The Connection Between Tor Malware And NSA Doesn’t Stand Up To Scrutiny

Researchers from Cryptocloud and Baneki Privacy Labs have admitted previous statements about the connection between recently surfaced Tor malware and the US National Security Agency (NSA) could be wrong.

Earlier this week, the experts claimed that malware responsible for bringing down Freedom Hosting, the biggest service provider on the anonymous Tor network, was hard-coded to send information to the IP address belonging to the NSA.

After much consultation and fact-checking, they have concluded that the attribution of the IP address to the agency might have been “inaccurate”.

Hunting the ‘torsploit’

Tor is a free encrypted network that conceals a user’s location or Internet use from anyone conducting network surveillance or traffic analysis. It hosts a variety of content from forums and secure communication services to things like the Hidden Wiki and the Silk Road.

Freedom Hosting is one of the largest and most known Tor service providers. Last weekend, dozens of Tor websites went down following the arrest of Eric Eoin Marques, believed to be the head of Freedom Hosting. The FBI has accused Marques of facilitating child pornography distribution. If he is extradited to the US, he could spend up to 30 years in prison.

Researchers across the world have been baffled by the attack on the anonymous network that coincided with Marques’ arrest. Several sources suggest he was identified and tracked using a JavaScript exploit in the Tor Browser Bundle, which is based on Firefox 17 browser.

After thorough analysis of the malware, Baneki Privacy Labs and Cryptocloud, like many of their colleagues, came to the conclusion that it was used to collect information and send it to a single IP address (65.222.202.53). They claimed this address was part of a block owned by Science Applications International Corporation (SAIC), a US defence contractor, and directly allocated to the NSA’s Autonomous Systems.

Even though it seemed to make sense in light of the information disclosed by Edward Snowden, it turns out the attribution was wrong. The two companies blame the mistake on their lack of expertise in working with certain IP analytics tools.

“The popular analytics resource domaintools.com uses an old (ca. 1993) method for interpolating individual IP ownership (“assignment” is a better term, really, but it’s a bit clunky). That old method, all evidence suggests, doesn’t give accurate information about the 2 torsploit IPs in question,” wrote the team at Cryptocloud.

The experts also allow the possibility that the DNS records were “cleaned up” in real-time, making it a serious cyberwarfare operation.

“If someone’s managed to do a quick-switch so elegantly as to fool all of us into thinking this inaccurately… well, we’re outgunned and we’d have to admit it. That doesn’t seem likely; more likely, the SAIC connection is simply not an accurate reflection of the individual IP records during the timespan in question. We’ve no problem acknowledging that, and offer our appreciation to the researchers who helped set this item right,” read a statement from Baneki Labs.

“Many questions remain unanswered, presently… more than you can shake a stick at without getting pretty tired of doing the shaking,” added Cryptocloud on its forum.

What do you know about whistleblowers and their tech? Take our quiz!