
Is the U.S. Government Behind “Torsploit”?

Is an exploit targeting Tor users sending identifying information to a server owned by the U.S. Government? (Image: Flickr, http://www.flickr.com/photos/21273106@N00/3735077119/)

August 7: This post has been updated.

There’s a lot of chatter on the Internet about a Firefox security vulnerability that has been used to target users of the Tor Browser Bundle, the most commonly-used way to use the Tor anonymity network. Malware that took advantage of this vulnerability was recently discovered on several prominent “hidden services” — websites accessible only through a secure, anonymous Tor connection. The exploit has been given two nicknames: “Magneto,” a phrase that appears inside the exploit’s JavaScript code (a commonly-used method to name viruses and exploits) and “Torsploit,” a portmanteau of “Tor” and “exploit.”

But whatever it’s called, the malware infects Windows machines running many versions of Tor Browser. The hidden services in question contained an embedded script which could then execute code on an unsuspecting user’s machine. Then, according to the researcher who reverse engineered that code, the malware causes the infected computer to send its hostname, MAC address (hardware ID), and IP address to a server located in Virginia — defeating the anonymization provided by Tor.

A DomainTools utility referred to by Ars Technica and Wired claims that the IP address (65.222.202.54) is allocated to Science Applications International Corporation, a defense technology contractor. The utility attempts to identify the organization responsible for a given block of IP addresses. The tool claims that SAIC is the organization that owns the “C block” containing the IP address coded into the malware (65.222.202.0/24).

(There are actually two IP addresses in question — 65.222.202.53 and 65.222.202.54 — and sources referred to in this post may state the IP address as one or the other. The 65.222.202.53 address is the web server that served the embedded JavaScript which infected machines with the Torsploit malware. Based on the reverse-engineered malware code, the 65.222.202.54 address is the Torsploit command and control server — the one to which it tries to phone home.)

Had it been the early ’90s, the IP address of Torsploit's command and control server would have suggested that it belongs to SAIC, but a change made over the years in how IP addresses are assigned makes it a much less convincing piece of evidence.

Back in the old days — when only a small part of the world used the Internet — IP addresses were distributed to service providers in a “class” system. Class A blocks (255.0.0.0) — for instance, MIT’s 18.0.0.0 — contain 16,777,216 addresses, Class B (255.255.0.0) blocks contain over 65 thousand, and so on. Class D (255.255.255.0) addresses would then represent the local network. Unfortunately, the class system was not scalable and would have eventually limited the number of service providers that could own IP address ranges. So the class system went out the door in 1993 and the Internet Engineering Task Force started using variable-bit “classless” lengths to define networks. Since that change, a large organization, like a telecom company, can own a wide variety of block sizes which wouldn’t fit into the older “A.B.C.D” class model — some that can even span several of the old ranges, such as 65.192.0.1 through 65.223.255.255. A small organization can own a very small block of public IP addresses that would have previously put them in a local network with other organizations — like 72.32.131.212 through 72.32.131.213.

These “major” IP address blocks are assigned either by the Internet Assigned Numbers Authority or by regional registries. The owners of these major blocks (usually telecom companies) can then sell smaller blocks to other organizations or individuals as they see fit. For instance, a company running a handful of servers that need public IP addresses will likely pay its hosting company for a small block of addresses; the hosting company, in turn, likely buys its own, larger CIDR block from an upstream network/telecom provider.

It’s a reasonably well understood and documented system. In many cases, you can query the allocation record of IP addresses by doing a “WHOIS query” on the address. For example, a WHOIS query on the IP address for “www.propublica.org” (72.32.131.212) shows that the address is in a two-address range belonging to ProPublica and that this two-address range is in a larger network belonging to Rackspace Hosting.

But the DomainTools lookup utility mentioned by the press reports relies on the old “class” system. Susan Prosser, Vice President of Industry Relations at DomainTools, confirmed that the DomainTools tool “goes to a Class C level, looking at the first address only.” That means that it simply takes the owner (from WHOIS data) of the first IP in that “C block” (65.222.202.0 through 65.222.202.255) and assumes that this is the owner of the entire block, whether or not the block is actually owned by a single organization. So in Torsploit’s case, SAIC is listed as the “owner” even though — as we’ll see below — different portions of the block are actually assigned to different groups and not operated as one large “C block.”

Prosser recommended that “for any delegation beyond that, it is best to do an IP Whois look up for the reassigned subnets,” which would “return the Net Range of the directly assigned party,” and any information about further reassignments and allocations. Doing a few WHOIS queries of our own, we can take a look at the allocation chain for a few of the IP address blocks in the 65.222.202.0 range. (Click on the IP addresses to see the command and the output that goes along with it.)

| IP Range | Owner | Notes |
|---|---|---|
| 65.222.202.0 - 15 | "SCIENCE APPLICATIONS INT" | This is likely the value that is being picked up by DomainTools as the "owner" of the entire "C block". In reality, SAIC only appears to own the first 16 IP addresses in the 65.222.202.0 block. |
| 65.222.202.16 - 31 | "Old Dominion Internet" | |
| 65.222.202.32 - 47 | "FTS2001/US Government" | FTS2001 likely represents telecom services under the "Federal Telecommunications System" 2000 & 2001 contracts. |
| 65.222.202.48 - 55 | (None) | This range (which contains our addresses in question) appears to have no allocation associated with it other than the large Verizon UUNET65 block. |
| → 65.222.202.53 | "MCI Communications Services, Inc. d/b/a Verizon Business UUNET65" | IP address of the web server which served the Torsploit JavaScript component. |
| → 65.222.202.54 | "MCI Communications Services, Inc. d/b/a Verizon Business UUNET65" | IP address of the reported malware command & control server. |
| 65.222.202.56 - 63 | "UNIVERSAL MACHINE CO OF POTTSTOWN INC" | |
| 65.222.202.64 - 79 | "KITRON" | |
| 65.222.202.80 - 87 | "MORNINGSIDE SPORTS FARM" | |
| 65.222.202.88 - 95 | "MetTel, Inc." | |
| 65.222.202.96 - 103 | "GUIDESTAR" | |
| 65.222.202.104 - 111 | "Walt Disney Company" | |
| 65.222.202.112 - 127 | "Dental Concepts" | |
| 65.222.202.128 - 135 | "GARP RESEARCH & SECURITIES" | |
| 65.222.202.136 - 143 | "ASSURED PACKAGING INC" | |
| 65.222.202.144 - 151 | (None) | This range appears to have no allocation associated with it other than the large Verizon UUNET65 block. |
| 65.222.202.152 - 159 | "CONSCIOUS SECURITY" | |
| 65.222.202.160 - 175 | (None) | This range appears to have no allocation associated with it other than the large Verizon UUNET65 block. |
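As an added illustration (this is not code from this post, from DomainTools, or from any WHOIS tool), the Python script below encodes the reassignment records from the table above as constructed data and contrasts the two attribution methods the post describes: the “first address of the C block” shortcut and a most-specific (longest-prefix) lookup of the kind Prosser recommends. It also shows why CIDR blocks don’t fit the old A.B.C.D class model, using the 65.192.0.0/11 UUNET65 block and ProPublica’s two-address range from earlier in the post. The CIDR prefixes (/11, /28, /29, /31) are my conversions of the ranges quoted in the post, and the function names are my own.

```python
import ipaddress
from typing import List, Optional, Tuple

Allocation = Tuple[ipaddress.IPv4Network, str]

# Constructed data: the WHOIS reassignments from the table in this post,
# converted from "first - last" ranges to CIDR prefixes (16 addresses = /28,
# 8 addresses = /29). The 65.192.0.0/11 entry is the parent UUNET65 block
# (65.192.0.0 - 65.223.255.255) that every address in 65.222.202.0/24 sits in.
# A real investigation would pull these from ARIN WHOIS, not from a literal.
_RAW_RECORDS = [
    ("65.192.0.0/11", "MCI Communications Services, Inc. d/b/a Verizon Business UUNET65"),
    ("65.222.202.0/28", "SCIENCE APPLICATIONS INT"),
    ("65.222.202.16/28", "Old Dominion Internet"),
    ("65.222.202.32/28", "FTS2001/US Government"),
    # 65.222.202.48 - 55: no reassignment record (the web and C&C servers live here)
    ("65.222.202.56/29", "UNIVERSAL MACHINE CO OF POTTSTOWN INC"),
    ("65.222.202.64/28", "KITRON"),
    ("65.222.202.80/29", "MORNINGSIDE SPORTS FARM"),
    ("65.222.202.88/29", "MetTel, Inc."),
    ("65.222.202.96/29", "GUIDESTAR"),
    ("65.222.202.104/29", "Walt Disney Company"),
    ("65.222.202.112/28", "Dental Concepts"),
    ("65.222.202.128/29", "GARP RESEARCH & SECURITIES"),
    ("65.222.202.136/29", "ASSURED PACKAGING INC"),
    # 65.222.202.144 - 151: no reassignment record
    ("65.222.202.152/29", "CONSCIOUS SECURITY"),
    # 65.222.202.160 - 175: no reassignment record
]
ALLOCATIONS: List[Allocation] = [
    (ipaddress.ip_network(cidr), org) for cidr, org in _RAW_RECORDS
]


def allocation_chain(ip: str) -> List[Allocation]:
    """Every record that contains ip, ordered from the largest parent block
    down to the most specific reassignment (longest prefix last)."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, org) for net, org in ALLOCATIONS if addr in net]
    return sorted(matches, key=lambda rec: rec[0].prefixlen)


def most_specific_owner(ip: str) -> Optional[str]:
    """Longest-prefix match: what an IP WHOIS lookup of the reassigned
    subnets answers. Returns None when no record covers ip at all."""
    chain = allocation_chain(ip)
    return chain[-1][1] if chain else None


def class_c_heuristic_owner(ip: str) -> Optional[str]:
    """The shortcut the post describes: take the old-style 'C block' (/24)
    around ip, look up its FIRST address only, and attribute the whole /24
    to whatever that single lookup returns."""
    c_block = ipaddress.ip_network(f"{ip}/24", strict=False)
    return most_specific_owner(str(c_block.network_address))


def c_blocks_spanned(cidr: str) -> float:
    """How many old-style 256-address 'C blocks' a CIDR allocation covers.
    Anything other than 1.0 is a block the A.B.C.D class model cannot
    express: far more than one (a telecom's /11) or a fraction (a /31)."""
    return ipaddress.ip_network(cidr).num_addresses / 256


if __name__ == "__main__":
    for ip in ("65.222.202.54", "65.222.202.53", "65.222.202.40"):
        print(f"{ip}:")
        print(f"  C-block heuristic says: {class_c_heuristic_owner(ip)}")
        print(f"  most specific record:   {most_specific_owner(ip)}")
        for net, org in allocation_chain(ip):
            print(f"    {str(net):22} {org}")
    print("C blocks spanned by 65.192.0.0/11:", c_blocks_spanned("65.192.0.0/11"))
    print("C blocks spanned by 72.32.131.212/31:", c_blocks_spanned("72.32.131.212/31"))
```

Run as written, the script attributes 65.222.202.54 to SAIC under the C-block shortcut but finds only the parent UUNET65 record under the most-specific lookup, which is exactly the gap between the press reports and the table above. The same longest-prefix logic is what you want in any attribution pipeline that ingests WHOIS data: never assume a /24 has one owner, and treat an address whose only covering record is a telecom’s /11 as unattributed.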

Looks like the IP addresses of Torsploit’s servers don’t have any specific records other than the UUNET telco, which is now operated by Verizon Business. But this “block” is a massive range — 65.192.0.0 through 65.223.255.255, comprising some 2,097,152 addresses. That’s a large, nonspecific swath of internet that tells us nothing but that these IPs might use some Verizon Business service, or some client of Verizon Business. Many of the neighboring IP addresses, however, do contain information about network providers or customers — including SAIC and the US Government — that the IP ranges have been allocated to. We’ve asked Verizon Business if there is any further information on any reassignment or allocation regarding the command & control server’s IP address, but have not received a response.

A further rumor reported over Twitter and a cybersecurity message board was that one IP address belonged to the NSA, but this may simply be because the “www.nsa.gov” web servers — 65.196.127.225 and 65.196.127.226 — are in the same huge UUNET65/Verizon Business block. (A WHOIS of those IP addresses shows that they belong to a “LG-TEK” network — 65.196.127.0 through 65.196.127.255 — within the larger UUNET65/Verizon Business block.)

From the available evidence, it seems like it’s jumping the gun to say that the web and command & control servers associated with the exploit are owned by the U.S. government. Here’s all we know for sure:

  1. Verizon Business is the entity responsible for allocating the IP addresses, since they belong to the huge 65.192.0.1 - 65.223.255.255 IP address block that is allocated to them. But without more specific allocation information, that’s no evidence that the IP addresses map to servers on a network that Verizon Business directly controls.
  2. The IP addresses in question are numerically near IP address blocks belonging to SAIC and the U.S. Government.
  3. The IP addresses in question are also numerically near IP address blocks belonging to a variety of businesses, many centered around northern Virginia but with some entries as far as Pennsylvania and California. Because of the way IP addresses are assigned, “numerically near” doesn’t necessarily mean “geographically near.”

Until we know more, reports about the government’s role in the exploit that are based only on IP address data should be taken with a grain of salt.

We’ve left messages with SAIC and Verizon Business and will update this post when we know more.

Update (8/7): Portions of this post have been updated to clarify that both purported IP addresses — 65.222.202.53 and 65.222.202.54 — are linked to Torsploit.

Disclosure: Mike Tigas is the developer of Onion Browser, an iOS web browser that utilizes the Tor anonymity network. He is the 2013 Knight-Mozilla OpenNews Fellow at ProPublica.

Mike Tigas

Mike Tigas was the Lead Product Developer, DevOps and Security at ProPublica. He is also the developer of Tabula, a data extraction tool for PDF files, and Onion Browser, an open source web browser for iOS which uses the Tor anonymity network.
