On August 4, websites hosted by Freedom Hosting, a provider of anonymous hosting reachable through the Tor network, began serving malicious scripts. This followed media reports from August 3 that US authorities were seeking the extradition of the man believed to run Freedom Hosting.
The scripts take advantage of a Firefox vulnerability that had already been fixed in Firefox 22 and Firefox ESR 17.0.7. The vulnerability was most likely chosen because the Tor Browser Bundle (TBB) is based on Firefox ESR 17, so users running a TBB build that had not yet picked up the fix were exposed. Symantec detects these scripts as Trojan.Malscript!html.
Figure. Attack steps
If the exploit succeeds, the payload reads the MAC address of the network card and the local hostname from the compromised computer and sends them in a plain HTTP request to the IP address 65.222.202.54. An example of that request follows. The Host header carries the local computer name, and the cookie ID value is the MAC address with its separators removed (0019B909D908 is the address 00:19:B9:09:D9:08).
GET /05cea4de-951d-4037-bf8f-f69055b279bb HTTP/1.1
Host: PXE306141
Cookie: ID=0019B909D908
Connection: keep-alive
Accept: */*
Accept-Encoding: gzip
A unique cookie is also left on the system after visiting the website. Together, the MAC address, the local computer name and the cookie let whoever operates the collection server identify the systems involved in this attack: the first three bytes of the MAC address identify the card's manufacturer, and the full address and hostname can be matched against a machine once it is found. If these methods were used by law enforcement, it could potentially allow them to track down the system by tracing who the network card was sold to. There is plenty of speculation about who is doing this and why, but at this time nothing has been confirmed.
Although the Tor network is designed to protect personal privacy by concealing a user's location and activity from traffic analysis and network surveillance, this attack shows that compromising the browser sidesteps those protections entirely: once attacker code runs on the client it can read identifiers from the machine and send them out however it likes, and Tor can only protect what the browser chooses to send through it. Those who use the Tor network can therefore still be tracked down if their browser is out of date.
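As an added example (not code from the original post or from Symantec), the following Python detector shows how the beacon described above can be recognised in proxy or IDS logs. It keys on the three traits of the request quoted in the post: a bare UUID as the request path, a single-label machine name in the Host header instead of a DNS name, and a Cookie ID of exactly 12 hex digits (a MAC address with separators stripped). The destination address 65.222.202.54 is the only indicator taken from the post; the sample log entries, the benign and near-miss requests, and all function names are constructed for this illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Destination address named in the post as the beacon's collection point.
BEACON_DST_IP = "65.222.202.54"

# Traits of the beacon request: UUID path, dot-less hostname, 12-hex-digit cookie ID.
UUID_PATH = re.compile(r"^/[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
BARE_HOSTNAME = re.compile(r"^[A-Za-z0-9_-]{1,63}$")
MAC_COOKIE = re.compile(r"(?:^|;\s*)ID=([0-9A-F]{12})(?:;|$)", re.I)

# Constructed sample log: (destination IP, raw request) pairs as a proxy would record them.
# Entry 0 is the request quoted in the post; 1 is ordinary browsing; 2 is a near miss
# (UUID path and hex cookie, but a real DNS name in Host), which must not be flagged.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("65.222.202.54",
     "GET /05cea4de-951d-4037-bf8f-f69055b279bb HTTP/1.1\r\n"
     "Host: PXE306141\r\nCookie: ID=0019B909D908\r\nConnection: keep-alive\r\n"
     "Accept: */*\r\nAccept-Encoding: gzip\r\n\r\n"),
    ("93.184.216.34",
     "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nCookie: ID=session1234\r\n\r\n"),
    ("198.51.100.7",
     "GET /0b8a1c2d-1111-2222-3333-444455556666 HTTP/1.1\r\n"
     "Host: api.example.net\r\nCookie: ID=ABCDEF123456\r\n\r\n"),
]


def parse_request(raw: str) -> Optional[Dict[str, str]]:
    """Split a raw HTTP/1.x request into request line and headers (names lower-cased).
    Returns None when the request line is malformed."""
    lines = raw.splitlines()
    if not lines:
        return None
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    req = {"method": parts[0], "path": parts[1], "version": parts[2]}
    for line in lines[1:]:
        if not line:
            break  # blank line terminates the header block
        name, sep, value = line.partition(":")
        if sep:
            req[name.strip().lower()] = value.strip()
    return req


def format_mac(hex12: str) -> str:
    """'0019B909D908' -> '00:19:b9:09:d9:08'."""
    h = hex12.lower()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def is_universal_unicast_mac(mac: str) -> bool:
    """True when the multicast (bit 0) and locally-administered (bit 1) flags of the
    first octet are clear, i.e. the address looks vendor-assigned rather than
    randomised or virtual, so its OUI prefix is meaningful for attribution."""
    first_octet = int(mac.split(":")[0], 16)
    return first_octet & 0x03 == 0


def extract_beacon(raw: str) -> Optional[dict]:
    """Return the identifiers carried by a beacon-shaped request, or None if any
    of the three traits is missing (keeps ordinary UUID-path API calls unflagged)."""
    req = parse_request(raw)
    if req is None or req["method"] != "GET" or not UUID_PATH.match(req["path"]):
        return None
    host = req.get("host", "")
    if not BARE_HOSTNAME.match(host):
        return None
    m = MAC_COOKIE.search(req.get("cookie", ""))
    if not m:
        return None
    mac = format_mac(m.group(1))
    return {
        "uuid": req["path"][1:].lower(),
        "hostname": host,
        "mac": mac,
        "oui": mac[:8],  # first three octets: the NIC vendor prefix
        "hw_mac": is_universal_unicast_mac(mac),
    }


def scan(entries: List[Tuple[str, str]]) -> List[dict]:
    """Run extract_beacon over (dst_ip, raw_request) log entries and mark whether
    each hit went to the collection address named in the post."""
    findings = []
    for dst_ip, raw in entries:
        beacon = extract_beacon(raw)
        if beacon is None:
            continue
        beacon["dst_ip"] = dst_ip
        beacon["known_collector"] = dst_ip == BEACON_DST_IP
        findings.append(beacon)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Matching on the request shape rather than only on the destination IP matters because the collection address can change between campaigns, while a bare hostname and a 12-hex-digit cookie sent to a UUID path is an unusual combination for legitimate traffic; the destination match is then an additional, high-confidence indicator rather than the only one.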