Aug 19 2013

Feds Are Suspects in New Malware That Attacks Tor Anonymity

 

WIRED / Threat Level
by Kevin Poulsen
August 5, 2013

Feds Are Suspects in New Malware That Attacks Tor Anonymity (Photo: Andrewfhart / Flickr)

 

Security researchers tonight are poring over a piece of malicious software that takes advantage of a Firefox security vulnerability to identify some users of the privacy-protecting Tor anonymity network.

The malware showed up Sunday morning on multiple websites hosted by the anonymous hosting company Freedom Hosting. That would normally be considered a blatantly criminal “drive-by” hack attack, but nobody’s calling in the FBI this time. The FBI is the prime suspect.

“It just sends identifying information to some IP in Reston, Virginia,” says reverse-engineer Vlad Tsyrklevich. “It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based.”

If Tsyrklevich and other researchers are right, the code is likely the first sample captured in the wild of the FBI’s “computer and internet protocol address verifier,” or CIPAV, the law enforcement spyware first reported by WIRED in 2007.

Court documents and FBI files released under the FOIA have described the CIPAV as software the FBI can deliver through a browser exploit to gather information from the target’s machine and send it to an FBI server in Virginia. The FBI has been using the CIPAV since 2002 against hackers, online sexual predators, extortionists, and others, primarily to identify suspects who are disguising their location using proxy servers or anonymity services, like Tor.

The code has been used sparingly in the past, which kept it from leaking out and being analyzed or added to anti-virus databases.

The broad Freedom Hosting deployment of the malware coincides with the arrest of Eric Eoin Marques in Ireland on Thursday on a U.S. extradition request. The Irish Independent reports that Marques is wanted for distributing child pornography in a federal case filed in Maryland, and quotes an FBI special agent describing Marques as “the largest facilitator of child porn on the planet.”

Freedom Hosting has long been notorious for allowing child porn to live on its servers. In 2011, the hacktivist collective Anonymous singled out Freedom Hosting for denial-of-service attacks after allegedly finding the firm hosted 95 percent of the child porn hidden services on the Tor network.

Freedom Hosting is a provider of turnkey “Tor hidden service” sites — special sites, with addresses ending in .onion — that hide their geographic location behind layers of routing, and can be reached only over the Tor anonymity network.

Tor hidden services are ideal for websites that need to evade surveillance or protect users’ privacy to an extraordinary degree – which can include human rights groups and journalists. But they also naturally appeal to serious criminal elements.

Shortly after Marques’ arrest last week, all of the hidden service sites hosted by Freedom Hosting began displaying a “Down for Maintenance” message. That included websites that had nothing to do with child pornography, such as the secure email provider TorMail.

Some visitors looking at the source code of the maintenance page realized that it included a hidden iframe tag that loaded a mysterious clump of Javascript code from a Verizon Business internet address located in Virginia.
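A check a site operator or incident responder can run over a page’s HTML for the kind of injected frame described above: an iframe that is hidden (zero-sized or styled invisible) or that loads its content from a bare IP address rather than a hostname. This is an added example and not part of the original article or of any tool it mentions; the sample page, the frame sources and the 192.0.2.10 address (an RFC 5737 documentation range) are constructed for the illustration, not values taken from the article.

```python
"""Flag <iframe> tags that are hidden or that load content from a bare IP
address. Added example; the sample page below is constructed, not the real
maintenance page described in the article."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attribute values are None for bare attributes such as <iframe hidden>
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension_at_most_one(value):
    """True for width/height values like '0', '0px' or '1', i.e. an invisible frame."""
    try:
        return int(value.lower().rstrip("px")) <= 1
    except ValueError:
        return False


def _is_hidden(attrs):
    """Hidden via inline style, or both dimensions collapsed to 0/1 pixels."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return (_dimension_at_most_one(attrs.get("width", ""))
            and _dimension_at_most_one(attrs.get("height", "")))


def _src_is_ip_literal(src):
    """True when the frame's source host is a raw IPv4/IPv6 address, not a hostname."""
    host = urlparse(src.strip()).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_iframes(html):
    """Return one finding per iframe that is hidden, loads from a bare IP, or both."""
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        hidden = _is_hidden(attrs)
        ip_literal = _src_is_ip_literal(src)
        if hidden or ip_literal:
            findings.append({"src": src, "hidden": hidden, "ip_literal": ip_literal})
    return findings


# Constructed sample: a benign, visible status frame plus an injected invisible one.
SAMPLE_PAGE = """<html><body>
<h1>Down for Maintenance</h1>
<iframe src="https://status.example.net/notice" width="600" height="200"></iframe>
<iframe src="http://192.0.2.10/content/" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_PAGE):
        print(finding)
```

The two traits are scored independently so that a visible frame pointing at a raw IP, or a hidden frame pointing at a hostname, still surfaces for review; a legitimate page that embeds its own content by IP will produce a finding too, so the output is a triage list rather than a verdict.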

By midday Sunday, the code was being circulated and dissected all over the net. Mozilla confirmed the code exploits a critical memory management vulnerability in Firefox that was publicly reported on June 25, and is fixed in the latest version of the browser.

Though many older revisions of Firefox are vulnerable to that bug, the malware only targets Firefox 17 ESR, the version of Firefox that forms the basis of the Tor Browser Bundle – the easiest, most user-friendly package for using the Tor anonymity network.

“The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based,” the non-profit Tor Project wrote in a blog post Sunday. “We’re investigating these bugs and will fix them if we can.”

The inevitable conclusion is that the malware is designed specifically to attack the Tor browser. The strongest clue that the culprit is the FBI, beyond the circumstantial timing of Marques’ arrest, is that the malware does nothing but identify the target.

 

The payload for the Tor Browser Bundle malware is hidden in a variable called “magneto”.

The heart of the malicious Javascript is a tiny Windows executable hidden in a variable named “Magneto.” A traditional virus would use that executable to download and install a full-featured backdoor, so the hacker could come in later and steal passwords, enlist the computer in a DDoS botnet, and generally do all the other nasty things that happen to a hacked Windows box.

But the Magneto code doesn’t download anything. It looks up the victim’s MAC address — a unique hardware identifier for the computer’s network or Wi-Fi card — and the victim’s Windows hostname. Then it sends them to the Virginia server as a standard HTTP web request made outside of Tor, which exposes the user’s real IP address.

“The attackers spent a reasonable amount of time writing a reliable exploit, and a fairly customized payload, and it doesn’t allow them to download a backdoor or conduct any secondary activity,” says Tsyrklevich, who reverse-engineered the Magneto code.

The malware also sends, at the same time, a serial number that likely ties the target to his or her visit to the hacked Freedom Hosting-hosted website.

In short, Magneto reads like the x86 machine code embodiment of a carefully crafted court order authorizing an agency to blindly trespass into the personal computers of a large number of people, but for the limited purpose of identifying them.

But plenty of questions remain. For one, now that there’s a sample of the code, will anti-virus companies start detecting it?

Update 8.5.13 12:50:  According to Domaintools, the malware’s command-and-control IP address in Virginia is allocated to Science Applications International Corporation. Based in McLean, Virginia, SAIC is a major technology contractor for defense and intelligence agencies, including the FBI. I have a call in to the firm.

13:50  Tor Browser Bundle users who installed or manually updated after June 26 are safe from the exploit, according to the Tor Project’s new security advisory on the hack.

14:30:  SAIC has no comment.

15:10:  There are incorrect press reports circulating that the command-and-control IP address belongs to the NSA. Those reports are based on a misreading of domain name resolution records. The NSA’s public website, NSA.gov, is served by the same upstream Verizon network as the Tor malware command-and-control server, but that network handles tons of government agencies and contractors in the Washington DC area.

8.6.13 17:10:  SAIC’s link to the IP addresses may be an error in Domaintools’ records. The official IP allocation records maintained by the American Registry for Internet Numbers show the two Magneto-related addresses are not part of SAIC’s publicly-listed allocation. They’re part of a ghost block of eight IP addresses that have no organization listed. Those addresses trace no further than the Verizon Business data center in Ashburn, Virginia, 20 miles northwest of the Capital Beltway. (Hat tip: Michael Tigas)
Direct Link:  http://www.wired.com/threatlevel/2013/08/freedom-hosting/

 

Jun 26 2013

FBI’s Robert Mueller: Feds need broader surveillance powers

POLITICO
by Tony Romm
June 20, 2013

Mueller told the Senate Judiciary Committee that the need is real.  (Jay Westcott/POLITICO)

FBI Director Robert Mueller told lawmakers — some already skeptical of government surveillance — that the feds may need additional powers to track down criminals who hide their activities online.

Buried in his prepared testimony Wednesday to the Senate Judiciary Committee, Mueller reaffirmed the Obama administration’s long-held view that there’s a “growing gap between law enforcement’s legal authority to conduct electronic surveillance, and its ability to conduct such surveillance.”

“The rapid pace of advances in mobile and other communication technologies continues to present a significant challenge for conducting court-approved electronic surveillance of criminals and terrorists,” Mueller noted.

“Because of this gap, law enforcement is increasingly unable to gain timely access to the information to which it is lawfully authorized and that it needs to protect public safety, bring criminals to justice and keep America safe,” added the FBI director, acknowledging there still exists a need to balance security and privacy.

The FBI and Justice Department for years have explored remedies to their so-called going dark problem — instances in which suspects communicate using Internet services that aren’t so easily subject to court-ordered wiretaps.

At one point, reports this year suggested law enforcement agencies even had bandied about a proposal that could fine large Internet companies that don’t build their services in a way to aid those investigations. The White House, however, said at the time it had not signed off on any new plan.

The efforts to expand federal law known as the Communications Assistance for Law Enforcement Act hit fresh resistance in May, after news broke that the DOJ had sought phone records for some Associated Press journalists. Civil-liberties groups, privacy-minded lawmakers and top Internet companies expressed unease with any plan to expand federal wiretapping powers.

Now the controversy over surveillance at the NSA — a driving topic at the Wednesday hearing — may only further complicate matters, or so privacy hawks hope.

The FBI needs “to provide better reasons and more information about why they need this, when technologists and academics across the board are consistently saying and have shown … the whole ‘going dark’ messaging is incorrect in the golden age of surveillance,” said Mark Jaycox, a policy analyst at the Electronic Frontier Foundation. He described the FBI’s pursuit of additional surveillance authority as “breathtaking.”

The Democratic and Republican leaders of the House and Senate committees that would oversee such a debate didn’t comment for this story.

Mueller, though, told the Senate Judiciary Committee the need is real — and he urged lawmakers to help ensure “law enforcement capabilities keep pace with new threats and new technology, while at the same time protecting individual privacy rights and civil rights.”

“It is only by working together — within the law enforcement and intelligence communities, with our private sector partners and with members of Congress — that we will find a long-term solution to this growing problem,” Mueller noted in his prepared testimony.

Direct Link:  http://www.politico.com/story/2013/06/fbis-robert-mueller-help-needed-to-keep-criminals-from-going-dark-93055.html

Mar 06 2013

FBI ‘secretly spying’ on Google users, company reveals

FOX News
March 6, 2013

    Mar. 5, 2013: Google has revealed some information about the FBI’s use of National Security Letters to seek information — an unprecedented win for privacy, experts said. (Google)

The FBI used National Security Letters — a form of surveillance that privacy watchdogs call “frightening and invasive” — to surreptitiously seek information on Google users, the web giant has just revealed.

Google’s disclosure is “an unprecedented win for transparency,” privacy experts said Wednesday. But it’s just one small step forward.

“Serious concerns and questions remain about the use of NSLs,” the Electronic Frontier Foundation’s Dan Auerbach and Eva Galperin wrote. For one thing, the agency issued 16,511 National Security Letters in 2011, the last year for which data was available. But Google was gagged from saying just how many letters it received — leaving key questions unanswered.

“The terrorists apparently would win if Google told you the exact number of times the Federal Bureau of Investigation invoked a secret process to extract data about the media giant’s customers,” Wired’s David Kravets wrote. He described the FBI’s use of NSLs as a way of “secretly spying” on Google’s customers.

National Security Letters are a means for the FBI to obtain information on people from telecommunications companies, authorized by the Electronic Communications Privacy Act (ECPA) and expanded under the Patriot Act. It lets the agency seek information on a subscriber to a wire or electronic communications service, although not things like the content of their emails or search queries, Google said.

And thanks to secrecy constraints built into NSLs, companies that receive them usually aren’t even allowed to acknowledge the request for information. Citing such extreme secrecy, privacy experts have decried the use of these letters in the past.

“Of all the dangerous government surveillance powers that were expanded by the USA PATRIOT Act, the National Security Letter (NSL) power … is one of the most frightening and invasive,” the EFF wrote. “These letters … allow the FBI to secretly demand data about ordinary American citizens’ private communications and Internet activity without any meaningful oversight or prior judicial review.”

Thanks to negotiations with the government, Google finally opened the smallest chink in the armor, allowing the search giant to reveal the fact that it had received these requests for data, as well as some general information about them.

“Visit our page on user data requests in the U.S. and you’ll see, in broad strokes, how many NSLs for user data Google receives, as well as the number of accounts in question,” Richard Salgado, Google’s legal director of law enforcement and information security, wrote in a Tuesday blog post.

A new table posted to Google’s Transparency Report site outlines the details; it tabulates how many requests for information the company has received over each of the past four years: some undisclosed number between 0 and 999. With those NSLs, the FBI sought information on somewhere between 1,000 and 1,999 users/accounts.

“People don’t always use our services for good, and it’s important that law enforcement be able to investigate illegal activity,” Salgado wrote.

No other technology company presently discloses such basic information about government requests, experts noted.

Jul 11 2012

DNS Changer Malware may have affected 47,000 Americans

 

Los Angeles Times

By Salvador Rodriguez

July 9, 2012

 

 

As many as 47,000 Americans may have lost Internet access Monday after the FBI shut down servers supporting computers that were infected by malware. (Karen Bleier/AFP/Getty Images)

 

The FBI finally shut off servers Monday morning that at one point supported millions of users infected by the DNS Changer Malware, leaving as many as 47,000 Americans disconnected from the Internet.

Though the FBI, with the help of various organizations and companies, was able to reduce the number of infected computers from 4 million to less than 250,000 in the last few months, several hundred thousand users were still affected by the 12:01 a.m. Eastern time cutoff Monday morning.

The U.S. was left with the most affected users after the cutoff, according to security firm F-Secure, which put up a blog with stats Monday.

The U.S. had as many as 47,054 users still infected over the weekend. That was followed by Italy in second place with 21,508 users, and India came in the third spot, with 19,991 infected users.

The DNS Changer problem began as a result of an online advertising scam that ended up infecting 4 million computers worldwide. The FBI put an end to the scheme, but the government agency realized that turning off the servers running the malware would have taken down all those computers from the Internet.

As a solution, the FBI set up two servers to continue providing access for the infected users, set a date for when they would be shut down and began raising awareness.

If your computer or the computer of someone you know has been affected, there are steps that can be taken to remedy the problem.

For a list of what to do from an expert organization, head here. Essentially, what you may need to do is back up your computer, have an expert wipe it clean of the malware, reformat your hard drive and reinstall everything.

For future reference, make sure to browse the Web more securely. Don’t click links or open documents from untrusted email addresses, and when you enter logins and passwords, make sure you are entering them to trustworthy organizations and in their actual websites — not lookalikes built to take your information.
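The practical first check for an infection of this kind is whether the machine’s configured DNS resolvers fall inside the rogue resolver ranges, since that is the setting the malware changes and the reason the FBI had to keep substitute servers running. The following is an added example, not code from the article or from any organization it links to; the ranges in ROGUE_RESOLVER_RANGES are RFC 5737 documentation prefixes used as placeholders for the real rogue blocks, and both sample inputs are constructed.

```python
"""Check a machine's configured DNS resolvers against rogue-resolver ranges.
Added example; ROGUE_RESOLVER_RANGES holds RFC 5737 documentation prefixes as
placeholders, not the real DNS Changer ranges, and the sample inputs are constructed."""
import ipaddress
import re

# Placeholder prefixes standing in for the rogue resolver blocks a real check would load.
ROGUE_RESOLVER_RANGES = [ipaddress.ip_network(cidr)
                         for cidr in ("203.0.113.0/24", "198.51.100.0/24")]


def parse_resolvers(text):
    """Extract resolver addresses from resolv.conf text or Windows 'ipconfig /all' output.

    Handles 'nameserver X' lines and the multi-line 'DNS Servers . . : X' field,
    whose extra IPv4 entries appear alone on indented continuation lines."""
    resolvers = []
    in_dns_block = False  # inside the 'DNS Servers' field of ipconfig output
    for line in text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if m:
            resolvers.append(m.group(1))
            in_dns_block = False
            continue
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            resolvers.append(m.group(1))
            in_dns_block = True
            continue
        if in_dns_block:
            m = re.match(r"\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", line)
            if m:
                resolvers.append(m.group(1))
                continue
            in_dns_block = False  # any other line ends the field
    return resolvers


def check_resolvers(resolvers, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Map each resolver string to 'rogue', 'ok' or 'unparseable'."""
    report = {}
    for r in resolvers:
        try:
            addr = ipaddress.ip_address(r)
        except ValueError:
            report[r] = "unparseable"
            continue
        report[r] = "rogue" if any(addr in net for net in rogue_ranges) else "ok"
    return report


# Constructed samples: one Unix-style resolv.conf, one Windows ipconfig excerpt.
SAMPLE_RESOLV_CONF = """# constructed sample
search example.net
nameserver 203.0.113.5
nameserver 192.0.2.1
"""

SAMPLE_IPCONFIG = """Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   DNS Servers . . . . . . . . . . . : 203.0.113.5
                                       192.0.2.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for sample in (SAMPLE_RESOLV_CONF, SAMPLE_IPCONFIG):
        print(check_resolvers(parse_resolvers(sample)))
```

On a real machine you would feed it the contents of /etc/resolv.conf or the output of `ipconfig /all`; a "rogue" entry means the machine would have lost name resolution when the substitute servers went dark, and the cleanup the article outlines applies. Resolvers handed out by a compromised home router show up here as well, since the check looks at what the host actually uses.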

 


Direct Link:  http://www.latimes.com/business/technology/la-fi-tn-dns-changer-47000-20120709,0,777095.story

Jun 26 2012

Former FBI Bomb Investigator Arrested on Child Pornography Charges

 
ABC NEWS
by Jason Ryan
May 14, 2012

A former FBI supervisory special agent who worked on some of the bureau’s most high-profile terrorism and bombing cases, including the Unabomber case, the USS Cole bombing, the Oklahoma City bombing, the 1993 World Trade Center bombing and the 9/11 attacks, has been arrested and charged with distributing child pornography.

Donald J. Sachtleben, a former FBI agent who served as a team leader on the high-profile investigations, was charged in a criminal complaint that was unsealed today by the U.S. Attorney’s Office in Indiana.

Sachtleben was charged with knowingly possessing child pornography and knowingly distributing child pornography. According to his LinkedIn profile, he left the Bureau in 2008 after a 25-year career that spanned the globe.

The investigation by the FBI and an Internet Crimes Against Children task force spanned back to last fall when investigators executed a search warrant of another man allegedly trading images of child pornography. A review of the computer of that suspect, identified as Jason Nicoson from Illinois, led agents to Sachtleben and an Internet protocol address at his home in Carmel, Ind.

“A limited on-scene triage of the evidence was completed on computers and storage media found inside the residence and a vehicle. Approximately 30 image and video files containing child pornography were recovered from within a Hitachi Hard Drive inside a Sony VAIO Laptop,” the criminal complaint said of items recovered from Sachtleben’s home after federal agents executed a search warrant at his residence.

“Sachleben’s [sic] wife was interviewed during the execution of the search warrant and denied any knowledge of the child pornography found in Sony VAIO laptop or any involvement with child pornography distribution or possession,” FBI Special Agent Kerri Reifel wrote in the affidavit.

The images that were viewed on Sachtleben’s computer allegedly matched those that were found on Jason Nicoson’s computer from the Illinois search.

If convicted, Donald Sachtleben could face 20 years in prison on the distribution charge and 10 years for possession.

“Today’s announcement underscores this serious commitment, and should make clear that no matter who you are, you will be brought to justice if you are found guilty of such criminal behavior,” said U.S. Attorney Joseph Hogsett.

The Justice Department has made prosecuting these cases a priority under Project Safe Childhood, which was set up in 2006. According to Justice Department statistics, there has been a 42 percent increase in the number of cases the Department has brought involving the sexual exploitation of children, with over 2,700 indictments obtained in 2011.

Attorneys for Sachtleben did not return phone messages or emails when contacted by ABC News.

 

Direct Link:  http://abcnews.go.com/blogs/politics/2012/05/former-fbi-bomb-investigator-arrested-on-child-pornography-charges/