They call it NIT, everyone else calls it spyware

Oct 1, 2015 02:35 GMT

The FBI has been using tracking malware for over a decade now, and when it's not catching school bombers, it uses it to apprehend suspects who like to delight themselves with child pornography.

Their most recent victim is Luis Escobosa, a US citizen living in Staten Island, New York, who, according to FBI documents obtained by The Register, has been using Tor to access, view, and download sexually explicit images depicting children.

The documents reveal an FBI operation in which the Bureau deployed spyware on a Web server that was hosting child pornography images, a server it had previously seized under a court order.

Because the server was hosted on the Dark Web and its logs did not contain any useful evidence to indict other users, the FBI investigation team, instead of shutting down the website and moving on to its next case, decided to put a variant of the Metasploit Decloaking Engine inside the server's Web pages.

The Metasploit kit is a basic NIT (Network Investigative Technique), the "legal" word for what most security experts would call spyware.

Turning on the Flash plugin inside Tor gave away the suspect's true location

The kit, which lay hidden on the site, used a loophole in the Tor browser, which sometimes establishes direct connections when dealing with Flash content instead of routing them through the onion routing protocol.

If you were wondering, the Flash plugin is turned off by default in every Tor Web browser. For precisely this reason, almost any tutorial on how to properly use a Tor browser to browse the Dark Web recommends never activating the Flash plugin.
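The risk described above is a proxy bypass: a plugin opens its own socket to a remote host instead of going through the local Tor SOCKS listener. A defender can spot that from the host's connection table. The script below is an added example and is not part of the article or of any FBI or Tor Project code. It parses lines in the format of `ss -tnp` (Linux socket statistics) and flags established connections owned by the browser or its plugin sandbox whose peer is not the Tor SOCKS port. The SOCKS address `127.0.0.1:9150`, the process names `firefox` and `plugin-container`, and the sample lines themselves are assumptions constructed for the example.

```python
"""
Flag browser connections that bypass the local Tor SOCKS proxy.

Added example, not from the article. Parses `ss -tnp`-style lines and reports
any established TCP connection owned by a browser process whose peer is not
the Tor SOCKS listener. The sample output, PIDs, addresses and process names
below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Tor Browser's bundled Tor listens on 127.0.0.1:9150 by default
# (assumption: adjust if the local Tor is configured differently).
TOR_SOCKS = ("127.0.0.1", 9150)

# Matches the columns of an `ss -tnp` line:
# State Recv-Q Send-Q Local:Port Peer:Port users:(("proc",pid=N,fd=M))
LINE_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+'
    r'(?P<laddr>\S+):(?P<lport>\d+)\s+'
    r'(?P<paddr>\S+):(?P<pport>\d+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


@dataclass(frozen=True)
class Conn:
    proc: str
    pid: int
    state: str
    peer: tuple  # (address, port)


def parse_ss(output: str) -> list:
    """Turn `ss -tnp` text into Conn records; header/unparseable lines are skipped."""
    conns = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header or unrelated line
        conns.append(Conn(m["proc"], int(m["pid"]), m["state"],
                          (m["paddr"], int(m["pport"]))))
    return conns


def proxy_bypasses(conns, browser_procs=("firefox", "plugin-container"),
                   socks=TOR_SOCKS):
    """Return established connections from browser processes (including the
    plugin sandbox) whose peer is anything other than the local Tor SOCKS port."""
    return [c for c in conns
            if c.proc in browser_procs
            and c.state == "ESTAB"
            and c.peer != socks]


# Constructed sample output: two legitimate SOCKS connections, one
# plugin-container socket talking directly to a remote host, and an
# unrelated ssh session that should not be flagged.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
ESTAB  0      0      127.0.0.1:41022      127.0.0.1:9150    users:(("firefox",pid=4242,fd=55))
ESTAB  0      0      127.0.0.1:41026      127.0.0.1:9150    users:(("firefox",pid=4242,fd=61))
ESTAB  0      0      192.0.2.10:50211     198.51.100.7:443  users:(("plugin-container",pid=4301,fd=12))
ESTAB  0      0      192.0.2.10:50300     198.51.100.9:22   users:(("ssh",pid=999,fd=3))
"""

if __name__ == "__main__":
    for c in proxy_bypasses(parse_ss(SAMPLE_SS)):
        print(f"proxy bypass: {c.proc}[{c.pid}] -> {c.peer[0]}:{c.peer[1]}")
```

On a real host the same function can be fed the output of `ss -tnp` directly; the point of the check is that every browser-owned socket should terminate at the SOCKS listener, so a single direct connection from the plugin process is the signal, regardless of where it goes. Hardened Tor setups such as transparent-proxy gateways enforce the same rule with firewall policy rather than after-the-fact inspection.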

In his search for child imagery, Mr. Escobosa downloaded the NIT as a Flash file from the FBI-seized server; the file exploited this vulnerability and revealed the suspect's real location despite his use of Tor to hide his identity. This tells us that the site contained videos as well, and not just images, since Mr. Escobosa had to manually activate his Flash plugin.

The FBI quickly obtained his location from his ISP, raided his house, and seized his computer. In his Tor browser's cache, the FBI agents also found image thumbnails from the seized website. This is also strange, since the Tor browser is supposed to wipe all browsing history and associated files.

The FBI also subjected Mr. Escobosa to a lie detector test to find out if he ever engaged in physical acts with a child. He passed and is now free on bail for a $150,000 / €134,350 bond.