Drive-by web nasty unmasks Tor Browser users, Mozilla dashes to patch zero-day vuln

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
SVG, JavaScript smuggles malicious payload into PCs

Mozilla is scrambling to patch a vulnerability in Firefox that is apparently being exploited in the wild to unmask Tor Browser users.

Earlier today, a small package of SVG, JavaScript and x86 code popped up on a Tor mailing list that, when opened by Firefox or Tor Browser on a Windows PC, phones home to a remote server and leaks the user's MAC address, hostname and potentially their public IP address. Typically, this exploit would be embedded in a webpage and leap into action when opened by an unsuspecting visitor.

Tor Browser is a repackaged version of Firefox that runs connections through the anonymizing Tor network; it's supposed to hide your public IP address, and the exploit is designed to leak that potentially identifying information to persons unknown.

The exploit was posted by an anonymous user of the Sigaint dark web email service. That mailing list message said the flaw is being used right now against Tor Browser folks.

"This is a JavaScript exploit actively used against Tor Browser now," the author wrote.

"It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to VirtualAlloc in kernel32.dll and goes from there."

The exploit was lobbed at Mozilla's security team, which has studied the code and located the programming bug attacked by the JavaScript and SVG. It is working on a patch, Tor Project lead Roger Dingledine said.

"So it sounds like the immediate next step is that Mozilla finishes their patch for it then … a quick Tor Browser update and somewhere in there people will look at the bug and see whether they think it really does apply to Tor Browser," Dingledine noted.

Early analysis reveals the payload has striking similarities to a separate Tor Browser spying tool that emerged in 2013. According to reverse-engineering efforts, it appears once this latest x86 code injected by the JavaScript is running within the browser, it phones home to 5.39.27.226 on port 80 and sends over the machine's information.

Whatever was behind that IP address is no longer responding to connections; it appears to have belonged to an OVH-hosted virtual machine. The 2013 payload was used by the FBI to decloak Tor-protected suspected criminals.
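A defender-side check for the behaviour the article describes (an added example, not code from the article, Mozilla or the Tor Project): Tor Browser's own firefox.exe should only ever talk to the local Tor SOCKS listener, so a direct network connection from it, and a connection by any process to the quoted 5.39.27.226:80 callback, are both worth an alert. Assumptions: the bundled tor listens on 127.0.0.1:9150, the log format, hostnames and install paths are constructed, and the hypothetical heuristic recognises Tor Browser by its install directory.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Callback destination quoted in the article (IP and port as stated there).
C2_INDICATOR = ("5.39.27.226", 80)
# Assumption: Tor Browser's bundled tor exposes its SOCKS listener on 127.0.0.1:9150.
TOR_SOCKS = ("127.0.0.1", 9150)

# Constructed, Sysmon-style network event format (hypothetical, not real telemetry):
#   <timestamp> host=<name> image=<path-without-spaces> dst=<ip>:<port>
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>\S+) "
                    r"dst=(?P<ip>[\d.]+):(?P<port>\d+)$")

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the event fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_tor_browser(image: str) -> bool:
    """Hypothetical heuristic: firefox.exe living under a Tor Browser install directory."""
    low = image.lower()
    return low.endswith("\\firefox.exe") and "\\torbrowser\\" in low

def classify(ev: Dict[str, str]) -> Optional[str]:
    """Verdict for one event: known callback, proxy bypass, or None (benign)."""
    dst = (ev["ip"], int(ev["port"]))
    if dst == C2_INDICATOR:
        return "known-c2-callback"  # any process reaching the quoted indicator
    if (is_tor_browser(ev["image"]) and dst != TOR_SOCKS
            and not ipaddress.ip_address(ev["ip"]).is_loopback):
        return "tor-proxy-bypass"   # browser went to the network itself: real IP exposed
    return None

def scan(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, host, destination, verdict) for every suspicious event."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        verdict = classify(ev) if ev else None
        if verdict:
            hits.append((ev["ts"], ev["host"], f'{ev["ip"]}:{ev["port"]}', verdict))
    return hits

SAMPLE_LOG = [  # constructed events; WS01/WS02 run Tor Browser, WS03 runs plain Firefox
    r"2016-11-30T10:00:01Z host=WS01 image=C:\TorBrowser\Browser\firefox.exe dst=127.0.0.1:9150",
    r"2016-11-30T10:00:02Z host=WS01 image=C:\TorBrowser\Browser\TorBrowser\Tor\tor.exe dst=198.51.100.7:443",
    r"2016-11-30T10:00:03Z host=WS01 image=C:\TorBrowser\Browser\firefox.exe dst=5.39.27.226:80",
    r"2016-11-30T10:00:04Z host=WS02 image=C:\TorBrowser\Browser\firefox.exe dst=203.0.113.9:80",
    r"2016-11-30T10:00:05Z host=WS03 image=C:\Mozilla\firefox.exe dst=203.0.113.9:443",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The tor.exe connection to a guard and plain Firefox's direct egress are left alone; only the browser process of a Tor Browser install going straight to the network, or anything reaching the quoted indicator, is reported.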

Tony Cole

Level 27
Verified
May 11, 2014
1,639
Why report it to Firefox? We need a way to hack Tor; it's a terrible place that allows criminals to carry out the most disgusting crimes and be hidden and immune from security services.
 

Janl1992l

Level 14
Verified
Well-known
Feb 14, 2016
648
Why report it to Firefox? We need a way to hack Tor; it's a terrible place that allows criminals to carry out the most disgusting crimes and be hidden and immune from security services.
Uhm, what? I use Tor myself, and by no means am I a criminal! Your statement is ridiculous. There should be ways available to be untrackable on the web, so that no "security services" can spy on you like they do almost your whole life and know everything, like the good old SS. You should support projects like Tor as much as you can. Tor is not only there for criminals. Sure, criminals use Tor, but is it the fault of Tor? No, it is not; it's the fault of the humans and the system we live in.
 

Tony Cole

Level 27
Verified
May 11, 2014
1,639
If you look at the criminal activity on Tor, you will see that in China and Japan people can watch bodies being mutilated, people having sex with dead bodies and children being raped. I'm sorry, places like that should NOT exist, whether you are a normal person or a criminal. Tor enabled (my friend worked on the case) guys from Bristol who raped children, their own family, to put it on Tor and allow people to watch, in real time, children as young as 3 years old. If they had not been caught it would still be going on; £12,500 to watch that.
 
