Some of the most noteworthy malware families were likely considered failures by their authors. Flashback, for instance, turned out to be pretty much worthless for its authors – when you’re trying to stay under the radar of fraud detection, being a huge and almost-overnight success is not so good. Over the weekend, another moment of sketchy code flying into radar range occurred, which may have exposed a component of the US Government’s CIPAV data gathering tool.
In case you’re not keeping a running list of the acronyms and codenames used to describe shadowy government surveillance tools (Is there a single page for this somewhere? That’d be super handy!), CIPAV stands for Computer and Internet Protocol Address Verifier. It was, at least in theory, meant to capture a variety of location data, including MAC and IP addresses.
The existence of the tracking tool first came to light in 2007, in a court filing pertaining to a high school kid who made bomb threats. No samples were available at the time, so AV companies were left to speculate as to whether it would be detected. It’s likely that the tool has been used to a limited extent since at least 2002.
This weekend, a 0-day exploit was found that targets an older version of Firefox that’s used as part of a Tor browser package. This exploit was used to compromise a large number of “hidden services” sites within the Tor network, effectively cutting off a significant chunk of the Tor "onion". These compromised sites contained scripts to download a tracking tool that would identify the MAC address of the user’s machine, and send this information to an IP address in northern Virginia, which would give the receiver the user’s IP address as well.
Because this exploit affected so many different sites, it attracted a lot of attention. It’s unlikely that we will ever know for certain who the real author was. Because the behavior of this script was so different from the usual financial motivation of malware, it seems likely that it was not the work of the usual suspects. And if this is indeed a tracking tool written by the government, there’s probably a lot of scurrying going on right now to significantly rewrite the code so as to get themselves back under criminals’ radar.