Security experts have accused US law enforcement of taking advantage of a flaw in the Firefox Internet browser then exploiting it to identify and potentially monitor subscribers to Tor, which shields an individual's online activity from privacy threats.

A piece of malicious software was launched Sunday morning and appeared to target Firefox users who use a Tor add-on that allows them to browse the Internet without putting their location, communication, and other activities at risk. The malware was also reported on multiple websites affiliated with Freedom Hosting, a web-hosting company favored by customers who wish to remain anonymous.

The exact origin of the malware attack remains unknown, although the Federal Bureau of Investigation and the National Security Agency are among the chief suspects. When the malware was analyzed, its source was identified as a Virginia server belonging to SAIC, a contractor known to work with multiple government agencies, according to TechDirt.

“It just sends identifying information to some IP in Reston, Virginia,” reverse-engineer Vlad Tsyrklevich told Wired. “It’s pretty clear that it’s the FBI or it’s some other law enforcement agency that’s US-based.”

Users who visited Freedom Hosting’s websites while cloaked by the Tor Browsing Bundle were targeted for identification, possibly because of Freedom Hosting’s known willingness to look the other way when nefarious activity sprouted on company-protected networks.

The malware and site outages come just days after the arrest of Eric Eoin Marques in Ireland. The 28-year-old is expected to be extradited from Dublin to Washington DC after the FBI claims he used Freedom Hosting to become “the largest facilitator of child porn on the planet.” Marques is alleged to be behind Freedom Hosting, which first made headlines in 2011 when the Anonymous hacker collective launched a distributed-denial-of-service (DDoS) attack against sites depicting child porn.



Tor – an acronym for “The Onion Router” – was quick to distance itself from Freedom Hosting after Marques’ arrest, issuing a statement on its official blog saying “the persons who run Freedom Hosting are in no way affiliated or connected to the Tor Project Inc, the organizations coordinating the development of the Tor software and research.”

“Anyone can run hidden services, and many do,” the statement read. “Organizations run hidden services to protect dissidents, activists, and protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse recovery.”

The Tor blog post went on to warn that, while the script was a threat to Firefox users, the malware only targeted users with an old version of the browser.

“The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We’re investigating these bugs and will fix them if we can.”

While the FBI reportedly sought Marques for more than a year, the Bureau is known to have drastically increased its use of malware in recent years. Agents first began using a computer and Internet protocol address verifier, known as CIPAV, in 2007 to infiltrate a suspect’s computer, capture the data, and send that information back to FBI servers in Virginia.

Seven years ago Wired reported that CIPAV gathered information including “the computer's IP address; MAC address; open ports; a list of running programs; the operating system type, version and serial number; preferred internet browser and version; the computer's registered owner and registered company name; the current logged-in user name and the last-visited URL.”

Since then, the FBI has hired former hackers to monitor users’ key-logs, even capable of turning on a mobile phone’s microphone from Virginia. They have also requested court permission to override an individual’s phone or computer camera in order to snap pictures of a suspect. Judges have consistently denied such requests by citing the possibility innocent people would be snared in an all-encompassing dragnet, a situation with an eerie similarity to what could happen on anonymous Tor networks.



