Tor browser malware appears loaded by FBI to identify users

This week the folks out there looking to be entirely anonymous (not to be mistaken for the Anonymous hacker collective) have been greeted by a message through the Tor web browser. Tor is a fork of Firefox – based in Firefox's code, recreated as a web browser here to allow entirely anonymous web browsing. According to reports, the malware in question exploits a bug present in Firefox 17 ESR, the same build on which Tor is based, allowing – through "Freedom Hosting" webpages specifically – a payload to be delivered which ultimately sends the location of the user to a 3rd party.

Sites that appear to be targeted this week are those associated with Freedom Hosting, a company which specializes in keeping webpages anonymous and – ultimately – free from the law. The delivery of this code happens to have taken place less than a week after the arrest of Eric Eoin Marques, as noted by Wired, his arrest having been for hosting massive amounts of illegal pedophilic media on what's being connected (by Wired) to Freedom Hosting servers.

The malware being delivered here is said to be directly related to CIPAV, aka the FBI's own "computer and internet protocol address verifier." With this code, the FBI is able to identify the location of the machine infected by it, this location then sent back to a server through the web.

This identifying information is sent – according to reverse-engineer Vlad Tsyrklevich – to Reston, Virginia. This IP has been linked in this same Wired report to Science Applications International Corporation. This corporation works as a technology contractor for such intelligence and defense agencies as the FBI.

According to the Tor security advisory released this afternoon, only those iterations of the browser older than June 26th of 2013 are affected by this venerability.