The evidence suggesting that the discovered JavaScript is an instance of CIPAV is so far entirely circumstantial – but enough for Wired to suggest "the code is likely the first sample captured in the wild of the FBI’s 'computer and internet protocol address verifier,' or CIPAV."
The existence of CIPAV has been known for five years, and its use by the FBI for more than ten. EFF obtained a description of its functionality in 2011 – it gathers user data including IP addresses, MAC addresses and other information that would assist with “identifying computer users, computer software installed, [and] computer hardware installed”. It is pure spyware.
This fits with the behavior of the malware discovered on the Freedom Hosting websites. On the surface, the attack looks like a traditional drive-by scenario. The compromised web pages host an iframe that fetches the JavaScript from an IP address in Virginia.
The payload in the fetched JavaScript is a variable called Magneto; but this is where its behavior diverges from a standard drive-by. The payload would normally download a back door or rootkit. Magneto does no such thing. "It looks up the victim’s MAC address — a unique hardware identifier for the computer’s network or Wi-Fi card — and the victim’s Windows hostname," reports Wired. "Then it sends it to the Virginia server, outside of Tor, to expose the user’s real IP address, and coded as a standard HTTP web request."
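Detection logic for the exfiltration pattern Wired describes (a Tor Browser process sending a MAC address and hostname straight to a hard-coded IP over plain HTTP, bypassing Tor), written here as an added Python example that is not from the article or from the analyzed malware; the egress log format, the process name and the local Tor SOCKS port are assumptions, and the log lines are constructed.

```python
import re

# Assumptions (not from the article): Tor Browser's Firefox process name and the
# local SOCKS proxy it must route every connection through. Adjust per deployment.
TOR_PROCESSES = {"firefox.exe"}
TOR_PROXY = ("127.0.0.1", 9150)

MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed egress log from a hypothetical host-based monitor, one request per
# line: pid process dst_ip dst_port method target host_header
SAMPLE_LOG = """\
1234 firefox.exe 127.0.0.1 9150 CONNECT onionsite.example:80 -
1234 firefox.exe 203.0.113.10 80 GET /?host=WIN-PC01&mac=00:1a:2b:3c:4d:5e 203.0.113.10
4321 chrome.exe 198.51.100.7 443 CONNECT updates.example:443 updates.example
1234 firefox.exe 127.0.0.1 9150 CONNECT onionsite.example:443 -
"""

def parse_line(line):
    pid, proc, ip, port, method, target, host = line.split(maxsplit=6)
    return {"pid": int(pid), "proc": proc, "dst": (ip, int(port)),
            "method": method, "target": target, "host": host}

def find_deanonymization_attempts(log_text):
    """Flag requests from a Tor Browser process that show the Magneto pattern:
    leaving the host without passing through the Tor proxy, carrying a MAC
    address in the request, and addressed to a bare IP literal."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        req = parse_line(raw)
        if req["proc"] not in TOR_PROCESSES or req["dst"] == TOR_PROXY:
            continue  # non-Tor software, or correctly routed through Tor
        reasons = ["bypasses Tor proxy"]
        if MAC_RE.search(req["target"]):
            reasons.append("carries MAC address")
        if IPV4_RE.match(req["host"]):
            reasons.append("hard-coded IP destination")
        findings.append({"pid": req["pid"], "dst": req["dst"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in find_deanonymization_attempts(SAMPLE_LOG):
        print(finding)
```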
A second piece of circumstantial evidence is the location of the malware's C&C IP address. Researchers have tracked it to a block of IP addresses thought by some to be permanently assigned to the NSA. This has led to suggestions that the NSA is behind the attack – a suggestion that Wired dismisses. "The NSA’s public website, NSA.gov, is served by the same upstream Verizon network as the Tor malware command-and-control server, but that network handles tons of government agencies and contractors in the Washington DC area." Wired maintains that the FBI remains the prime suspect.
However, one mystery is that the C&C IP is so easily traced within the malware. Ars Technica, which was reporting on the assumed NSA connection, commented, "The use of a hard-coded IP address traceable back to the NSA is either a strange and epic screw-up on the part of someone associated with the agency (possibly a contractor at SAIC) or an intentional calling card." One suggestion has been, "It's psyops – a fear campaign... They want to scare folks off Tor, scare folks off all privacy services."
There is, however, a third possibility: the authors simply didn't expect the malware to be discovered and analyzed – after all, if it really is CIPAV, then this is the first time in ten years of use that it has actually been discovered. "The code has been used sparingly in the past," writes Wired, "which kept it from leaking out and being analyzed or added to anti-virus databases." Now that it has been found, asks Wired, does it mean that the AV companies will analyze it and start detecting CIPAV?