04 Aug 13

Firefox Zero-Day Used in Child Porn Hunt?


A claimed zero-day vulnerability in Firefox 17 has some users of the latest Mozilla Firefox browser (Firefox 22) shrugging their shoulders. Indeed, for now it appears that this flaw is not a concern for regular, up-to-date Firefox end users. But several experts say the vulnerability was instead exposed and used in tandem with a recent U.S. law enforcement effort to discover the true Internet addresses of people believed to be browsing child porn sites via the Tor Browser — an online anonymity tool powered by Firefox 17.


Freedom Hosting’s entry on the Tor network’s The Hidden Wiki page.

Tor software protects users by bouncing their communications across a distributed network of relays run by volunteers all around the world. As the Tor homepage notes, it prevents anyone who might be watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets users access sites that are blocked by Internet censors.

The Tor Browser bundle also is the easiest way to find Web sites that do not want to be easily taken down, such as the Silk Road (a.k.a. the “eBay of hard drugs”) and sites peddling child pornography.

On Saturday, Aug. 3, 2013, Independent.ie, an Irish news outlet, reported that U.S. authorities were seeking the extradition of Eric Eoin Marques, a 28-year-old with Irish and American citizenship reportedly dubbed by the FBI as “the largest facilitator of child porn on the planet.” According to the Independent, Marques was arrested on a Maryland warrant that includes charges of distributing and promoting child porn online.

The Tor Project’s blog now carries a post noting that at approximately midnight on August 4th “a large number of hidden service addresses disappeared from the Tor Network, sites that appear to have been tied to an organization called Freedom Hosting – a hosting service run on the Tor Network allegedly by Marques.”

Hidden services can be used to run a variety of Web services that are not directly reachable from a normal Internet connection — from FTP and IRC servers to Web sites. As such, the Tor Network is a robust tool for journalists, whistleblowers, dissidents and others looking to publish information in a way that is not easily traced back to them.

“There are rumors that a hosting company for hidden services is suddenly offline and/or has been breached and infected with a javascript exploit,” writes “phobos,” a Tor Project blogger. Phobos notes that the person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research, and continues:

“The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect user’s computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We’re investigating these bugs and will fix them if we can.”

Even if the claimed vulnerability is limited to Firefox version 17, such a flaw would impact far more than just Tor bundle users. Mozilla says it has been notified of a potential security vulnerability in Firefox 17, which is currently the extended support release (ESR) version of Firefox. Last year, Mozilla began offering an annual ESR of Firefox for enterprises and others who didn’t want to have to keep up with the browser’s new rapid release cycle.

“We are actively investigating this information and we will provide additional information when it becomes available,” Michael Coates, director of security assurance at Mozilla, wrote in a brief blog post this evening.

Ofir David, head of intelligence for Israeli cybersecurity firm Cyberhat, said he believes the now-public exploit code is indeed related to Marques’ arrest. David said someone appears to have gained access to Freedom Hosting and injected malicious HTML code that checks the visitor’s browser to see if he is using Firefox 17. If so, the code silently redirects that visitor’s browser to another site which generates a unique identifier called a ‘UUID.’

David said that although the exploit can be used to download and run malicious code on the visitor’s computer, whoever infiltrated Freedom Hosting appears to have only used the exploit to gather the true Internet addresses of people visiting the child porn sites hosted there.

“Ironically, all [the malicious code] does is perform a GET request to a new domain, which is hosted outside of the Tor network, while transferring the same UUID,” David said. “That way, whoever is running this exploit can match any Tor user to his true Internet address, and therefore track down the Tor user.”
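The de-anonymization pattern David describes (a request that leaves the Tor network for a clearnet host while carrying a UUID) is something an egress or proxy log can be checked for. The following is an added example written for this post, not code from Krebs, Cyberhat or Tsrklevich: it parses a constructed log in an assumed `<timestamp> <method> <url>` format and flags non-.onion requests that carry a UUID-shaped token, marking whether a hidden-service visit preceded them. The hostnames, the log format and the UUID are all constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Loose UUID shape (8-4-4-4-12 hex). The article only says "a unique identifier
# called a 'UUID'", so no version or variant nibble is assumed here.
UUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I
)

# Constructed sample egress log, not real traffic. The line format
# "<timestamp> <method> <url>" is an assumption for this example.
SAMPLE_LOG = """\
2013-08-04T00:01:10Z GET http://hiddenservice-example.onion/index.html
2013-08-04T00:01:12Z GET http://hiddenservice-example.onion/content_1.html
2013-08-04T00:01:13Z GET http://beacon-example.invalid/?id=0e4d2f1c-9b8a-4c3d-8e7f-6a5b4c3d2e1f
2013-08-04T00:02:00Z GET http://example.com/favicon.ico
"""


def parse_line(line):
    """Split one log line into (timestamp, method, url)."""
    ts, method, url = line.split(" ", 2)
    return ts, method, url


def extract_uuid(url):
    """Return the first UUID-shaped token found anywhere in the URL, or None."""
    m = UUID_RE.search(url)
    return m.group(0).lower() if m else None


def find_correlation_beacons(log_text):
    """Flag requests that leave the hidden-service world (non-.onion host)
    and carry a UUID-shaped token, the pattern David describes. Returns one
    alert dict per suspicious request, in log order."""
    alerts = []
    saw_onion = False
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, method, url = parse_line(line)
        host = (urlparse(url).hostname or "").lower()
        if host.endswith(".onion"):
            saw_onion = True  # the browser has been inside a hidden service
            continue
        token = extract_uuid(url)
        if token is None:
            continue
        alerts.append({
            "ts": ts,
            "method": method,
            "host": host,
            "uuid": token,
            "after_onion_visit": saw_onion,  # stronger signal when True
        })
    return alerts


if __name__ == "__main__":
    for a in find_correlation_beacons(SAMPLE_LOG):
        print(f"{a['ts']} {a['method']} {a['host']} "
              f"uuid={a['uuid']} after_onion={a['after_onion_visit']}")
```

The important caveat is where such a log comes from: the whole point of the beacon is that the GET bypasses Tor, so the Tor proxy itself never sees it. The detector only helps when it runs over the host's or network's actual egress traffic, which is also why the Tor Project's advice to keep the browser bundle patched, rather than to watch for the beacon after the fact, is the real mitigation.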

For more on this developing story, check out this Reddit thread. Also, Mozilla has an open Bugzilla entry analyzing the exploit code.

Update, Aug. 5, 1:45 a.m. ET: Reverse engineer Vlad Tsrklevich has posted a brief analysis of what the exploit does. His conclusion (which seems sound): “Because this payload does not download or execute any secondary backdoor or commands it’s very likely that this is being operated by a [law enforcement agency] and not by blackhats.”

Also, here’s a bit more from Mozilla’s security lead Dan Veditz on the vulnerability:

“The vulnerability being exploited by this attack was fixed in Firefox 22 and Firefox ESR 17.0.7. The vulnerability used is MFSA 2013-53.

People who are on the latest supported versions of Firefox are not at risk.

Although the vulnerability affects users of Firefox 21 and below, the exploit targets only ESR-17 users. Since this attack was found on Tor hidden services, presumably that is because the Tor Browser Bundle (TBB) is based on Firefox ESR-17. Users running the most recent TBB have all the fixes that were applied to Firefox ESR 17.0.7 and were also not at risk from this attack.”
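Veditz's statement gives an administrator a precise rule for auditing a Firefox fleet: anything at 22 or later is fixed, the ESR channel is fixed from 17.0.7, and everything else at 21 or below is affected. The snippet below is an added example, not Mozilla's or Krebs's code, that encodes that rule. It assumes the full version comes from an inventory source such as the `Mozilla Firefox X.Y.Z` line printed by `firefox --version` (an assumed format), and it separately shows why a User-Agent string alone is not enough: Firefox reports only major.minor in the UA, so 17.0.6 and 17.0.7 both appear as `Firefox/17.0`.

```python
import re

# Fixed versions as stated by Mozilla (MFSA 2013-53): Firefox 22 and ESR 17.0.7.
FIXED_RELEASE = (22, 0, 0)
FIXED_ESR = (17, 0, 7)


def parse_version(text):
    """Pull a dotted version out of strings like 'Mozilla Firefox 17.0.7'
    (the assumed `firefox --version` output) or a bare '22.0'.
    Returns a 3-tuple of ints, padding missing parts with 0."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_patched_mfsa_2013_53(version_text):
    """True if this Firefox build carries the MFSA 2013-53 fix."""
    v = parse_version(version_text)
    if v >= FIXED_RELEASE:      # rapid-release channel, 22 and later
        return True
    if v[0] == 17 and v >= FIXED_ESR:   # ESR channel, 17.0.7 and later
        return True
    return False                # 21 and below, including ESR 17.0.0-17.0.6


UA_RE = re.compile(r"Firefox/(\d+)\.(\d+)")


def ua_assessment(user_agent):
    """What a User-Agent string alone can tell you. The UA carries only
    major.minor, so an ESR 17 client cannot be classified from it."""
    m = UA_RE.search(user_agent)
    if not m:
        return "not-firefox"
    major = int(m.group(1))
    if major >= 22:
        return "patched"
    if major == 17:
        return "inconclusive-needs-full-version"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed inventory entries, not real hosts.
    for host, ver in [("ws-01", "Mozilla Firefox 17.0.7"),
                      ("ws-02", "Mozilla Firefox 17.0.6"),
                      ("ws-03", "Mozilla Firefox 22.0")]:
        print(host, ver, "patched" if is_patched_mfsa_2013_53(ver) else "NOT patched")
    print(ua_assessment("Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"))
```

The practical consequence for anyone running the Tor Browser Bundle at the time is the same as Veditz's last sentence: only the build number from the installed bundle, not the browser's self-reported UA, tells you whether the ESR 17.0.7 fixes are present.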

Update, Aug. 5, 4:08 p.m. ET: Kevin Poulsen from Wired.com notes that, according to a domaintools.com lookup, the IP address used by the malicious script’s controllers found by Tsrklevich resolves to a Verizon address space that is managed by Science Applications International Corp. (SAIC), an American defense contractor headquartered in Tysons Corner, Va.


218 comments

  1. I don’t think anyone here has mentioned it yet, but the “malicious HTML code” is being picked up by multiple AVs now.

    Here’s a scan of the .js Krebs posted ( http://pastebin.mozilla.org/2777139 )

    https://www.virustotal.com/latest-scan/7d657aba8d25eba8fe54cbf2c4883960

    Some people were wondering if AVs would even flag an exploit apparently used by “the FBI” or what-have-you, and they are. A lot of reputable vendors too. So, even with it requiring an outdated Firefox to work, if it ever was reused by anyone (exploit kits) it’d be picked up by AVs.

  2. @Chris Hansen: I am thinking that the post a bit above this one was not really you. Confirm?

  3. Well, there’s basically a simple answer to this vulnerability: do not use the Browser Bundle and route your traffic yourself using Tor+Vidalia+Privoxy, and whatever up-to-date browser you can find. I sort of remember the Tor website indicating that while the Browser Bundle is easily set up it’s not perfect in terms of anonymity…

  4. The USDOJ/FBI lied to the Irish Courts. Freedom Hosting houses TorMail and they’ve been after TorMail since WikiLeaks popped up. When Eric Snowden broke big they accelerated their efforts. They couldn’t exercise NDL Patriot Act authority over Freedom Hosting because it’s not in the U.S. So they networked with some of the usual anonymous cowards to upload illegal porn over the course of several years/months – then they networked with civilian organizations briefly (SAIC, Verizon) to locate the Admin in Ireland. They couldn’t get Ireland’s cooperation just to grab TorMail because it would be an obvious privacy issue, but the court in Ireland bought the bit about illegal porn so they arrested Mr. Marques for extradition to the U.S.

  5. Why would Brian delete your comment, given that it did not contain profanity or violence? Besides, a few people have recently commented that they really enjoy reading the thoughts of people like you.

    You do not represent the majority of readers here, so your saying “trust me” is rather presumptuous. I will grant that your views may be representative of Russian criminals.

  6. In what way my views ( on you and your friend ) may be representative of Russian criminals ? Can you elaborate on this a bit more please ??

    I think your views may be representative of an American pedophile who preys on little children, and I’ll tell you why after I get an answer from you.

  7. The Utah Data Center/N.S.A./ Area 51/Room 641A/XKeyscore

    Attackers wield Firefox exploit to uncloak anonymous Tor users
    Publicly available exploit threatens all Tor users unless they take action now.

    “The exploit contained several hallmarks of professional malware development, including “heap spraying” techniques to bypass Windows security protections and the loading of executable code that prompted compromised machines to send the identifying information to a server located in Virginia, (possibly the N.S.A.) according to an analysis by researcher Vlad Tsrklevich.”
    http://arstechnica.com/security/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-users/

  8. That seems pretty flimsy to me. Not saying it isn’t connected, but the evidence presented so far seems like major reaching.

    Yes, we need one more reporter piling on to the NSA story! Sorry, but I never was much into churnalism.

  9. Ok had to look that term up, agreed; almost puked reading the wikipedia. If it seems flimsy to you get to investigating! Operating by myself I have to really try hard to crack some of the OPSEC these agencies employ and even still I have to leave some traps to really get the evidence. There is criminal activity taking place and you’ve been lucky to have a head’s up to avoid seeing the ugly side.

    To see you from investigating individuals on darknets to investigating some of the most powerful gov’t organizations in the world; you attain the next level of legendary. Don’t wait until it’s too late Brian…

  10. The Utah Data Center/N.S.A./ Area 51/Room 641A/XKeyscore

    I would agree with you, except for the fact if you look at how the United States government reportedly infected centrifuges in the Iranian uranium enrichment plants then you start to wonder if they real have the capability to do such a thing.

  11. LOL you’re nuts…

  12. I do not mean to hijack your comment but I would still like to talk with you outside of the comment section here sometime, if you are amenable? Your post above reminded me.

  13. Very strange. Threading has stopped working for me. I do not know why or if I am the only person this is happening for, but I am thinking maybe not? Hopefully this will post under Chris Hansen’s message, but if not, then I have my answer. Please forgive “spamming”.

  14. Chris – Your post reminded me that I would still like to get in touch with you outside of the comments section here about something you mentioned, if you’d be amenable.

  15. Geraldo Rivera

    Maybe you should stop doing shows on catching online predators and do a investigation into why the N.S.A. and or F.B.I. is going after criminals who disseminate child porn and get caught by malicious java script code by way of TOR browser.

  16. Sh*t that was supposed to post as a reply to Chris Hansen but for some reason it did not — software mess up? I am going to repost it where it was supposed to go, Mr. Krebs, can you delete this comment thread when I do so? Thank you.

  17. Chris Hansen (The Brian Krebs of Child Predators)

    @voksalna
    Please don’t take offense, I don’t have reliable means to talk outside of physical handoff of OTP’s, and even still I haven’t vetted you yet, and even still I don’t really want to get too detailed. Please excuse my lack of trust but hopefully it has nothing to do with you. Seems you have had some experiences to make you feel similar…

    I do wonder what “tripped your filter” though.

  18. While I am aware you are trolling (at Chris Hansen, I suspect), there are right ways and wrong ways to “catch a criminal” — at what point are you willing to draw the line? To toss a philosophical question out into the air, would this have become more acceptable if (a) it was done with the cooperation of Freedom Host and (b) he was not charged for child pornography merely because his customers were possibly using it. My point continues to be that the case they are making is that because child pornography went *through his network*, independent of any participation, he is a child pornographer. To take this one step further, and yet back to the more comfortable land of the typical Krebs reader, to retain any degree of parity you would need to charge every advertising company that does online ads that has ever served, unwittingly, a piece of malware (and this has happened a LOT over the years if you look at the news) — or charging every WiFi user whose router has been hacked and used for a crime as a participant in that crime, or every ISP that permitted the traffic at all to be a participant in the crime. I could continue here, but you get the point I am trying to make, I hope.

  19. once again, like those money laundering sites you guys use and get mad about shutting down, it boils down to COOPERATION, which I’m sure he did not give because it goes against Tor’s whole philosophy.
    also the ratio of criminals to honest civilians who use these services is a huge factor you always ignore. And I’m sure for those heading the investigation it’s also about what’s practical and possible and will deal the biggest blow to the child porn industry.

    To try and compare tor to any other service is extremely disingenuous.

  20. You tripped my filters ages ago. :) And yes, I am also quite ‘careful’ and a fan of OTPs myself, as well as physical key exchanges, so I understand your point. At the same time, I really would like to talk with you briefly, nonetheless. Think about it anyway.

  21. @CooloutAC – “also the ratio of criminals to honest civilians who use these services is a huge factor you always ignore.”

    You do realise that this is *precisely* the rationale that your government has been using for ages now to ‘infiltrate’, set-up, accuse, and surveil actually *innocent* mosques and truly non-violent activist groups, don’t you? Tar them all with the same feathers, do please. One bad apple and all that. You also are talking as if you somehow have some magical knowledge of who makes up the tor userbase. That’s a pretty large assumption from someone who bluntly takes people who lie regularly at face value.

  22. what mosques? I have some in my neighborhood. Give examples please….of course that is the rationale.

  23. part of the reason anyways….I also call it common sense, one of the biggest differences in certain services and organizations…

    Give some examples of mosques that have been shut down. What people are you talking about lying to me? Is BK lying when he reiterated the same thing about Liberty Reserve? I think it’s safe to assume the same thing about Tor.

    I guess people i have talked to that actually host tor servers were lying to me, the linux people, I mean tor being a den for criminals was a running joke in most chatrooms when I would ask about it man… who are you trying to convince?

  24. @voksalna
    Ok now you’re really getting my juices flowing, just tell me! I’ll do radio comms if you want, name a freq. and mode; even do Russian morse for ya lol.

    @cooloutac
    So your credentials just popped up on this site. And you called me crazy, accused me of using money sites for spammers, and accused me of child porn. Accusations don’t get off scot-free troll, same with skiddy attacks. Sorry to hear about your mobo btw.

  25. huh what? You lost me man.

  26. @volksana it’s not working for me anymore either haha…maybe it has to do with making too many posts in a certain amount of time.

    @ Chris Hansen I’m not sure what you’re talking about sorry.

  27. @Chris Hansen, I might be a troll, but I would never hack you and I never accused you of those things, You probably have me confused with Voksalna or another poster.

  28. @cooloutac
    Just stop talking to me and don’t talk about me ever again. You may also want to unplug your computer[s] for a little while, remove the batteries, and shield them from info-carrying waves.

  29. @CooloutAC: I have been thinking at great length of your conundrum, and I think your best bet at this stage, given your past unluck online, may be to create a Faraday cage for yourself. You can even build them into your own (current) walls. Hackers are terrible and insidious beasts, and should not be trusted; you should not allow your WiFi signal to escape your premises. You should also shield your windows, since right this moment both the government and private sectors have the ability to capture your typing via microvibrations on windows, glass doors, and such. You can never be too careful, this is my motto — maybe it is time that you follow my lead so that terrible people can no longer bring you or your friends any harm. It’s not such a bad way to live, really. The copper may get a bit expensive, but it is worth the cost.

  30. hahah, i’m sorry voksalna hacked you.

  31. @voksalna, I’m a celebrity what can I say.

    My friends being hacked has nothing to do with me. Most people get hacked, it’s a sad reality. More than 60% of Americans know they have and it’s only getting worse. I’m the type of guy that notices and makes it public lol.

    Malicious hackers are the biggest losers on the planet, sort of like people who watch Jerry Springer or Honey Boo Boo. Most of them live boring lives and become infatuated with other people’s lives like the real losers they are. The rest are just delusional pathological liars always trying to impress someone who doesn’t care.

  32. @voksalna, Have you ever noticed most of these hacking thieves already have money? Come from well-off families or have inheritance in the banks? They do it because they are pathological losers who think it’s cool to be fake and anonymous. They have nothing else to do for fun or spend their money on.

    I’ve been hacked since I was 13 years old on an 8080, this is nothing new. It’s always been part of using a PC, most people don’t realize they might have a trojan, even though most of us do.

    Your propaganda might have worked in the 90s. But people are becoming less anonymous now and more people are becoming aware. Malicious hackers now should really start to treat the internet with the same respect they would outside of their house because it’s only going to get worse for them.
