Researchers: malware aimed at unmasking Tor users sent data to IP address belonging to NSA or FBI

image credit:
screenshot from Robtex
click to enlarge

Madison Ruppert
Activist Post

Malware aimed at uncovering the anonymous identities of Tor users reportedly sent information to an IP address that belongs to the National Security Agency (NSA), routed through Science Applications International Corporation (SAIC).

Tor, an anonymity network originally short for The Onion Router, was developed with contributions from individuals who worked for the Navy and the NSA. This latest revelation comes as the NSA is under increasingly intense scrutiny around the world for their data harvesting activities.

It also comes on the heels of a report stating that the FBI regularly employs hackers to develop malware and an earlier report which stated that the US government is the world’s largest buyer of malware.

The NSA link was uncovered by researchers from Baneki Privacy Labs, a group of Internet security researchers, along with Cryptocloud, a VPN provider.

The IP address, hardcoded into the JavaScript exploit, was discovered by Cryptocloud but a Baneki source told Ars Technica that they reached out to other researchers in the malware and security community to identify the source.

The exploit specifically targeted FireFox Extended Support Release 17 for Windows, the same browser that was released as a part of the Tor Project’s Tor Browser Bundle.

The vulnerability exploited was patched by Mozilla in June of this year and the patched version is part of the new Browser Bundle.

However, Ars points out that, “the TBB configuration of Firefox doesn’t include automatic security updates, so users of the bundle would not have been protected if they had not recently upgraded.”

Early investigations traced the IP address back to SAIC, which incidentally provides support to the Department of Defense in the areas of information technology and Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance (C4ISR).

The IP address was specifically tracked to the SAIC facility in Arlington, Virginia, though further analysis turned up that it went beyond the defense contractor.

Research using Robtex, a DNS record tool, found that the IP address was part of one of many blocks of IP addresses which have been permanently assigned to the NSA.

Ars Technica points out that this discovery is one of two things: a laughable mistake by someone working for either the NSA or SAIC, or “an intentional calling card as some analyzing the attack have suggested.”

An individual posting on Cryptocloud’s discussion forum speculated, “It’s psyops—a fear campaign… They want to scare folks off Tor, scare folks off all privacy services.”

Kevil Poulsen, writing for Wired’s Threat Level, on the other hand, believes that “the FBI is the prime suspect.”

“It just sends identifying information to some IP in Reston, Virginia,” Vlad Tsrklevich, a reverse-engineer, said to Wired. “It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based.”

They note that if Tsrklevich and others are correct, it could be the FBI’s computer and internet protocol address verifier (CIPAV).

CIPAV is a piece of law enforcement spyware first covered by Wired back in 2007, though it has reportedly been in use since 2002.

SAIC has not responded to attempts by Wired to get a comment on the story, and Poulsen notes that SAIC is a contractor for the FBI.

The discovery of the exploit came soon after the FBI reportedly sought to extradite Eric Eoin Marques, 28-year-old founder of Freedom Host, on child pornography charges.

It also came after individuals involved with the Tor Project reported the disappearance of numerous so-called “hidden service addresses” that were used by Freedom Hosting.

“The confluence of the three events has prompted speculation that the de-anonymizing exploit is the work of the FBI or another organized group targeting child pornographers,” Ars Technica reports.

“Because this payload does not download or execute any secondary backdoor or commands it’s very likely that this is being operated by an LEA [law-enforcement agent] and not by blackhats,” Tsrklevich wrote, according to Ars.

It seems that the evidence indicating that the IP address is linked to the NSA is quite strong, though if that is the case, they almost certainly provided information to the FBI in relation to the Marques case mentioned above.

More information on this story will be added as it becomes available.

I’d love to hear your opinion, take a look at your story tips and even your original writing if you would like to get it published. I am also available for interviews on radio, television or any other format. Please email me at [email protected]

Please support our work and help us start to pay contributors by doing your shopping through our Amazon link or check out some must-have products at our store.

This article first appeared at End the Lie.

Madison Ruppert is the Editor and Owner-Operator of the alternative news and analysis database End The Lie and has no affiliation with any NGO, political party, economic school, or other organization/cause. He is available for podcast and radio interviews. Madison also now has his own radio show on UCYTV Monday nights 7 PM – 9 PM PT/10 PM – 12 AM ET. Show page link here: http://UCY.TV/EndtheLie. If you have questions, comments, or corrections feel free to contact him at [email protected]

var linkwithin_site_id = 557381;

linkwithin_text=’Related Articles:’


Activist Post Daily Newsletter

Subscription is FREE and CONFIDENTIAL
Free Report: How To Survive The Job Automation Apocalypse with subscription

Be the first to comment on "Researchers: malware aimed at unmasking Tor users sent data to IP address belonging to NSA or FBI"

Leave a comment