Did the FBI Use CIPAV Against Tor?

06 August 2013

Following the arrest of Eric Eoin Marques last week, websites hosted as darknet hidden services began to go down. A piece of JavaScript malware was found and posted to the internet. Researchers are now wondering whether this is the first live sample of the FBI's fabled CIPAV malware.

The evidence suggesting that the discovered JavaScript is an instance of CIPAV is so far entirely circumstantial – but enough for Wired to suggest "the code is likely the first sample captured in the wild of the FBI’s 'computer and internet protocol address verifier,' or CIPAV."

The existence of CIPAV has been publicly known for five years, and the FBI has used it for more than ten. EFF obtained a description of its functionality in 2011: it gathers user data including IP addresses, MAC addresses and various other items of information that would assist with “identifying computer users, computer software installed, [and] computer hardware installed”. It is pure spyware.

This fits with the behavior of the malware discovered on the Freedom Hosting websites. On the surface, the attack looks like a traditional drive-by scenario: the compromised web pages host an iframe that loads the JavaScript from an IP address in Virginia.

The payload in the fetched JavaScript is a variable called Magneto, and this is where its behavior diverges from a standard drive-by. A drive-by payload would normally download a back door or rootkit; Magneto does no such thing. "It looks up the victim’s MAC address — a unique hardware identifier for the computer’s network or Wi-Fi card — and the victim’s Windows hostname," reports Wired. "Then it sends it to the Virginia server, outside of Tor, to expose the user’s real IP address, and coded as a standard HTTP web request."

A second piece of circumstantial evidence is the location of the malware's C&C IP address. Researchers have tracked it to a block of IP addresses thought by some to be permanently assigned to the NSA. This has led to suggestions that the NSA is behind the attack – a suggestion that Wired dismisses: "The NSA’s public website is served by the same upstream Verizon network as the Tor malware command-and-control server, but that network handles tons of government agencies and contractors in the Washington DC area." Wired maintains that the FBI remains the prime suspect.

However, one mystery is that the C&C IP is so easily traced within the malware. Ars Technica, which was reporting on the assumed NSA connection, commented, "The use of a hard-coded IP address traceable back to the NSA is either a strange and epic screw-up on the part of someone associated with the agency (possibly a contractor at SAIC) or an intentional calling card." One suggestion has been, "It's psyops – a fear campaign... They want to scare folks off Tor, scare folks off all privacy services."
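The two indicators the article describes, a compromised page that pulls an iframe or script from a bare IP address rather than a hostname, and a C&C address hard-coded as a literal inside the fetched script, are both cheap to check for on the defender's side. The following Python is an added example, not code from the article, from Wired or from the investigation: the sample page markup and script text are constructed for the example, and the address 203.0.113.7 comes from a documentation range, not from the real case.

```python
"""Flag two drive-by indicators in page markup and fetched script text:
(1) an <iframe> or <script> whose src host is a raw IPv4 address, and
(2) IPv4 literals hard-coded in JavaScript (a traceable C&C address).
Sample inputs are constructed for this example and do not reproduce
the Magneto payload."""

import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Candidate dotted quads; octet ranges are validated with ipaddress below,
# so "999.1.1.1" is rejected while "203.0.113.7" is accepted.
IPV4_CANDIDATE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _as_ipv4(text):
    """Return the canonical IPv4 string if text is a valid address, else None."""
    try:
        return str(ipaddress.IPv4Address(text))
    except ValueError:  # AddressValueError is a ValueError subclass
        return None


class _ExternalLoads(HTMLParser):
    """Collect the src of every <iframe> and <script>, the drive-by vectors."""

    def __init__(self):
        super().__init__()
        self.loads = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            src = dict(attrs).get("src")
            if src:
                self.loads.append((tag, src))


def find_raw_ip_loads(html):
    """Return (tag, ip, src) for every iframe/script loaded from a bare IPv4 host."""
    parser = _ExternalLoads()
    parser.feed(html)
    findings = []
    for tag, src in parser.loads:
        host = urlparse(src).hostname  # None for relative URLs
        ip = _as_ipv4(host) if host else None
        if ip:
            findings.append((tag, ip, src))
    return findings


def find_hardcoded_ips(js_text):
    """Return the sorted, de-duplicated valid IPv4 literals found in script text."""
    found = {_as_ipv4(m) for m in IPV4_CANDIDATE.findall(js_text)}
    return sorted(ip for ip in found if ip)


# Constructed sample page: one legitimate relative script, one iframe
# pointing at a bare IP, one iframe pointing at a normal hostname.
SAMPLE_PAGE = """<html><body>
<h1>Site news</h1>
<script src="/static/app.js"></script>
<iframe src="http://203.0.113.7/content/frame.html" width="1" height="1"></iframe>
<iframe src="https://widgets.example.net/embed"></iframe>
</body></html>"""

# Constructed sample script text: a version string (three parts, not an
# address) and a hard-coded server address in a request URL.
SAMPLE_JS = """var ver = "2.0.1";
var img = new Image();
img.src = "http://203.0.113.7/collect?v=" + ver;"""


if __name__ == "__main__":
    for tag, ip, src in find_raw_ip_loads(SAMPLE_PAGE):
        print(f"[page] <{tag}> loads from bare IP {ip}: {src}")
    for ip in find_hardcoded_ips(SAMPLE_JS):
        print(f"[script] hard-coded IPv4 literal: {ip}")
```

Run against saved page markup and the script bodies it pulls in; a hit on either check is a reason to look closer, not proof of compromise, since internal sites do sometimes load assets by address and four-part version strings such as "1.0.0.1" will match the literal scan. Hostnames, including Tor .onion names, are deliberately not flagged, because the point of the check is the unusual choice of a bare, traceable address.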

However, a third possibility is that the authors simply didn't expect the malware to be discovered and analyzed – after all, if it really is CIPAV, then this is the first time in ten years of use that it has actually been discovered. "The code has been used sparingly in the past," writes Wired, "which kept it from leaking out and being analyzed or added to anti-virus databases." Now that it has been found, Wired asks, does this mean the AV companies will analyze it and start detecting CIPAV?
