Researchers say Tor-targeted malware phoned home to NSA

Discussion in 'Tech news' started by guardian, Aug 8, 2013.

  1. guardian

    guardian Administrator Staff Member

    JavaScript attack had a hard-coded IP address that traced back to NSA address block.


    The researchers at Baneki and Cryptocloud have heavily revised their findings, backing off claims of an explicit connection between the IP addresses associated with malware that attacked Tor browser users and the National Security Agency. They still maintain that there is a high likelihood of a connection, but admit their read of the data that led to the conclusions does not match up with the analysis of others who looked at the data sources later.

    Malware planted on the servers of Freedom Hosting—the "hidden service" hosting provider on the Tor anonymized network brought down late last week—may have de-anonymized visitors to the sites running on that service. This issue could send identifying information about site visitors to an Internet Protocol address that was hard-coded into the script the malware injected into browsers. And it appears the IP address in question belongs to the National Security Agency (NSA).

    This revelation comes from analysis done collaboratively by Baneki Privacy Labs, a collective of Internet security researchers, and VPN provider Cryptocloud. When the IP address was uncovered in the JavaScript exploit—which specifically targets Firefox Long-Term Support version 17, the version included in Tor Browser Bundle—a source at Baneki told Ars that he and others reached out to the malware and security community to help identify the source.

    The exploit attacked a vulnerability in the Windows version of the Firefox Extended Support Release 17 browser—the one used previously in the Tor Project's Tor Browser Bundle (TBB). That vulnerability had been patched by Mozilla in June, and the updated browser is now part of TBB. But the TBB configuration of Firefox doesn't include automatic security updates, so users of the bundle would not have been protected if they had not recently upgraded.

    Initial investigations traced the address to defense contractor SAIC, which provides a wide range of information technology and C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance) support to the Department of Defense. The geolocation of the IP address corresponds to an SAIC facility in Arlington, Virginia.

    Further analysis using a DNS record tool from Robtex found that the address was actually part of several blocks of IP addresses allocated by SAIC to the NSA. This immediately spooked the researchers.

    "One researcher contacted us and said, 'Here's the Robtex info. Forget that you heard it from me,'" said a member of Baneki who requested he not be identified.

    The use of a hard-coded IP address traceable back to the NSA is either a strange and epic screw-up on the part of someone associated with the agency (possibly a contractor at SAIC) or an intentional calling card as some analyzing the attack have suggested. One poster on Cryptocloud's discussion board wrote, "It's psyops—a fear campaign... They want to scare folks off Tor, scare folks off all privacy services."


    The government wouldn’t do something like that, would they? Nooo, surely not. I must have misread :S