On the same boundary of this subject, I wanted to mention how it can relate to all the CM testers out there... how this may affect you, and what can you do to foolproof or prevent such a malware attack from compromising you?
Please feel free to assert your comments, opinions, and objections about the FBI/NSA and their malware that is able to bypass anonymous network servers. Any of the security experts are very welcome to inform and advise anything about this for all of us concerned.
Original:
http://www.broadbandreports.com/shownews...ers-125839
Quote: FBI Admits Control of Malware-Spewing Tor Servers
by Karl Bode 02:35PM Tuesday Sep 17 2013
Last month a widespread malware attack on the Tor network used a Firefox exploit to send the personal data of Tor users to an IP address in Reston, Virginia. While it was already believed that this IP address belonged to an FBI subcontractor working on the FBI's "computer and internet protocol address verifier" (CIPAV) spyware initiative, a new Wired report confirms that the FBI in court has acknowledged they controlled the servers behind that attack on the Tor network.
While the FBI obviously will never specifically admit they then used those servers to launch a malware attack on Tor users, the fact they're behind the attack remains fairly obvious to security researchers:
"Perhaps the strongest evidence that the attack was a law enforcement or intelligence operation was the limited functionality of the malware.
The heart of the malicious Javascript was a tiny Windows executable hidden in a variable named “Magneto.” A traditional virus would use that executable to download and install a full-featured backdoor, so the hacker could come in later and steal passwords, enlist the computer in a DDoS botnet, and generally do all the other nasty things that happen to a hacked Windows box.
But the Magneto code didn’t download anything. It looked up the victim’s MAC address — a unique hardware identifier for the computer’s network or Wi-Fi card — and the victim’s Windows hostname. Then it sent it to a server in Northern Virginia, bypassing Tor, to expose the user’s real IP address, coding the transmission as a standard HTTP web request."
That malware attack was part of an FBI investigation into child pornography and Freedom Hosting -- but obviously impacted all Tor users, whether they were engaged in illegal activity or not.
=======================
MORE INFORMATION FOUND FROM...
Source:
http://thehackernews.com
Quote: “The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect users’ computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We’re investigating these bugs and will fix them if we can.” Andrew Lewman, Tor Project's Executive Director said in a blog post.
Mozilla says it has been notified of a potential security vulnerability in Firefox 17 (MFSA 2013-53), which is currently the extended support release (ESR) version of Firefox. The exploit code was posted by Mozilla, and the deobfuscated JS used by the Tor Browser exploit was posted on Google Code.
The malicious Javascript is a tiny Windows executable hidden in a variable named “Magneto”, but the Magneto code doesn’t download anything. It looks up the victim’s MAC address and the victim’s Windows hostname. Then it sends it to the Virginia server, outside of Tor, to expose the user’s real IP address, and coded as a standard HTTP web request.
Firefox Zero Day used by FBI to track down owner of Tor hidden services hosting
The FBI appears to have gained access to Freedom Hosting and injected malicious HTML code that checks the visitor’s browser to see if he is using Firefox 17. Some visitors looking at the source code of the maintenance page realized that it included a hidden iframe tag that loaded a mysterious clump of Javascript code from a Verizon Business internet address located in eastern Virginia.
Openwatch reported that the execution of malicious JavaScript inside the Tor Browser Bundle, perhaps the most commonly used Tor client, comes as a surprise to many users. Previously, the browser disabled JavaScript execution by default for security purposes; however, this change was recently reverted by developers in order to make the product more useful for average internet users. As a result, however, the applications have become vastly more vulnerable to attacks such as this.
The JavaScript code's payload was analyzed by reverse engineer and exploit developer Vlad Tsyrklevich, who reveals that it briefly connects to a server and sends the hostname and MAC address of the victim. "Briefly, this payload connects to 65.222.202.54:80 and sends it an HTTP request that includes the host name (via gethostname()) and the MAC address of the local host (via calling SendARP on gethostbyname()->h_addr_list). After that it cleans up the state and appears to deliberately crash."
Microsoft used to provide the US government with an early start on its security vulnerabilities, which was reportedly used to aid its cyber espionage programs. But it is unknown at this point whether Mozilla worked with the government in this case.
Of course, this shows how complacency can be a very bad thing, especially when it comes to security. It was an attempt to bring down child abuse images, but it could also mean a serious security breach for international activists and internet users living in repressive states who use the services to practice online free speech.
Be sure you're running a recent enough Tor Browser Bundle. That should keep you safe from this attack. Windows users are advised to update Tor Browser Bundle; versions 2.3.25-10 (released June 26 2013), 2.4.15-alpha-1 (released June 26 2013), 2.4.15-beta-1 (released July 8 2013) and 3.0alpha2 (released June 30 2013) include the fix. Consider disabling JavaScript (click the blue "S" beside the green onion, and select "Forbid Scripts Globally"). Disabling JavaScript will reduce your vulnerability to other attacks like this one, but disabling JavaScript will make some websites not work like you expect.
Update: According to Baneki Privacy Labs research, the IP address 65.222.202.53 hardcoded into the exploit, located in Virginia, is actually owned by Science Applications International Corporation (SAIC), a major intelligence, military, aerospace, engineering and systems contractor involved with the Federal Bureau of Investigation (FBI), Defense Advanced Research Projects Agency (DARPA), Central Intelligence Agency (CIA) and National Security Agency (NSA).
They believe that the hardcoded IP address is directly allocated to the NSA's Autonomous Systems (AS), so it's probably not the FBI, it's the NSA who used the Firefox zero-day exploit to compromise Freedom Hosting and the Tor network.
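As an added defender-side example (not code from this post or from the quoted articles), here is a small Python detector that scans connection-log lines from a host that is supposed to route everything through Tor and flags the beacon behaviour described above: a cleartext HTTP request that goes out directly rather than through the local Tor SOCKS port and carries a MAC address, or a destination matching the addresses quoted in the articles. The log line format, the SOCKS port and the sample request parameters are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Beacon addresses quoted in the articles above (Tsyrklevich's analysis and the Baneki update).
MAGNETO_IPS = {"65.222.202.54", "65.222.202.53"}
# Assumed local Tor SOCKS port of the Tor Browser Bundle; legitimate traffic should only go here.
TOR_SOCKS_PORT = 9150

# MAC address written with ':' or '-' separators, as the payload would transmit it.
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")
# Constructed log format: "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <payload>"
LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\S+) (.*)$")

# Constructed sample log: one SOCKS connection to Tor, one Magneto-style beacon, one plain fetch.
SAMPLE_LOG = """\
2013-08-04T02:10:11Z 192.168.1.20:49152 -> 127.0.0.1:9150 TCP SOCKS5 CONNECT
2013-08-04T02:10:19Z 192.168.1.20:49160 -> 65.222.202.54:80 HTTP GET /?host=WIN-7PC&mac=00:1A:2B:3C:4D:5E HTTP/1.1
2013-08-04T02:11:02Z 192.168.1.20:49170 -> 203.0.113.9:80 HTTP GET /index.html HTTP/1.1
"""


@dataclass
class Finding:
    timestamp: str
    dst: str
    reasons: list


def analyze_line(line: str):
    """Return a Finding for one log line, or None if nothing suspicious is seen."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, _src_ip, _src_port, dst_ip, dst_port, proto, payload = m.groups()
    reasons = []
    if dst_ip in MAGNETO_IPS:
        reasons.append("destination is a known Magneto beacon address")
    bypasses_tor = not dst_ip.startswith("127.") and int(dst_port) != TOR_SOCKS_PORT
    if proto == "HTTP" and bypasses_tor and MAC_RE.search(payload):
        reasons.append("MAC address sent in cleartext HTTP outside Tor")
    return Finding(ts, f"{dst_ip}:{dst_port}", reasons) if reasons else None


def scan_log(text: str):
    """Run analyze_line over every line of a log and collect the findings."""
    return [f for f in map(analyze_line, text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding.timestamp, finding.dst, "; ".join(finding.reasons))
```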