More information on the malicious software that infected Tor Browser through Freedom Hosting’s servers, which were then seized by law-enforcement: it turns out that infected browsers called home to the NSA. Or, at least, to an IP block permanently assigned to the NSA.
Initial investigations traced the address to defense contractor SAIC, which provides a wide range of information technology and C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance) support to the Department of Defense. The geolocation of the IP address corresponds to an SAIC facility in Arlington, Virginia.
Further analysis using a DNS record tool from Robotex found that the address was actually part of several blocks of IP addresses permanently assigned to the NSA. This immediately spooked the researchers.
“One researcher contacted us and said, ‘Here’s the Robotex info. Forget that you heard it from me,'” a member of Baneki who requested he not be identified told Ars.
The use of a hard-coded IP address traceable back to the NSA is either a strange and epic screw-up on the part of someone associated with the agency (possibly a contractor at SAIC) or an intentional calling card as some analyzing the attack have suggested.
Researchers say Tor-targeted malware phoned home to NSA [Sean Gallagher/Ars Technica]