It is no secret that the Tor network is a problem for law enforcement investigators and for government entities that need to track users of the popular anonymizing network. Last year the FBI dismantled the Tor hosting service Freedom Hosting in a large-scale child pornography investigation. The FBI used malicious code that exploited a zero-day in Firefox 17 to track Tor users. The malware implanted a tracking cookie and fingerprinted suspects through a specific external server. The exploit was delivered as JavaScript carrying a tiny Windows executable hidden in a variable dubbed “Magneto”. The Magneto code looks up the victim’s Windows hostname and MAC address and sends them back to an FBI server in Virginia, exposing the victim’s real IP address. The script sends the data with a standard HTTP request made outside the Tor network.
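The de-anonymizing signal in the Magneto scheme is the direct HTTP request that leaves the host without passing through Tor. As an added, defender-side illustration (not code from the article or from any of the parties it describes), the following script scans a constructed host-level connection log and flags any browser process that opens a socket to something other than the local Tor SOCKS listener. The log format, the process names and the assumption that Tor Browser's bundled Tor listens on 127.0.0.1:9150 are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Assumption: the bundled Tor exposes its SOCKS listener here, so every
# browser connection that is doing the right thing goes to this endpoint.
TOR_SOCKS = ("127.0.0.1", 9150)
BROWSER_PROCESSES = {"firefox", "firefox.exe"}


@dataclass(frozen=True)
class Conn:
    ts: str
    process: str
    dst_ip: str
    dst_port: int


def parse_line(line: str) -> Conn:
    """Parse one constructed record: '<timestamp> <process> <dst_ip>:<dst_port>'."""
    ts, process, endpoint = line.split()
    ip, port = endpoint.rsplit(":", 1)
    return Conn(ts, process, ip, int(port))


def is_proxy_bypass(conn: Conn) -> bool:
    """True when a browser process opens a socket that is neither the Tor SOCKS
    port nor another loopback helper: such traffic leaves the host outside Tor
    and carries the machine's real source IP address."""
    if conn.process.lower() not in BROWSER_PROCESSES:
        return False
    if (conn.dst_ip, conn.dst_port) == TOR_SOCKS:
        return False
    if ip_address(conn.dst_ip).is_loopback:
        return False
    return True


def find_bypasses(lines):
    """Return every connection record that bypasses the Tor proxy."""
    return [c for c in map(parse_line, lines) if is_proxy_bypass(c)]


# Constructed sample log: one legitimate proxied browser connection, the Tor
# daemon itself talking to a relay, one direct browser egress, and an unrelated
# system process. Addresses are from documentation ranges.
SAMPLE_LOG = [
    "2014-08-05T10:00:01Z firefox.exe 127.0.0.1:9150",
    "2014-08-05T10:00:02Z tor.exe 198.51.100.7:9001",
    "2014-08-05T10:00:03Z firefox.exe 203.0.113.45:80",
    "2014-08-05T10:00:04Z svchost.exe 203.0.113.9:443",
]

if __name__ == "__main__":
    for c in find_bypasses(SAMPLE_LOG):
        print(f"ALERT {c.ts}: {c.process} connected directly to {c.dst_ip}:{c.dst_port}")
```

Only the third record is reported: the browser reached a public address directly rather than through the SOCKS listener. The same check can be enforced rather than just detected by a host firewall rule that permits the browser process to talk only to the Tor listener, which is the mitigation that makes this class of leak fail closed.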
A few days ago, the Tor Project revealed that an unknown entity had operated a series of relays to conduct a traffic confirmation attack against the Tor network and de-anonymize its users.
“The security advisory explains that bad actors were leveraging a critical flaw in Tor to modify protocol headers in order to perform a traffic confirmation attack and inject a special code into the protocol header used by attackers to compare certain metrics from relays to de-anonymize users. The advisory reports that 115 malicious fast non-exit relays (6.4% of the whole Tor network) were involved in the attack; the servers were actively monitoring the relays on both ends of a Tor circuit in an effort to de-anonymize users.” I reported on the attack in a previous post.
A new report by Wired suggests that FBI agents are using malware to identify Tor users by infecting their machines; the law enforcement agency appears to be infecting computers as part of a large-scale campaign dubbed Operation Torpedo. The tactic adopted by the FBI is as simple as it is dangerous: the Bureau compromised high-traffic websites and used them to deliver the malicious code that tracks Tor users, an infection technique known as a “drive-by download”. A court case has revealed that the FBI used the tactic to track computers accessing the Tor network. It is difficult to verify whether innocent Tor users were also infected by the Operation Torpedo campaign, but security experts are sure that the FBI and other agencies will continue to infect systems with drive-by download exploits.
“Security experts call it a “drive-by download”: a hacker infiltrates a high-traffic website and then subverts it to deliver malware to every single visitor. It’s one of the most powerful tools in the black hat arsenal, capable of delivering thousands of fresh victims into a hackers’ clutches within minutes,” Wired reports.
“You could easily imagine them using this same technology on everyone who visits a jihadi forum, for example. And there are lots of legitimate reasons for someone to visit a jihadi forum: research, journalism, lawyers defending a case. ACLU attorneys read Inspire Magazine, not because we are particularly interested in the material, but we need to cite stuff in briefs,” said Chris Soghoian, principal technologist with the American Civil Liberties Union.
“A federal magistrate signed three separate search warrants: one for each of the three hidden services. The warrants authorized the FBI to modify the code on the servers to deliver the NIT to any computers that accessed the sites. The judge also allowed the FBI to delay notification to the targets for 30 days.”
(Security Affairs – malware, FBI)