What We Know About the Attack on Freedom Hosting

If you’ve been following this blog for any length of time you know that I’m a huge fan of location hidden services. While a huge chunk of the security community was busy at Defcon the feds made their move against the largest hidden service provider, Freedom Hosting. Most media outlets have simply reported that the Federal Bureau of Investigation (FBI) made a major strike against the world’s “largest child pornography dealer”:

US authorities are seeking the extradition of a 28-year-old Irishman described in the High Court by an FBI special agent as “the largest facilitator of child porn on the planet.”

Eric Eoin Marques appeared before Mr Justice Paul Gilligan on foot of an extradition request by the FBI, which alleges he is involved in the distribution of online child pornography.

The High Court yesterday put Mr Marques back in custody until next Thursday.

Fortunately we no longer have to rely exclusively on major media outlets for our news. Over at Bitcoin Talk infested999 posted a far better summary of what went down. Mr. Marques is the owner of Freedom Hosting, a hosting service for Tor location hidden services. Unsurprisingly, distributors of child pornography have moved their operations to location hidden services and, also unsurprisingly, the FBI moved against the only entity it could identify: the owner of the hosting service. Because location hidden services are designed to conceal the identity of both the server and its clients, it is difficult to determine who owns and operates a hidden website and who visits it. This is where the more interesting part of the story comes into play. Not only did the FBI seize Freedom Hosting, it also loaded malicious JavaScript onto the hosted sites in an attempt to identify visiting clients:

Attackers exploited a recently patched vulnerability in the Firefox browser to uncloak users of the Tor anonymity service, and the attack code is now publicly circulating online. While the exploit was most likely designed to identify people alleged to have frequented a child porn forum recently targeted by the FBI, anonymity advocates say the code could be used against almost any Tor user.

A piece of malicious JavaScript was found embedded in webpages delivered by Freedom Hosting, a provider of “hidden services” that are available only to people surfing anonymously through Tor. The attack code exploited a memory-management vulnerability, forcing Firefox to send a unique identifier to a third-party server using a public IP address that can be linked back to the person’s ISP. The exploit contained several hallmarks of professional malware development, including “heap spraying” techniques to bypass Windows security protections and the loading of executable code that prompted compromised machines to send the identifying information to a server located in Virginia, according to an analysis by researcher Vlad Tsyrklevich.

According to the Tor mailing list the vulnerability used was specific to older versions of Firefox 17, the release the Tor Browser Bundle is based on, and had already been patched; users running the latest version of the Tor Browser Bundle were not affected. Compounding the problem, at some point in the Tor Browser Bundle’s history the developers decided to enable JavaScript by default, where previously it had been disabled by default. This exploit demonstrates why it’s important to run the latest version of your browser software and why JavaScript, executed automatically from every site you visit, is in general a dangerous thing.

The exploit has been reported to phone home to an Internet Protocol (IP) address owned by the National Security Agency (NSA), adding further credence to the belief that the malicious JavaScript was inserted by an agency of the United States government to unmask Tor users.
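The detail that matters for defenders in the passages above is not the browser bug itself but what the payload did afterwards: it made the browser open a direct connection to a public IP address, outside Tor, and that connection is what revealed the user. On a machine running the Tor Browser Bundle the browser process should never talk to anything except the local Tor SOCKS port, so a direct connection from it to any other address is a deanonymization leak regardless of which exploit caused it. The following script is an added example, not code from the original post or from the Tor project: it parses socket records in the format of Linux `ss -tnp` output and flags browser connections that bypass Tor. The socket lines are constructed for the example, the remote address is from the RFC 5737 documentation range rather than the real server, and the SOCKS port 9150 is assumed to be the bundle's default (adjust it to your torrc).

```python
"""Flag Tor Browser connections that bypass the local Tor SOCKS proxy.

Added example: the Freedom Hosting payload made Firefox contact a public
IP directly, outside Tor.  A Tor Browser host should only ever see the
browser process talk to the local Tor SOCKS port; anything else is a leak.
"""
import ipaddress
import re
from typing import Dict, List

# Assumption: Tor Browser Bundle's bundled tor listens here (default SocksPort).
TOR_SOCKS = ("127.0.0.1", 9150)
BROWSER_PROCS = {"firefox", "firefox-bin"}

# Constructed sample in `ss -tnp` format (not captured from a real incident).
# 203.0.113.10 is an RFC 5737 documentation address standing in for the
# attacker's collection server.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB  0      0      127.0.0.1:51200      127.0.0.1:9150      users:(("firefox",pid=4242,fd=51))
ESTAB  0      0      127.0.0.1:51201      127.0.0.1:9150      users:(("firefox",pid=4242,fd=52))
ESTAB  0      0      10.0.0.23:51377      203.0.113.10:80     users:(("firefox",pid=4242,fd=77))
ESTAB  0      0      10.0.0.23:33100      198.51.100.7:443    users:(("tor",pid=4100,fd=12))
"""

# One `ss -tnp` data line: state, queues, local addr:port, peer addr:port,
# then the owning process.  IPv6 peers appear as [::1]:9150, hence the strip().
SS_LINE = re.compile(
    r'^\S+\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+'
    r'(?P<raddr>\S+):(?P<rport>\d+)\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_ss(text: str) -> List[Dict]:
    """Turn `ss -tnp` output into records; header/unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue
        records.append({
            "proc": m["proc"],
            "pid": int(m["pid"]),
            "raddr": m["raddr"].strip("[]"),
            "rport": int(m["rport"]),
        })
    return records


def find_leaks(records: List[Dict]) -> List[Dict]:
    """Return browser connections whose peer is not the Tor SOCKS port.

    The tor daemon itself is expected to reach the public Internet, so its
    sockets are ignored; only the browser process is held to the policy.
    """
    leaks = []
    for r in records:
        if r["proc"] not in BROWSER_PROCS:
            continue
        if (r["raddr"], r["rport"]) == TOR_SOCKS:
            continue
        peer = ipaddress.ip_address(r["raddr"])
        # A non-loopback peer means the browser spoke to the network directly,
        # which is exactly how the Freedom Hosting payload identified users.
        leaks.append({**r, "peer_is_loopback": peer.is_loopback})
    return leaks


def report(text: str) -> List[str]:
    """Human-readable alert lines for each leak found in `ss -tnp` output."""
    lines = []
    for leak in find_leaks(parse_ss(text)):
        where = "loopback" if leak["peer_is_loopback"] else "DIRECT (outside Tor)"
        lines.append(
            f"LEAK: {leak['proc']} pid={leak['pid']} -> "
            f"{leak['raddr']}:{leak['rport']} [{where}]"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SS_OUTPUT):
        print(line)
```

On the constructed sample the two SOCKS connections and the tor daemon's own outbound socket pass, and the single direct connection from the browser to port 80 on a public address is flagged. Observing this after the fact is the minimum; on Linux the same policy can be enforced with an iptables owner-match rule (`-m owner --uid-owner`) that allows only the uid running tor to leave the host, so a compromised browser has no clearnet path to phone home over in the first place.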

From a technical standpoint this is an intriguing case. The FBI is beginning to adapt to hidden services. It has found a weak point, known providers of location hidden service hosting, and is using browser exploits in an attempt to locate anonymous users. It will be interesting to see what comes of this case.