On Sunday, malicious software, known as malware, was identified on several sites hosted by Freedom Hosting, which provides consumers the ability to run hidden services, designed to protect their creators from being identified. While these are used for legitimate reasons, many hidden services are used for criminal purposes as well. Freedom Hosting is known to host the fraud and hacking board HackBB. In 2011, Freedom Hosting was targeted for a distributed-denial-of-service attack by Anonymous for hosting some of the most notorious child pornography sites online.
The company became widely known for having a very “hands off” approach — while they warned against doing anything illegal, their terms clearly indicated their position should a customer do anything illegal: “if you choose to do so anyway, we’re not responsible for your actions.”
“The vulnerability [in Firefox, on which the Tor browser is based] allows arbitrary code execution, so an attacker could in principle take over the victim’s computer,” the Tor Project advisory read. “However, the observed version of the attack appears to collect the hostname and MAC address of the victim computer, send that to a remote webserver over a non-Tor connection, and then crash or exit. The attack appears to have been injected into (or by) various Tor hidden services, and it’s reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services. We don’t currently believe that the attack modifies anything on the victim computer.”
Last week, the U.S. Federal Bureau of Investigation arrested 28-year-old Eric Eoin Marques, the owner and operator of Freedom Hosting, for his role in hosting and facilitating child pornography. According to Motherboard, “shortly after Marques’s arrest, around half of Freedom Hosting’s hidden services reportedly experienced malware attacks, and some went down.”
Though this is a victory over child pornography, the repercussions extend far beyond it. Of the sites affected, many had nothing to do with sexual or suggestive images of minors. Wired reports that TorMail, the secure e-mail provider, was among the affected sites. Kevin Poulsen writes:
Tor hidden services are ideal for websites that need to evade surveillance or protect users’ privacy to an extraordinary degree — which can include human rights groups and journalists. But it also naturally appeals to serious criminal elements.
The inevitable conclusion is that the malware is designed specifically to attack the Tor browser. The strongest clue that the culprit is the FBI, beyond the circumstantial timing of Marques’ arrest, is that the malware does nothing but identify the target. The malware also sends, at the same time, a serial number that likely ties the target to his or her visit to the hacked Freedom Hosting-hosted website.
In short, [the malware] reads like the x86 machine code embodiment of a carefully crafted court order authorizing an agency to blindly trespass into the personal computers of a large number of people, but for the limited purpose of identifying them.
As for Windows — “switching away from Windows is probably a good security move for many reasons.” Gizmodo has a guide on how to continue using Tor safely on a Windows machine.
Header image by Aleksandar Cocek.