A bunch of Tor sites spread malware. Was the FBI behind it?

Washington Post ^ | 8-5-2013

[markomalley]

Tor users visiting secret sites hosted by Freedom Hosting early Sunday morning weren’t able to reach their desired destinations. Instead they were met with a “Down for Maintenance” notice and, if they had javascript enabled, malware that could effectively identify Tor users. The Internet is wild with speculation that malware was planted by the FBI. And that isn’t as paranoid as you might think.

Eric Eoin Marques, the man believed to be behind Freedom Hosting, was arrested in Ireland Thursday and is currently awaiting extradition to the U.S. on child pornography charges. While Freedom Hosting was the largest hosting service for secret .onion sites and used for things like the secret e-mail service TorMail, it was also infamous for hosting sites that included depictions of the rape and torture of pre-pubescent children. Taking down the hosting service may have removed some half of the hidden sites accessible through the Tor network.

A lot of people know that you can use Tor to browse the Internet anonymously. This works by routing traffic through several randomly-selected computers in the Tor networks. Web site operators can use the same technique to hide the location of their servers. This can be for illicit purposes like child pornography or dealing drugs. However, Tor’s “hidden service” capability can also be a boon to political activists, whistleblowers, and journalists who want to publish anonymously.

[markomalley]

Also see this Wired article (cannot be posted to FR), Feds Are Suspects in New Malware That Attacks Tor Anonymity.

I personally use TOR through FF 21 over Ubuntu 12.04 LTS for my day to day browsing and I haven't seen this come up (course I don't go to the types of sites being targeted either). This could just be some government agitprop, but in case it's not, be aware.

[Monty22002]

The torbrowser bundle seems to be the best, it’s a stripped down firefox package. No cookies or scripting allowed, so it’s not something you can really use all the time imo.

Anyway, they’ll infiltrate anything they can and I’m sure they are all over TOR.

[Monty22002]

Oh, after I read the article, the torbrowser package is the target. lol.. So much for even that.

[Sergio]

tech bookmark

[Monty22002]

Posted today:

Posted August 5th, 2013 by arma
in security,
tbb,
tor browser

An attack that exploits a Firefox vulnerability in JavaScript has been observed in the wild. Specifically, Windows users using the Tor Browser Bundle (which includes Firefox plus privacy patches) appear to have been targeted.

This vulnerability was fixed in Firefox 17.0.7 ESR. The following versions of the Tor Browser Bundle include this fixed version:
•2.3.25-10 (released June 26 2013)
•2.4.15-alpha-1 (released June 26 2013)
•2.4.15-beta-1 (released July 8 2013)
•3.0alpha2 (released June 30 2013)

Tor Browser Bundle users should ensure they’re running a recent enough bundle version, and consider taking further security precautions.

[jacquej]

Wondering why Wired is on the “no posting” list?

It is getting hard to keep up.

[MeganC]

I highly recommend that everyone block the IP range that hosts the target address of the malware:

65.222.202.53

[DManA]

Did you see this?

13:50Tor Browser Bundle users who installed or manually updated after June 26 are safe from the exploit, according to the Tor Project’s new security advisory on the hack.

[Monty22002]

The government is surely working on the latest version as well. They’re always going to be a few steps ahead.

[Dr. Bogus Pachysandra]

Two of my guitar sites were down on Sunday too. They use the same server. But they always do maintenance ops on Sundays, so no connection to this, I’m sure.

[rarestia]

The Feds do NOT like it when free people use their resources against them. We’re seeing it more and more as of late. With the NSA outed and more likely to come, you can bet your bottom dollar that the government is frantically trying to close any “holes” they deem as problematic. That includes TOR.

[dadgum]

I was port scanned last night by 64.214.103.254...

OrgName: Level 3 Communications, Inc.
OrgId: LVLT
Address: 1025 Eldorado Blvd.
City: Broomfield
StateProv: CO
PostalCode: 80021
Country: US
RegDate: 1998-05-22
Updated: 2012-01-30
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Ref: http://whois.arin.net/rest/org/LVLT

Per Wikipedia: “In July 2013 Level 3 was accused of wiretapping large parts of data on the German Internet Exchange Point DE-CIX for the NSA”

[Windflier]

Wondering why Wired is on the “no posting” list?

I've always assumed it's because they're a bunch of liberals who hate our guts, and who've complained about us posting excerpts of their articles on this site.

Shame, because there are occasionally some very good articles on their site.

[Windflier]

I highly recommend that everyone block the IP range that hosts the target address of the malware: 65.222.202.53

How does one go about doing that?

[MeganC]

In IE you go to your Internet Settings > Security and add it to the restricted sites list.

[Windflier]

In IE you go to your Internet Settings > Security and add it to the restricted sites list.

I use Firefox. Looking through the 'tools' area, I can't find where or how to block certain sites.

Any suggestions?

[dadgum]

Inbound/Outbound filter on your router.

[MeganC]

Sorry, no.

[familyop]

"But the malware only targeted the version of Firefox that is part of the Tor Browser Bundle.

The malware looked up users’ MAC addresses and Windows hostnames, then relayed it to a server in Virginia outside of the Tor network — revealing the users’ real IP addresses."

Looks like a social engineering attack devised to moove the Windoze herd away from private browsing.

[familyop]

"Some reverse engineers looking at the code over the weekend argued that it was “likely” operated by a law enforcement agency because the malware doesn’t do anything other than identify users."