FBI Uses Malware To Take Down Child Pornographer
August 5, 2013

FBI Suspected Of Using Malware To Spy On Child Pornographers

Michael Harper for redOrbit.com - Your Universe Online

The FBI is suspected of being behind a piece of malware which captures user information before logging it on a server located in Reston, Virginia. The virus has been spotted in the wild on websites in the Tor anonymity network. A supposed zero-day vulnerability in a special version of Mozilla's Firefox could allow the FBI access to machines which view these anonymous sites.

The timing of this malware discovery has led some security researchers to suspect the feds are the authors. Following the Saturday arrest of Eric Eoin Marques, a 28-year-old living in Ireland and founder of Freedom Hosting, several websites running on the Tor network became unavailable. Marques was arrested on a warrant from the US on charges that he is the "largest facilitator of child porn on the Internet," reported Ars Technica.

The Tor network is an anonymous and private portion of the Internet whose hidden sites are reachable only by those using Tor. Such anonymity can be helpful in a myriad of ways. For instance, public figures or journalists may find a secure place to engage in whistleblower activities on the Tor network. However, cybercriminals also find the anonymity of the Tor network useful. For instance, just last week, security researcher Brian Krebs posted a story on his blog about a group of pranksters who bought heroin on the Tor-operated Silk Road and had it shipped to his house in hopes of having him arrested.

Freedom Hosting specialized in providing these Tor websites a home, including a significant number of child pornography websites and wikis which give child porn traffickers a platform to offer their services.

Marques was taken to court Friday on extradition charges associated with his activity with Freedom Hosting, though the Irish court never mentioned the company's name. The creators of the anonymous Internet, the Tor Project, have since offered a statement saying they are not affiliated with Freedom Hosting in any way.

"Other organizations run hidden services to protect dissidents, activists, and protect the anonymity of users trying to find help for suicide prevention, domestic violence and abuse-recovery," reads the statement.

Tor is accessed through its own browser, a modified version of Mozilla's Firefox 17 ESR (Extended Support Release). Shortly after Marques' arrest, sites which were located on Freedom Hosting appeared to be offline with a "down for maintenance" message.

According to Wired, however, some trying to access Freedom Hosting sites noticed suspicious code running on what appeared to be a blank website. These users began passing the code around and discovered it downloaded a virus which operates quite differently from typical malware. Rather than embedding itself into the computer and opening up a back door to be used later to steal passwords, the virus - dubbed Magneto - doesn't download anything. Instead, it looks up the MAC address of the machine (a unique number used to identify a computer's network or Wi-Fi card) and the host name of the user. This information is then sent to a server outside of Tor located in Virginia.
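The detail that matters to defenders in the paragraph above is that the payload phones home to a clearnet server rather than through Tor; that direct connection is what exposes the user. As an added example (not code from the article, from Wired, or from the Tor Project), the Python below runs a simple host-based egress check over constructed connection records and flags any browser connection that does not go to the local Tor SOCKS proxy. The SOCKS endpoint 127.0.0.1:9150, the browser process names, and every address in the sample are assumptions or constructed stand-ins, not values from the page.

```python
"""Flag Tor Browser connections that bypass the local Tor SOCKS proxy.

Added example, not from the redOrbit article or the Tor Project. Connection
records are constructed inline; on a real host they would come from a
firewall log, `ss -tnp` output, or an endpoint sensor.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: Tor Browser sends all traffic to its bundled tor daemon here.
TOR_SOCKS = ("127.0.0.1", 9150)
# Assumption: process names that represent the Tor Browser on this host.
BROWSER_PROCESSES = {"firefox", "firefox.exe", "tor-browser"}
# RFC 1918 ranges, checked explicitly (ipaddress.is_private also covers
# documentation ranges, which would mislabel the constructed sample below).
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Connection:
    process: str
    dst_ip: str
    dst_port: int


def is_tor_proxy(conn: Connection) -> bool:
    """True when the connection goes into the local Tor SOCKS endpoint."""
    return (conn.dst_ip, conn.dst_port) == TOR_SOCKS


def classify(conn: Connection) -> str:
    """Coarse label for where a connection is headed."""
    ip = ip_address(conn.dst_ip)
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in RFC1918):
        return "lan"
    return "clearnet"


def find_tor_bypass(conns):
    """Return browser connections that go anywhere except the Tor proxy.

    The tor daemon itself legitimately talks to relays on the clearnet, so
    only processes in BROWSER_PROCESSES are examined.
    """
    suspicious = []
    for c in conns:
        if c.process.lower() not in BROWSER_PROCESSES:
            continue
        if is_tor_proxy(c):
            continue
        suspicious.append(c)
    return suspicious


# Constructed sample: 203.0.113.25 (a documentation address) stands in for
# the collection server; it is not the real address from the incident.
SAMPLE_CONNECTIONS = [
    Connection("firefox", "127.0.0.1", 9150),   # normal: page fetch via Tor
    Connection("firefox", "127.0.0.1", 9150),
    Connection("firefox", "203.0.113.25", 80),  # direct clearnet post: exposes the user
    Connection("tor", "198.51.100.7", 443),     # tor daemon reaching a relay: expected
    Connection("curl", "203.0.113.25", 80),     # not the browser: out of scope here
]


def report(conns=SAMPLE_CONNECTIONS):
    """Rows of (process, ip, port, class) for every flagged connection."""
    return [(c.process, c.dst_ip, c.dst_port, classify(c))
            for c in find_tor_bypass(conns)]


if __name__ == "__main__":
    for row in report():
        print("ALERT tor-bypass:", row)
```

Run stand-alone, the script prints one alert for the constructed clearnet connection and nothing for the proxy traffic or the tor daemon's own relay connections. The same rule can be enforced rather than merely detected with a per-process or per-user egress firewall that permits the browser to reach only the SOCKS endpoint.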

Wired believes this could be the first in-the-wild example of a surveillance tool called the "computer and internet protocol address verifier," or CIPAV, which has allegedly been in use since 2002.

According to the Tor Project, the malware only targets Firefox 17 ESR, and they plan to address and fix these bugs as soon as they can.