December 1, 2016 By Larry Loeb 2 min read

It has been a rough week for privacy-focused web browser Tor, or The Onion Router. Its underlying software was affected by browser malware, and cybercriminals were found to be hiding ransomware on the Tor network.

On Tuesday, the Tor mailing list reported the existence of a zero-day Firefox exploit that had been seen in the wild. While the researchers have yet to determine its exact function, they reported that the exploit had gained access to VirtualAlloc in kernel32.dll.

Fighting Fire With Firefox

Dan Guido of security firm Trail of Bits took a closer look at the code provided to the list. He found that it was a standard use-after-free exploit, not a heap overflow as some had surmised. He also discovered that it affected the scalable vector graphics (SVG) parser in Firefox. Since the Tor browser is built upon Firefox, any problem with Firefox is a problem for Tor.

“This type of exploit is much harder to write in Chrome and Edge due to memory partitioning, an exploit mitigation that Firefox lacks,” Guido said on Twitter, adding that he believed the creator wrote the exploit from scratch. Another researcher, meanwhile, noted that the payload delivered by the exploit was almost the same as the one the FBI used in 2013 to track child pornographers.

In the Tor newsletter, Roger Dingledine wrote that the Mozilla security team had located the bug and was working on a patch, which was later delivered to users. According to SecurityWeek, users can also prevent many websites from exhibiting their full functionality by disabling JavaScript.

How Browser Malware Works

Making matters more dicey, Cisco Talos researchers also noted that a new variant of Cerber ransomware was using redirections via Google and a Tor2Web proxy service to evade detection and mitigation. It did so by trying to hide the command-and-control (C&C) servers involved in the scheme.

Threatpost reported that the phishing emails designed to trigger the start of the infection process contained hyperlinks, not attachments. These links are disguised as files that would be attractive to victims, such as pictures and order details.

The specific URL to which the hyperlink resolves uses Google redirection, which redirects the victim to the malicious payload hosted on the Tor network. But how do the fraudsters get the victim onto the Dark Web without a Tor browser being present? That’s where the Tor2Web proxy service comes in.

Once fully redirected and connected, a Microsoft Word document is downloaded. It has a malicious macro attached to it that downloads the Cerber ransomware. Talos advised that organizations should block all Tor2Web and Tor traffic unless there is a specific and very important need for such services.

Ars Technica reported that Mozilla and Tor worked together to create an emergency patch for the zero-day vulnerability, but some damage may have already been done. Both episodes are black eyes for Tor. The community values its privacy, and any criminal enterprise using Tor to carry out its schemes only brings unwanted attention.

More from

DHS awards significant grant to improve tribal cybersecurity

4 min read - The Department of Homeland Security (DHS) has awarded $18.2 million in grants through the Tribal Cybersecurity Grant Program to boost cybersecurity defenses among Native American Indian Tribes. The program takes a big step in addressing the unique digital threats faced by tribal communities — a dedicated effort to improve cybersecurity infrastructure across these regions. The $18.2 million grant is just one component of DHS's broader strategy to enhance national cybersecurity. Administered by the Federal Emergency Management Agency (FEMA) in partnership…

ChatGPT 4 can exploit 87% of one-day vulnerabilities: Is it really that impressive?

2 min read - After reading about the recent cybersecurity research by Richard Fang, Rohan Bindu, Akul Gupta and Daniel Kang, I had questions. While initially impressed that ChatGPT 4 can exploit the vast majority of one-day vulnerabilities, I started thinking about what the results really mean in the grand scheme of cybersecurity. Most importantly, I wondered how a human cybersecurity professional’s results for the same tasks would compare.To get some answers, I talked with Shanchieh Yang, Director of Research at the Rochester Institute…

ONCD releases request for information: Open-source software security

3 min read - Open-source software is a collective partnership across the development community that requires both private and public buy-in. However, securing open-source software can be tricky. With so many different people working on the coding, security measures are often overlooked, increasing the chances that a vulnerability will fall through the cracks and be exploited. The Open-Source Software Security Initiative (OS31) aims to provide governance over open-source security processes. After the Log4Shell vulnerability, securing open-source software became a top priority for the federal…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today