Malware used to identify Tor users contacted an IP address owned by US government agency, researchers claim
Researchers claim that malware responsible for bringing down Freedom Hosting, the biggest service provider on the anonymous Tor network, was hard-coded to send information to the NSA.
Experts said that malware remained on the servers after the arrest, and could have attempted to identify other Tor users. Now, Baneki Privacy Labs and Cryptocloud claimed it was designed to be controlled from an IP address that seemingly belongs to the NSA.
Tor is a free encrypted network that conceals a user’s location or Internet use from anyone conducting network surveillance or traffic analysis. It hosts a variety of content from news and secure communication services to things like The Hidden Wiki, a collection of illegal instructions and manuals.
Freedom Hosting is one of the largest and most known Tor service providers. Over the years, it has been linked to all manner of criminal activity, including websites dedicated to child abuse and the infamous Silk Road, an online illegal drug marketplace.
Marques, a 28-year-old Dublin resident with no previous convictions, has been described by the FBI as “the largest facilitator of child porn on the planet”.
Security researcher Vlad Tsyrklevich suggested that since this payload does not download or execute any secondary backdoors or commands, it is likely to be operated by law enforcement agencies and not hackers.
Baneki Privacy Labs and Cryptocloud have analysed the malware, and they have come to the conclusion that it was used to collect information and send it to a single IP address (188.8.131.52). This address is part of a block owned by Science Applications International Corporation (SAIC), a US defence contractor.
“SAIC is, needless to say, deep in the core of the cyber-military complex… and certainly not the FBI,” writes Cryptocloud team.
Further investigation of the DNS records by Baneki has suggested the address in question is part of IP space directly allocated to the NSA’s Autonomous Systems.
It’s not clear just how much information the malware managed to send home, or whether this information is completely accurate, but the danger of being identified is sure to make some Tor users nervous. “Tor Browser Bundle users should ensure they’re running a recent enough bundle version, and consider taking further security precautions,” says an updated advisory from the Tor project, issued on Monday.
What do you know about whistleblowers and their tech? Take our quiz!