The Tor Project has advised users of the anonymous browser to stop using Windows, in the wake of a malware attack which exploited a Firefox vulnerability in the Tor Browser Bundle.
It also warned users that it is “reasonable to conclude” that the unknown attacker has a list of vulnerable Tor users. The Tor Project issued the warning in a critical security announcement this week.
Tor said that the attack specifically targeted Windows users, and that it collects the hostname and MAC address of computers that visited various Tor “hidden services” and sends them to a remote web server.
“It’s reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services,” Tor said in its official post. “Consider switching to a “live system” approach like Tails. Really, switching away from Windows is probably a good security move for many reasons.”
“The vulnerability allows arbitrary code execution, so an attacker could in principle take over the victim’s computer. We don’t currently believe that the attack modifies anything on the victim computer,” Tor said.
Researchers and Tor users have claimed that the malware outbreak aims to expose the identities of Tor users, in particular users of child pornography.
The “smoking gun”, one researcher suggests, is that the malware – which infects users via Firefox, distributed as part of the Tor Browser Bundle – does not install a “backdoor” on users’ PCs. Instead, it sends their IP address and MAC address (which can be used to identify PC users) to an address in America.
The outbreak coincided with the reported disappearance of several sites connected to Freedom Hosting, a hosting firm widely reported to have connections to child pornography – and the recent arrest of 28-year-old Eric Eoin Marques, described as “the largest facilitator of child porn on the planet”, according to the Irish Examiner. Tor users have suggested that the two events are linked.
“This is an annotation and very brief analysis of the payload used by the Tor Browser Bundle exploit,” said security researcher Vlad Tsyrklevich in a blog post. “Briefly, this payload connects to 22.214.171.124:80 and sends it an HTTP request that includes the host name (via gethostname()) and the MAC address of the local host. After that it cleans up the state and appears to deliberately crash. Because this payload does not download or execute any secondary backdoor or commands it’s very likely that this is being operated by an LEA [Law Enforcement Agency] and not by blackhats.”
“It just sends identifying information to some IP in Reston, Virginia,” Tsyrklevich said in a report in Wired’s Threat Level blog. “It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based.”
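The beacon behaviour Tsyrklevich describes above (hostname plus MAC address in an HTTP request to a hard-coded IP on port 80, with no second-stage download) is something a defender can hunt for in proxy logs. The Python below is an added illustration, not code from the researcher, Tor or ESET; the log format and log lines are constructed, and the destination address is the one quoted in the post above.

```python
import re

# Constructed proxy log lines (not real traffic): "<src> -> <dst>:<port> <method> <url>"
SAMPLE_LOG = """\
10.0.0.5 -> 22.214.171.124:80 GET /?h=WORKSTATION-7&mac=00:1a:2b:3c:4d:5e
10.0.0.5 -> 93.184.216.34:443 GET https://example.com/index.html
10.0.0.9 -> 198.51.100.20:80 POST /upload?host=LAPTOP-3&id=aa-bb-cc-dd-ee-ff
10.0.0.9 -> 203.0.113.7:80 GET /news/today
"""

# Destination quoted in the researcher's analysis; treat it as an indicator, not proof.
KNOWN_DESTINATIONS = {"22.214.171.124"}

LINE_RE = re.compile(r"^(\S+) -> (\S+):(\d+) (\S+) (\S+)$")
MAC_RE = re.compile(r"\b[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}\b", re.IGNORECASE)
BARE_IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def classify(line):
    """Return the reasons a request looks like the beacon described, or [] if none."""
    m = LINE_RE.match(line)
    if not m:
        return []
    src, dst, port, method, url = m.groups()
    reasons = []
    if dst in KNOWN_DESTINATIONS:
        reasons.append("destination matches published indicator")
    # A MAC-address-shaped value travelling inside an HTTP request is unusual
    # for browsers and is the identifying datum the payload exfiltrates.
    mac_present = MAC_RE.search(url) is not None
    if mac_present:
        reasons.append("MAC address in request")
    # Hard-coded beacons talk to a bare IP on port 80 rather than a hostname.
    if mac_present and port == "80" and BARE_IP_RE.fullmatch(dst):
        reasons.append("MAC sent to bare IP over port 80")
    return reasons


def find_beacons(log_text):
    """Pair each suspicious log line with its reasons; benign lines are dropped."""
    hits = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in find_beacons(SAMPLE_LOG):
        print(line, "->", "; ".join(reasons))
```

Only lines that actually carry a MAC-address-shaped value or hit the quoted destination are flagged, so ordinary browsing to a bare IP does not fire on its own.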
ESET Senior Research Fellow David Harley says that the outbreak raises questions over how companies should deal with such “policeware”.
“We have no absolute proof that it’s FBI code,” Harley says. “They didn’t ask the AV community not to detect it (they may have asked some of the big players, but no-one has admitted it – Please Police Me), and many companies would probably have declined anyway. No-one wants the FBI not to pursue child abusers: in fact, we’ve frequently cooperated with police forces on forensic issues that are probably related to ‘the Trojan defence’ (SODDImy and the Trojan Defence) – but if we come across something like this, we simply can’t assume it’s being used legitimately, even if it was known to be policeware in origin. The online threatscape is far too complex and dynamic for that. Robert Lipovsky and I also looked at this issue with reference to German policeware.”
Author: Rob Waugh, WeLiveSecurity