Dr Gareth Owenson's blog

Analysis of the FBI Tor Malware

Files

Background

Note: this blog post was originally written for the benefit of students who will dissect this shellcode on their course.

The Tor network is an anonymising network that allows people to browse the web and access other services without being traced. As part of this network, there is the so-called ‘darknet’, servers only accessible through Tor which host a variety of services from forums to e-mail. Whilst a few of these services are innocent and aimed at those concerned about Human Rights abuses, the anonymity naturally attracts those with criminal intent, such as the distribution of child pornography. It’s then very difficult for law enforcement agencies to trace the original IP address.

In 2013, a piece of malware was found embedded in Freedom Hosting’s darknet server that would exploit a security hole in a particular web browser and execute code on the user’s computer. This code gathered some information about the user and sent it to a server in Virginia and then crashed – it had no obvious malicious intent that is so characteristic of malware.