Dark net sites fall, compromised, after child porn arrest

Updated: Irish authorities have arrested a 28 year-old man dubbed by the FBI as the "largest facilitator of child porn on the planet" and widely suspected of running the most popular hosting service underpinning the darknet.

Eric Eoin Marques was currently held in Ireland on foot of an extradition request by the FBI under which he faced four charges relating to alleged child pornography offences with a total of 30 years jail.

His arrest Saturday coincides with mass outages across the darknet affecting popular services like Tor Mail, HackBB and the Hidden Wiki which were run on Freedom Hosting, a company largely suspected to be operated by Marques.

Those websites and others on the darknet offered a higher degree of anonymity to users and server administrators than other sites on the public web as they were accessible only via the Tor routing service.

Prior to Marques arrest, a new JavaScript exploit (posted to Pastebin) targeting Mozilla FireFox version 17 – which was contained in a recent Tor Browser Bundle  – appeared on some Freedom Hosting darknet sites including Tormail.

The exploit, under investigation by Reddit users, Tor developers, and Mozilla, appeared only to attempt to reveal the identities of Tor users visiting Freedom Hosting sites by way of an iframe script that quietly generated a universally unique identifier and redirected users to a Verizon Business IP address located near Washington DC.

The discovery of the exploit days before Marques' arrest fueled suspicions that the attack was orchestrated by US authorities in a bid to identify users of Freedom Host child pornography sites.

One of the earliest accounts of the exploit came from an administrator of the infamous 4Pedo forum who warned users that "unknown JavaScript" had been inserted across Freedom Hosting darknet sites including popular email service Tormail.

The exploit targeted FireFox vulnerability (MFSA 2013-53) that was patched in the latest versions of Firefox including Firefox Extended Support, Mozilla security lead Daniel Veditz (@dveditz) said.

"Since this attack was found on Tor hidden services presumably that is because the Tor Browser Bundle is based on Firefox ESR-17. Users running the most recent TBB have all the fixes that were applied to Firefox ESR 17.0.7 and were also not at risk from this attack," he said.

TOR Browser 0day in the wild exploits a use-after-free in JavaScript module & bypasses ASLR with advanced heap manipulation! #Tor #0day #Pwn

— VUPEN Security (@VUPEN) August 4, 2013

While Tor developers continue to work on ways to protect their users, developer Jacob AppleBaum said users should disable JavaScript which is enabled by default for usability purposes.

Freedom Hosting was the most popular hosting service on the Tor network. It came under public spotlight in 2011 after vigilantes aligned with the Anonymous collective warned the service to remove child pornography material residing on its servers and subsequently hacked child pornography site Lolita City and identified its users.

In total some 40 sites linked to child pornography were forced offline in the attacks.