The Washington Post

A bunch of Tor sites spread malware. Was the FBI behind it?


Tor users visiting secret sites hosted by Freedom Hosting early Sunday morning weren't able to reach their desired destinations. Instead they were met with a "Down for Maintenance" notice and, if they had JavaScript enabled, malware that could effectively identify Tor users. The Internet is wild with speculation that the malware was planted by the FBI. And that isn't as paranoid as you might think.

Eric Eoin Marques, the man believed to be behind Freedom Hosting, was arrested in Ireland Thursday and is currently awaiting extradition to the U.S. on child pornography charges. While Freedom Hosting was the largest hosting service for secret .onion sites and used for things like the secret e-mail service TorMail, it was also infamous for hosting sites that included depictions of the rape and torture of pre-pubescent children. Taking down the hosting service may have removed some half of the hidden sites accessible through the Tor network.

A lot of people know that you can use Tor to browse the Internet anonymously. This works by routing traffic through several randomly selected computers in the Tor network. Web site operators can use the same technique to hide the location of their servers. This can be for illicit purposes like child pornography or dealing drugs. However, Tor's "hidden service" capability can also be a boon to political activists, whistleblowers, and journalists who want to publish anonymously.

Malware reportedly appeared on all hidden sites hosted by Freedom Hosting, not just those related to child pornography. It exploited a critical memory management vulnerability that existed in many older versions of Firefox. But the malware only targeted the version of Firefox that is part of the Tor Browser Bundle.

The malware looked up users' MAC addresses and Windows hostnames, then relayed them to a server in Virginia, outside the Tor network, revealing the users' real IP addresses.
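The deanonymization above works only because the browser sent traffic straight to an outside server rather than through Tor. The following is an added illustration, not code from the article or from any of the parties it describes, of how a defender can spot that class of leak: a per-process outbound-connection log (the `proc=<name> dst=<ip>:<port>` format, the process name `firefox.exe`, and the local Tor ports 9150/9151 are all assumptions, and the log lines are constructed) is scanned for any connection from the browser process that is not addressed to the local Tor listener.

```python
"""Flag direct (non-Tor) egress from a process that should only reach the local Tor proxy.

Added example, not part of the original article. A Tor Browser that is working as
intended talks only to the local Tor daemon; any other destination from that process
is traffic that bypasses Tor and can expose the machine's real IP address.
"""
from dataclasses import dataclass

# Assumption: Tor Browser's local SOCKS (9150) and control (9151) ports on loopback.
TOR_LOCAL_ENDPOINTS = {("127.0.0.1", 9150), ("127.0.0.1", 9151)}

# Assumption: the process name the host firewall reports for the Tor Browser binary.
WATCHED_PROCESSES = {"firefox.exe"}


@dataclass(frozen=True)
class Connection:
    process: str
    dst_ip: str
    dst_port: int


def parse_line(line: str) -> Connection:
    """Parse one log line of the constructed form 'proc=<name> dst=<ip>:<port>'.

    The format is an assumption for this example, not any real product's output.
    """
    fields = dict(token.split("=", 1) for token in line.split())
    ip, port = fields["dst"].rsplit(":", 1)
    return Connection(process=fields["proc"], dst_ip=ip, dst_port=int(port))


def is_leak(conn: Connection) -> bool:
    """True when a watched process connects anywhere but the local Tor listener."""
    if conn.process not in WATCHED_PROCESSES:
        return False  # the Tor daemon itself and other processes are out of scope
    # Anything that is not the local Tor endpoint, loopback or not, bypasses Tor.
    return (conn.dst_ip, conn.dst_port) not in TOR_LOCAL_ENDPOINTS


def find_leaks(lines):
    """Return the connections in `lines` that should be investigated."""
    return [conn for conn in map(parse_line, lines) if is_leak(conn)]


# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges (RFC 5737), not real hosts.
SAMPLE_LOG = [
    "proc=firefox.exe dst=127.0.0.1:9150",   # browser -> local Tor SOCKS: expected
    "proc=firefox.exe dst=127.0.0.1:9151",   # browser -> local Tor control port: expected
    "proc=tor.exe dst=198.51.100.7:443",     # Tor daemon -> entry guard: expected
    "proc=firefox.exe dst=203.0.113.5:80",   # browser -> outside host directly: leak
    "proc=explorer.exe dst=198.51.100.9:80", # unrelated process: not watched
]

if __name__ == "__main__":
    for conn in find_leaks(SAMPLE_LOG):
        print(f"LEAK: {conn.process} -> {conn.dst_ip}:{conn.dst_port}")
```

The same allow-list, enforced rather than merely logged by a host firewall or by running the browser in a VM whose only route is the Tor gateway, turns this from detection into prevention: the browser process cannot reach the outside server at all, whatever code runs inside it.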

When reached by the Post, the FBI press office declined to comment on the malware. Some reverse engineers looking at the code over the weekend argued that it was "likely" operated by a law enforcement agency because the malware doesn't do anything other than identify users.

And that argument isn't very far-fetched. The Wall Street Journal reported last week that the FBI was deploying spyware capable of remotely activating the microphones of Android devices. And documents disclosed in 2011 show that, since at least 2005, the FBI was using programs that gathered Internet addresses and lists of running programs, among other data. Just last year, the FBI left a child pornography site up and running for two weeks to snoop out intel in a sting operation.

U.S. law enforcement has a history of treating people who use strong privacy practices as if they have something to hide. In fact, the minimization procedures leaked about NSA surveillance suggest encryption and Tor usage are likely to flag U.S.-based communications for retention even if the communications were collected inadvertently. So, it's really not so crazy to think the FBI might be trying to hack Tor users.