A newly unsealed FBI search warrant application illustrates yet another example of how the government deploys malware and uses sophisticated exploits in an attempt to bust up child pornography rings.

The 28-page FBI affidavit (text-only, possibly NSFW) was unsealed in a federal court in Brooklyn, New York earlier this month. It describes a North Carolina server hosting a Tor hidden service site. The setup was seized in February 2015, but law enforcement allowed it to run for two additional weeks as a way to monitor its nearly 215,000 users.

Currently, at least three men—Peter Ferrell, Alex Schreiber, and James Paroline—have been charged in connection with this site.

Ferrell, username "plowden23," is the target of the search warrant affidavit. Schreiber, 66, of Queens, was a former New York City schoolteacher. The two New York men have been released on bond.

Paroline remains in federal custody without bail in New Jersey. The criminal complaint against him states that "during an interview with law enforcement officers, defendant PAROLINE admitted" that while working at a nursery school and as a summer camp counselor in New Jersey, he "inappropriately touched minor children."

Lawyers for two of the suspects did not respond to Ars' request for comment.

Mia Isner-Grynberg, the federal public defender for Ferrell, told Ars: "Thanks for reaching out. I'm sorry, but I don't generally comment on pending cases."

Kelly Langmesser, an FBI spokeswoman, also declined to respond to specific questions. "Because this is an ongoing matter, we are not commenting on the case," she told Ars.

Legal warrant or not?

Legal experts told Ars that there are significant questions about precisely how the unnamed Tor site was breached, exactly how its "Network Investigative Tool" (or NIT, i.e., malware) works, how many of the users were outside of the judicial district, and if the seized server contained other non-criminal content.

"This is another example of the FBI obtaining a warrant that they are not yet authorized to obtain or execute based on the lack of technical expertise of the judiciary," Ahmed Ghappour, a law professor at the University of California, Hastings, told Ars. Ghappour pointed to a proposed change to Rule 41 that is currently working its way through the judicial system. He has written at length about this potential upcoming modification to Rule 41.

If the proposal is passed as currently drafted, federal authorities would gain an expanded ability to conduct "remote access" under a warrant against a target computer whose location is unknown or outside of a given judicial district. It would also apply in cases where that computer is part of a larger network of computers spread across multiple judicial districts. For now, in the United States, federal warrants are issued by judges who serve one of the 94 federal judicial districts and are typically only valid for that particular jurisdiction.

With the Tor-server effort, the affidavit does not clearly indicate how the malware was specifically deployed, nor if it was used against users outside of the Eastern District of New York.

"As you say, [the amendment to] Rule 41 has not yet been implemented, and so the variety of users on this website that were abroad to the extent that they were hacked as a result of the execution of this warrant, that would be in violation of the current venue restrictions of Rule 41," Ghappour added. "Even if someone from out of state was to have their computer searched as a result, that would be outside the bounds of the venue restriction of the current rule."

Hanni Fakhoury, a former federal public defender and current attorney with the Electronic Frontier Foundation, told Ars that there are no specific statutes or cases that currently deal with government-sanctioned malware deployed against criminal suspects.

"Rather, it would just be governed by the same principles and standards that would apply to other forms of electronic communications," Fakhoury told Ars. "So if law enforcement is using the malware to monitor electronic communications in real time, it would need a wiretap order to monitor. And if the malware needs to be installed on a specific computer, they would need to get a search warrant to do that (and that’s what it looks like they did here, at least according to paragraph 21 on page 11 of the affidavit). There are some really tricky technical questions about whether these warrants are ‘particular,’ specifically because many times the actual location of the computer is unknown."

“Website A”

The affidavit only refers to "Website A" and doesn’t refer to Tor by name, but anyone familiar with how Tor works would recognize its description.

"The court filings scrupulously avoid naming Tor (or mentioning hacking). Instead, they provide a detailed description of an anonymizing ‘Network’ and how a particular website was hidden in that ‘Network,’" Jonathan Mayer, a Stanford University legal scholar and current computer science doctoral candidate, told Ars. "There's only one software tool with the described popularity and with the described client and server functionality. That's Tor."

As FBI Special Agent John Robertson wrote:

Websites that are accessible only to users within the Network can be set up within the Network and Website A was one such website. Accordingly, Website A could not generally be accessed through the traditional Internet. Only a user who had installed the appropriate software on the user’s computer could access Website A. Even after connecting to the Network, however, a user had to know the exact web address of Website A in order to access it. Websites on the Network are not indexed in the same way as websites on the traditional Internet. Accordingly, unlike on the traditional Internet, a user could not simply perform a Google search for the name of Website A, obtain the web address for Website A, and click on a link to navigate to Website A. Rather, a user had to have obtained the web address for Website A directly from another source, such as other users of Website A, or from online postings describing both the sort of content available on Website A and its location.

The court filing provides extensive descriptions of both the types of child pornography available on Website A (Ars will not repeat those here) and the malware’s capabilities:

Pursuant to that authorization, on or about and between February 20, 2015, and March 4, 2015, each time any user or administrator logged into Website A by entering a username and password, the FBI was authorized to deploy the NIT which would send one or more communications to the user’s computer. Those communications were designed to cause the receiving computer to deliver to a computer known to or controlled by the government data that would help identify the computer, its location, other information about the computer, and the user of the computer accessing Website A. That data included: the computer’s actual IP address, and the date and time that the NIT determined what that IP address was; a unique identifier generated by the NIT (a series of numbers, letters, and/or special characters) to distinguish the data from that of other computers; the type of operating system running on the computer, including type (e.g., Windows), version (e.g., Windows 7), and architecture (e.g., x86); information about whether the NIT had already been delivered to the computer; the computer’s Host Name; the computer's active operating system username; and the computer’s MAC address.

Pulling back the curtain

Over the past few years, the FBI has used a number of tools to pull back the veil of privacy provided by Tor to identify suspected child pornography rings and other "darknet" markets. There are several possible ways in which first the server itself, and then its users, could have been exposed. It's possible that the server had been monitored for months before the FBI seized it and then ran it as a "honeypot" to track and identify the individuals connecting to it.

The FBI's NIT was used in previous child pornography investigations. It's cited in court papers for the case USA v Cottom et al, which is currently being tried in the US District Court for the District of Nebraska. A team of experts hired by the defense (Dr. Ashley Podhradsky, Dr. Matt Miller, and Josh Stroschein of Dakota State University) performed forensic analysis of the NIT, reverse-engineering the code. They found it used the same techniques as Rapid7's Metasploit "decloaking engine," a tool from the Metasploit project that in this case used the Flash plugin, rather than a code-execution bug, to extract identifying information from computers running an older, unpatched version of the Tor Browser Bundle. (Ironically, Metasploit's core developer for several years was also named Matt Miller; he now works at Microsoft.)

Although the NIT leveraged an exploit to extract identifying information from computers connecting to the Tor service, the defense experts wrote that they "do not consider the NIT to be 'hacking'" because the NIT "exploited a configuration setting that did not require offensive-based actions." The NIT bypassed Tor by creating a direct socket connection that eschews Tor's routing, in this particular case by using a Flash component. This functionality, the experts noted, was identical to Metasploit's decloaking code.

Tor only carries Transmission Control Protocol (TCP) streams that applications hand to its local SOCKS proxy; it does not handle other Internet protocols, and it cannot route traffic from a component that opens its own socket and ignores the browser's proxy settings. The NIT took advantage of this: the Flash component sent information about the system it ran on directly over the public Internet, both revealing the machine's real public IP address and tying that address to the website the NIT was served from. A "policy file" on the server hosting the exploit is checked by the exploit package "to see which type of method to use on the client side," the expert investigators wrote to the court. "The choices given in the NIT were Java, Javascript, or Flash. This allows the NIT to only connect via Flash when it is the 'best method' available."
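The rule the paragraph above describes can be checked from the client side: on a Tor Browser workstation, only the tor daemon should talk to remote hosts, every other process should reach nothing but the local SOCKS port over TCP, and any UDP from an application cannot have gone through Tor at all. The following audit is an added example written for this article; it is not code from the FBI, the Cottom defense experts, or the Tor Project. It assumes a local SOCKS listener at 127.0.0.1:9150 (a common Tor Browser default, but an assumption here), a constructed "process,proto,src,dst" record format from a host sensor, and made-up sample records in which "plugin-container" stands in for a browser plugin process.

```python
"""Audit a workstation's outbound connections for traffic that never entered Tor.

Added example for this article; not code from the FBI, the Cottom defense
experts, or the Tor Project. Assumes Tor Browser sends its traffic to a local
SOCKS proxy at 127.0.0.1:9150 (an assumption) and that a host sensor emits one
constructed "process,proto,src,dst" record per connection.
"""
from dataclasses import dataclass
import ipaddress

SOCKS_PROXY = ("127.0.0.1", 9150)  # assumed local Tor SOCKS listener
TOR_PROCESS = "tor"                # only this process may reach the open Internet


@dataclass(frozen=True)
class Conn:
    process: str
    proto: str      # "tcp" or "udp"
    src: str        # "ip:port"
    dst_ip: str
    dst_port: int


def parse_record(line: str) -> Conn:
    """Parse 'process,proto,src_ip:src_port,dst_ip:dst_port'."""
    process, proto, src, dst = (f.strip() for f in line.split(","))
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Conn(process, proto.lower(), src, dst_ip, int(dst_port))


def classify(conn: Conn):
    """Return None when the flow is consistent with Tor, else a leak label.

    Tor carries only TCP streams handed to its SOCKS port, so UDP from any
    application (DNS lookups, STUN, ...) goes out in the clear, and a direct
    TCP connection from a browser component is exactly the bypass the Flash
    socket in the decloaking code performs.
    """
    if conn.process == TOR_PROCESS:
        return None  # the daemon itself must reach its guard relay directly
    if conn.proto == "udp":
        return "udp-leak"
    if (conn.dst_ip, conn.dst_port) == SOCKS_PROXY:
        return None
    if ipaddress.ip_address(conn.dst_ip).is_loopback:
        return None  # other purely local traffic, e.g. the control port
    return "proxy-bypass"


def audit(lines):
    """Return (label, process, destination) for every record that leaks."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        conn = parse_record(line)
        label = classify(conn)
        if label is not None:
            findings.append((label, conn.process, f"{conn.dst_ip}:{conn.dst_port}"))
    return findings


# Constructed sensor output: 192.0.2.10 is the workstation, 192.0.2.1 its
# local DNS resolver, and 'plugin-container' stands in for a plugin process.
SAMPLE_RECORDS = """\
# process,proto,src,dst
firefox,tcp,192.0.2.10:51234,127.0.0.1:9150
tor,tcp,192.0.2.10:51240,198.51.100.7:443
plugin-container,tcp,192.0.2.10:51301,203.0.113.5:80
plugin-container,udp,192.0.2.10:51302,192.0.2.1:53
firefox,tcp,192.0.2.10:51303,127.0.0.1:9151
"""

if __name__ == "__main__":
    for label, process, dst in audit(SAMPLE_RECORDS.splitlines()):
        print(f"{label:13} {process:17} -> {dst}")
```

Run against the sample, the audit flags the plugin process twice: once for a direct TCP connection to a remote web server (the proxy bypass) and once for a UDP DNS query that Tor could never have carried. The decloaking engine measured the same thing from the other end: whichever socket actually reaches the server arrives with the client's real source address, so a server that can induce even one non-proxied connection learns the IP that Tor was supposed to hide.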

In a conversation with Ars about the most recent FBI affidavit, security researcher and former Tor developer Runa Sandvik said she believes that the same Metasploit-based NIT was used to unmask the 215,000 users of the site seized by the FBI. Alternatively, she said the FBI may have used a honeypot technique that feeds site visitors a link to a webpage outside of Tor, next using a variety of traffic analysis methods and information provided by the site users themselves to aid in identifying them. "The FBI could have used that type of method too and not relied on [JavaScript] or Flash," she noted.

To use any of these techniques to "uncloak" users, however, the FBI must first find and gain control over the server those users visit. At this point, it's clear that the FBI has found a number of ways to identify servers running Tor "hidden services." Last November, as part of Operation Onymous, FBI and Europol officials identified and seized at least 27 servers hosting over 400 Tor hidden services—including the Silk Road 2.0 marketplace. While court papers filed in the Silk Road 2.0 case claim that an undercover Homeland Security investigator managed to get hired as an "admin" for the marketplace, the FBI could have used other techniques to identify hosting services that might have servers running Tor sites.

In a blog post last November, former Tor Project Director Andrew Lewman noted that ten Tor "exit nodes"—the last stops for Tor traffic before leaving the anonymizing network—had been taken offline during Operation Onymous. He noted that it was possible that law enforcement was operating Tor network nodes in an effort to identify hidden services and users. Even narrowing down the location of services to a particular hosting service's network would allow law enforcement to approach the hosting company. At that point, all the feds need to do is ask the service which servers running within their data centers matched the traffic profile of Tor.