Dr Gareth Owenson's blog

Analysis of the FBI Tor Malware


Background

The Tor network is an anonymising network that allows people to browse the web and access other services without being traced. Part of this network is the so-called ‘darknet’: servers accessible only through Tor which host a variety of services, from forums to e-mail. Whilst many of these services are innocent and aimed at those concerned about human rights abuses, the anonymity naturally attracts those with criminal intent, such as the distribution of child pornography. In those cases it is very difficult for law enforcement agencies to trace the original IP address.

In 2013, a piece of malware was found embedded in Freedom Hosting’s darknet server that would exploit a security hole in a particular web browser and execute code on the user’s computer. This code gathered some information about the user, sent it to a server in Virginia and then crashed – it had none of the obvious malicious intent that is so characteristic of malware. It was therefore theorised that the FBI, who have offices in Virginia and who have ‘form’ for writing malware, may have authored it – this now appears to be true. UPDATE: Confirmed authored by the FBI under the codename EgotisticalGiraffe.