Malware capable of revealing the identification and location of computers anonymously accessing 'hidden' websites in the Tor network is thought to have come from the FBI.

Malware used to identify users of Tor websites is believed to have been created by the FBI. (Credit: Reuters)

The malware was discovered on numerous websites hosted by the notorious Freedom Hosting, which some have claimed is home to the largest collection of child porn images on the web.

The malware, which is claimed to be tracking Tor users, was discovered three days after the arrest of Eric Eoin Marques in Ireland on a US extradition request. The 28-year-old Dublin-based man is accused by the FBI of being "the largest facilitator of child porn on the planet," according to the Irish Times, and allegedly owned and operated Freedom Hosting.

The malicious code exploits a vulnerability in the Firefox web browser, allowing it to look up the victim's MAC address - a unique code used to identify a computer's network or Wi-Fi hardware - and the Windows hostname assigned to that machine.

This information is then sent to an IP address in Reston, Virginia, according to computer programmer Vlad Tsyrklevich, who reverse-engineered the malware. Tsyrklevich continued, telling Wired: "It's pretty clear that it's FBI or it's some other law enforcement agency that's US-based."

Writing on his website, Tsyrklevich argues that the malware comes from a law enforcement agency rather than a malicious hacker because it does not cause any immediate harm to its victims. Malware created by a hacker would seek to cause damage or take control of the victim's computer, but this exploit merely feeds information back to the Virginia IP address.

Tor (The Onion Router) is free software and an open network that lets users browse the internet completely anonymously, leaving no trail of which websites they have visited, what they have said to others, and what they have looked at.

The Tor network is used extensively by journalists and whistle-blowers to communicate in secret. However, it is also home to what has become known as the deep web, a network of anonymous websites using the .onion suffix.

This has become home to many criminals selling drugs and peddling child abuse images.

Freedom Hosting was targeted in 2011 by the Anonymous hacktivist collective, whose members forced the hosting company offline, claiming it was the largest host of child abuse images on the Tor network.

Freedom Hosting's terms and conditions stated that illegal activities were not allowed, but added that it was "not responsible" for its users' actions.

Wired claims that if Tsyrklevich and other researchers are correct, this could be the first sighting of the FBI's 'computer and internet protocol address verifier', or CIPAV, law enforcement spyware first reported by the technology and science magazine in 2007.

The magazine explains: "Court documents and FBI files released under the FOIA have described the CIPAV as software the FBI can deliver through a browser exploit to gather information from the target's machine and send it to an FBI server in Virginia."

Marketed as a tool for those wary of snooping by law enforcement agencies and for journalists who want their research and communication with sources to remain anonymous, Tor also has a reputation for being used to hide illegal activities, such as the distribution of drugs, firearms and child pornography.

The Irish Times reports that US authorities are seeking Marques' extradition on four charges, and that he is charged with distributing, conspiring to distribute, and advertising child pornography.

No way affiliated

The operators of Tor have distanced themselves from the incident, writing in a blog post on 4 August: "The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project Inc, the organisation coordinating the development of the Tor software and research."

With regard to the exploit found in Firefox 17, the Tor Project said: "The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We're investigating these bugs and will fix them if we can."