Malicious software has reportedly been spotted in the wild that exploits a Firefox security vulnerability to determine the identity of users accessing Web sites using anonymizing services such as Tor.
Tor (The Onion Router) software, installed on Web servers to provide anonymity, has been known to passively facilitate illegal behavior -- but some security researchers believe the FBI may have found a way around those security settings. The researchers have been looking at recent uses of the malware and have discovered that it sends information to an IP address in Reston, Va.
"It seems unlikely that the malware was written by criminals as the information it is sending back to its masters is of little use to anyone other than law enforcement agencies," Alan Woodward, chief technology officer at security advisory company Charteris, told the BBC.
Using Hacker Tactics
Security engineer Vlad Tsrklevich told ZDNet "it's pretty clear that it's the FBI or it's some other law enforcement agency that's U.S.-based." Although this assumption is based on the Reston server's location, the FBI has come under scrutiny for its cyber investigative practices for years.
A number of audits in the past decade have brought up questions regarding the legality of some of the FBI's tactics. In particular, an audit by the Department of Justice earlier this year revealed that many of the investigative cyber tools available to the FBI were being mismanaged and used for spying.
CIPAV (computer and Internet Protocol address verifier), a tool meant to analyze anonymous Web traffic, has allowed the FBI and other law enforcement agencies to gather information and then determine who was accessing specific Web sites. Although the tool has primarily been used against hackers, predators, and other criminal suspects, the American Civil Liberties Union and Electronic Frontier Foundation have raised concerns that CIPAV and other such technologies could be abused.
A number of tools that facilitate these investigative techniques reportedly have been sold to the FBI in the past couple of years. Companies such as HackingTeam SRL and Gamma International have not disclosed their customers, but it is suspected that they have worked with the FBI, according to former U.S. officials speaking with The Wall Street Journal.
Many hidden Web sites using Tor suddenly went offline over the weekend, according to one of Tor's administrators. The hosting provider behind these Web sites, Freedom Hosting, has been used by traffickers in child pornography.
The Web sites seem to be connected to an FBI case that resulted in the arrest of an Irish man whom the FBI has called "the largest facilitator of child porn on the planet."
The Onion Router quickly tried to distance itself from the case as much as possible and assured members of the press that the organization is not connected to Freedom Hosting.
Since this is the first time that researches have been able to see what appears to be the CIPAV code itself, anti-virus programs may be able to provide updates that block the code from infecting computers in the future.