A rather amazing story has bubbled up over the last week after half of the onion sites in the TOR
network were compromised, revealing the supposedly anonymous identities of Tor users. Malware popped up last Sunday morning on numerous sites hosted by anonymous hosting operation Freedom Hosting, the code exploiting a critical memory management vulnerability in Firefox (see the Tor security advisory). The code fools Tor users into sending identifying info to an IP address in Reston, Virginia.
While that's interesting in and of itself, what's more interesting is who many think are responsible for the malware. TOR was originally designed to fight government and corporate censorship, though it has of course been abused for other purposes -- including the distribution of child pornography and drug sales through sites like Silk Road.
The malware being dumped on Freedom Hosting servers arrived just after Freedom Hosting founder Eric Eoin Marques was arrested in Ireland on charges of distributing child pornography. He's currently awaiting extradition to the United States, but in the interim the malware has continued sending user info to the aforementioned IP address in Virginia.
While I've seen several reports claiming that the IP address in question belongs to the NSA, Wired seems to have the most solid reporting I've seen on the subject, noting that the address belongs to contractor Science Applications International Corporation, which is likely working on the FBI's computer and internet protocol address verifier (CIPAV) spyware initiative:
"It just sends identifying information to some IP in Reston, Virginia," says reverse-engineer Vlad Tsyrklevich. "It's pretty clear that it's FBI or it's some other law enforcement agency that's U.S.-based." If Tsyrklevich and other researchers are right, the code is likely the first sample captured in the wild of the FBI's "computer and internet protocol address verifier," or CIPAV, the law enforcement spyware first reported by WIRED in 2007.