The FBI has once again launched its harpoons into the Deep Web, piercing the anonymizing layers of Tor to drag out the identities of two New York men who were indicted earlier this month on charges of possessing child abuse images.
The FBI doesn’t reveal how it bypasses Tor to track down the true IP addresses it’s designed to obscure.
(One exception was when the US government found itself defending the methods with which agents, without a warrant, managed to pull back the curtain and reveal the location of the hidden website for Silk Road.)
Some observers have suggested that court documents hint at the possibility of the FBI having planted a drive-by installation of some kind of malware to unmask the two men who allegedly possessed child porn.
As Motherboard reports, Stanford computer science and law expert Jonathan Mayer spotted a passage that journalist Nate Raymond had uncovered in the filings and which Mayer says confirms that the FBI deployed malware – what’s called a “Network Investigative Technique” in the court filing – to obtain the men’s real IP addresses.
Confirmed: the FBI deployed malware on another seized Tor hidden service. Nice docket sleuthing by @nateraymond. pic.twitter.com/5gtwqPeFbW
— Jonathan Mayer (@jonathanmayer) July 14, 2015
Foiling Tor to pull out the true identities behind the terrorists, paedophiles, gun-runners, drug dealers, sex traffickers and other serious criminals on the Deep Web has picked up steam in the past few years, as has interest in the FBI’s techniques to do it.
But while the FBI used some sort of IP-revealing trick, that doesn’t necessarily mean there’s zombie malware running riot through the world, downloading onto innocent people’s computers.
As Naked Security’s Paul Ducklin points out, the FBI doesn’t necessarily need to install malware to have a good chance of figuring out who or where you really are.
It doesn’t require a drive-by download or a true drive-by-install onto the computers of all visitors to the Dark Web site.
The FBI appears to have enough tools in its kit that agents don’t need to permanently plant something onto your computer.
Rather, a transient, one-shot shellcode payload is sufficient – no persistence needed (that’s a fancy word for software that unexpectedly keeps on running after you reboot, or log out and back in, or even just after you close your browser).
Just a link that ties some anonymous traffic to a specific computer during one specific time slot, paired with whatever other evidence the prosecution presents, would surely be enough to press charges.
While there’s been a lot written about how difficult it is for law enforcement agencies such as the FBI to deal with the Dark Web, the reality is that in the past few years, we’ve seen:
- The Dark Web isn’t necessarily all that tough to map. One researcher, for example, has been making a map, pulled from the places on the normal, indexed internet where users talk about the Dark Web and direct each other to specific hidden sites. Granted, while many parts aren’t all that hard to find or visualise, mapping this land still entails tracking a fast-moving target: some 10% of sites posted on Pastebin are deleted within 48 hours, given that most are set up temporarily by criminals to point to illegal services before quickly being deleted.
- We might be overestimating how many sites are out there. It’s been estimated that the Dark Web only has about 7000 active sites at any one time. How many of those are devoted to images of child abuse? There’s an interesting, though unverified, post on Reddit from an admitted pedophile who says there are very few, in spite of what the media describes as a Deep Web awash in child porn:
Of the hundred or so advertised onion [child porn] sites, only about 5 are imageboards or communities actively trading [child porn]. The rest of the sites are stories, links, and other non [child porn] material. Lack of new material and few onion [child porn] sites the past years made users open to trying the honeypot site to see if a server with new material was made.
- NASA’s mission to explore the universe now includes the Deep Web. It recently joined up with the Defense Advanced Research Projects Agency (DARPA) on its Memex program, which is working to “access and catalog this mysterious online world.” Memex tools were actually used by law enforcement to track down sex traffickers for about a year before Memex was revealed.
- A number of investigations have used undercover police, malware and/or clever technology. One example is Silk Road, once one of the top markets for illicit drugs and other contraband and services. The FBI didn’t foil Tor to get at Silk Road just once, mind you: it took it down multiple times. The site’s reboot, Silk Road 2.0, was taken down after a successful, 6-month attack on Tor.
It matters whether the recent bust involved a so-called watering hole attack, which would have downloaded malware onto the computer of every one of the unnamed site’s 200,000+ visitors, many of whom may well have been innocent when it comes to possessing child porn.
If that’s what the FBI did in fact use, it was not only an impressive feat – given that it was done with only one search warrant – but also a worrisome one from a legal standpoint, given that such a so-called “general warrant” is extraordinarily broad.
But the fact is, we don’t really know how the FBI got the true IP addresses of the men it indicted.
All we know is that it’s got far more than just one way to peel an onion.
Laurence Marks
Hmmm. Naked Security usually publishes the text in images (in Courier font) beneath the images, even when the images themselves are eminently readable.
But today you’ve published an image (from Twitter) that’s unreadable and failed to add the text content. Disappointing…
Anna Brading
Hi Laurence, Sorry to hear you’re disappointed in us. We did link to the passage (https://www.documentcloud.org/documents/2165971-us-v-ferrell-affidavit-in-support-of-search.html#document/p11/a227112) in the paragraph above but we see your point about embedding that tweet with the image attached. It’s a bit long to embed the text from the documents in our article but hopefully the link to the passage helps. Thanks.
roy jones jr
It still boggles the mind that there was sign-off for sites like AshleyMadison or some illegal site getting created online, and that those that concocted the sites thought they wouldn’t be a target.
kobefan2014
Corruption at its finest
Me_Sec_JAJABINX
In the case file document referenced, the last sentence (in the screenshots available) mentions the data that is returned “each time any user or administrator logged into Website A by entering a username and password.”
The curious bit of data returned from the target is “information about whether the NIT had already been delivered to the computer.”
Something must be left on the machine in order for it to return this info, because the document clearly states that this is from the TARGET, not from a DATABASE containing information about the target.
Fat Albert
By now it should be obvious to anyone and EVERYone that the FBI, the NSA, and even Homeland Security have “teamed up” to form what “I” refer to as the international cyber “Superpol!!!” (the Internet’s worldwide super police force). In short, the international community receives at least 3 million dollars YEARLY just for the purpose of fighting cyber crime!!! It don’t matter what you say, what you do, or how ‘clever’ you might be, there’s just no way to fight that kind of well-funded, dedicated effort and super-sophisticated law enforcement technology on a regular beer (working-man’s) budget!!! Now the deep web is not so deep anymore. In fact, it’s like a very clear, very shallow “wading pool!!!!” Yesterday, the Internet was a cool place to get away with questionable behavior. TODAY, the World Wide Web is a STUPID place to misbehave. Child porn people will now have to go back to wearing trench coats and peddling their trash in seedy neighborhoods where there’s still a slight chance of getting away with it. They sure as hell can’t use the INTERNET no more… Praise The Lord.