the hidden service sites hosted by Freedom Hosting began displaying a “Down for Maintenance” message. That included at least some lawful websites, such as the secure email provider TorMail.

Some visitors looking at the source code of the maintenance page realized that it included a hidden iframe tag that loaded a mysterious clump of Javascript code from a Verizon Business internet address. By midday, the code was being circulated and dissected all over the net. Mozilla confirmed the code exploited a critical memory management vulnerability in Firefox that was publicly reported on June 25, and is fixed in the latest version of the browser.

Though many older revisions of Firefox were vulnerable to that bug, the malware only targeted Firefox 17 ESR, the version of Firefox that forms the basis of the Tor Browser Bundle – the easiest, most user-friendly package for using the Tor anonymity network. That made it clear early on that the attack was focused specifically on de-anonymizing Tor users.

Tor Browser Bundle users who installed or manually updated after June 26 were safe from the exploit, according to the Tor Project’s security advisory on the hack.



Perhaps the strongest evidence that the attack was a law enforcement or intelligence operation was the limited functionality of the malware.

The heart of the malicious Javascript was a tiny Windows executable hidden in a variable named “Magneto.” A traditional virus would use that executable to download and install a full-featured backdoor, so the hacker could come in later and steal passwords, enlist the computer in a DDoS botnet, and generally do all the other nasty things that happen to a hacked Windows box.

But the Magneto code didn’t download anything. It looked up the victim’s MAC address — a unique hardware identifier for the computer’s network or Wi-Fi card — and the victim’s Windows hostname. Then it sent it to a server in Northern Virginia server, bypassing Tor, to expose the user’s real IP address, coding the transmission as a standard HTTP web request.

“The attackers spent a reasonable amount of time writing a reliable exploit, and a fairly customized payload, and it doesn’t allow them to download a backdoor or conduct any secondary activity,” said Vlad Tsyrklevich, who reverse-engineered the Magneto code, at the time.

The malware also sent a serial number that likely ties the target to his or her visit to the hacked Freedom Hosting-hosted website.

The official IP allocation records maintained by the American Registry for Internet Numbers show the two Magneto-related IP addresses were part of a ghost block of eight addresses that have no organization listed. Those addresses trace no further than the Verizon Business data center in Ashburn, Virginia, 20 miles northwest of the Capital Beltway.

The code’s behavior, and the command-and-control server’s Virginia placement, is also consistent with what’s known about the FBI’s “computer and internet protocol address verifier,” or CIPAV, the law enforcement spyware first reported by WIRED in 2007.

Court documents and FBI files released under the FOIA have described the CIPAV as software the FBI can deliver through a browser exploit to gather information from the target’s machine and send it to an FBI server in Virginia. The FBI has been using the CIPAV since 2002 against hackers, online sexual predators, extortionists, and others, primarily to identify suspects who are disguising their location using proxy servers or anonymity services, like Tor.

Prior to the Freedom Hosting attack, the code had been used sparingly, which kept it from leaking out and being analyzed.

No date has been set for Marques’ extradition hearings, but it’s not expected to happen until next year.

Link to article
Stan.Dupp's Avatar
We now know the US Government:

Had James Clapper lie under oath to us - on camera - to Congress to hide the domestic spying programs Occured in March, revealed in June.

Warrantlessly accesses records of every phone call that routes through the US thousands of times a day JuneSeptember

Steals your private data from every major web company (Facebook, Google, Apple, Microsoft, et al) via PRISMJune and pays them millions for it August

Pays major US telecommunications providers (AT&T, Verizon, et al) between $278,000,000-$394,000,000 annually to provide secret access to all US fiber and cellular networks (in violation of the 4th amendment). August

Intentionally weakened the encryption standards we rely on, put backdoors into critical software, and break the crypto on our private communications September

NSA employees use these powers to spy on their US citizen lovers via LOVEINT, and only get caught if they self-confess. Though this is a felony, none were ever been charged with a crime. August

Lied to us again just ten days ago, claiming they never perform economic espionage (whoops!) before a new leak revealed that they do all the time. September

Made over fifteen thousand false certifications to the secret FISA court, leading a judge to rule they "frequently and systemically violated" court orders in a manner "directly contrary to the sworn attestations of several executive branch officials," that 90% of their searches were unlawful, and that they "repeatedly misled the court." September September

Has programs that collect data on US Supreme Court Justices and elected officials, and they secretly provide it to Israel regulated only by an honor system. September

Compromises web hosting companies and subverts their sites to serve malware that infects visitors to geolocate their PCs. (This story)

And our government spends $75,000,000,000.00 of your tax money each year to do this spying to you. I'm not putting up with this any longer.

Congress just got back into session: call your Congressmen once a day until these programs end. I am, and they encourage it, because it gives them a platform to fight on. Find yours HERE, save it to your phone, and make it a 30 second call... just give your information and tell them they need to vote to end these programs immediately so they can report your opposition and the passion of your opposition (the daily call) in their metrics.

We just prevented a war in Syria by calling Congress: calling works. We can win again here. 6% of the US population reads the front page of Reddit, and 2014 is an election year. 30 seconds, once a day. Just call: you will end these policies.

----------------------

Above posted by reddit friend: spheroida