by syncerr 4697 days ago
Targets Firefox version 17 and lower. This is the version (17.0.7) that you're required to use for Tor on Windows.[1]

It would take a long time to walk through what's being done, and even that isn't likely to be helpful. There's a lot of Array, Int32Array, and ArrayBuffer allocation and retrieval. It's possible one of the larger strings is for injecting code into memory. It doesn't look at the guid stored in the cookie or the query param. If it is a memory injection, your guess is as good as mine.[2]

Just my sense from staring at this for an hour. I know JavaScript, but I'm not a security expert.

  Original iframe w/ ?requestID=<guid>: http://pastebin.com/HcGRQk2N (with HTML)
  content_1.html: <connection reset> (only used for versions of Firefox less than 17)
  content_2.html: http://pastebin.com/7sTk8bgx
  content_2.html?????: http://pastebin.com/t9x4GHr1 (same as content_2.html)
  content_3.html: http://pastebin.com/GGCny4Vb
  error.html: <connection reset> (it's likely meant to fail)
[1] https://www.torproject.org/projects/torbrowser.html.en https://www.mozilla.org/en-US/firefox/organizations/faq/

[2] http://pastebin.com/gVna4pi2 (NB: it gets modified before used)
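The post above describes a script that does a lot of Array, Int32Array and ArrayBuffer allocation and guesses that one of the large strings is being placed into memory. Here is an added example of how an analyst would check that guess dynamically; it is not code from the exploit or from anyone in this thread. It runs a suspect script with ArrayBuffer shadowed by a recording shim, then applies a heuristic for the classic heap-spray shape (many same-sized buffers, each filled with one repeated 32-bit word). The thresholds and both sample scripts are constructed for the example; the spray sample only imitates the allocation pattern described in the post, not the real script.

```javascript
// Added example for this thread, not code from the exploit or from any
// commenter. Dynamic triage of obfuscated exploit JavaScript: run the
// suspect script with ArrayBuffer replaced by a recording shim, then check
// whether the recorded allocations look like a heap spray (many same-sized
// buffers filled with one repeated 32-bit word, the "sled" that precedes a
// payload). Run this only in a throwaway sandbox, never in a real profile.

const RealArrayBuffer = ArrayBuffer;

// Returns a constructor that behaves like ArrayBuffer but appends every
// instance it creates to `sink`.
function makeRecordingArrayBuffer(sink) {
  return new Proxy(RealArrayBuffer, {
    construct(target, args, newTarget) {
      const buf = Reflect.construct(target, args, newTarget);
      sink.push(buf);
      return buf;
    },
  });
}

// Fraction of 32-bit words in `buf` that equal its first word.
function repeatedWordRatio(buf) {
  const words = new Int32Array(buf, 0, buf.byteLength >>> 2);
  if (words.length === 0) return 0;
  let same = 0;
  for (let i = 0; i < words.length; i++) if (words[i] === words[0]) same++;
  return same / words.length;
}

// Heuristic verdict: spray if at least `minCount` buffers share one size of
// at least `minSize` bytes and are at least `minRatio` filled with a single
// repeated word. The thresholds are assumptions chosen for this example.
function looksLikeHeapSpray(buffers, { minCount = 32, minSize = 64 * 1024, minRatio = 0.9 } = {}) {
  const bySize = new Map();
  for (const b of buffers) {
    if (b.byteLength < minSize) continue;
    if (!bySize.has(b.byteLength)) bySize.set(b.byteLength, []);
    bySize.get(b.byteLength).push(b);
  }
  for (const [size, group] of bySize) {
    if (group.length < minCount) continue;
    const sledded = group.filter((b) => repeatedWordRatio(b) >= minRatio);
    if (sledded.length >= minCount) {
      const sled = new Int32Array(sledded[0], 0, 1)[0] >>> 0;
      return { spray: true, size, count: sledded.length, sledWord: '0x' + sled.toString(16) };
    }
  }
  return { spray: false };
}

// Runs untrusted source with ArrayBuffer shadowed by the recording shim.
// new Function keeps the example dependency-free; node's vm module gives a
// stronger isolation boundary for real samples.
function runRecorded(source) {
  const recorded = [];
  const fn = new Function('ArrayBuffer', source);
  fn(makeRecordingArrayBuffer(recorded));
  return recorded;
}

// Constructed sample in the shape the post describes (not the real script):
// 48 buffers of 256 KiB, each filled through an Int32Array with one word.
const SPRAY_SAMPLE = `
  var keep = [];
  for (var i = 0; i < 48; i++) {
    var buf = new ArrayBuffer(0x40000);
    var v = new Int32Array(buf);
    for (var j = 0; j < v.length; j++) v[j] = 0x0c0c0c0c;
    keep.push(buf);
  }
`;

// Constructed benign sample: a few differently sized buffers.
const BENIGN_SAMPLE = `
  var a = new ArrayBuffer(1024), b = new ArrayBuffer(4096);
  new Int32Array(a)[0] = 1; new Int32Array(b)[3] = 2;
`;

function verdictFor(source) {
  return looksLikeHeapSpray(runRecorded(source));
}

console.log(verdictFor(SPRAY_SAMPLE));   // { spray: true, size: 262144, count: 48, sledWord: '0xc0c0c0c' }
console.log(verdictFor(BENIGN_SAMPLE));  // { spray: false }
```

The shim only sees buffers created through the ArrayBuffer constructor; a script that sprays with plain Arrays or long strings needs a different hook, and a spray that varies the sled word per buffer will pass the ratio check, so treat a negative verdict as "not this shape", not as clean.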

2 comments

Here's an annotated version of the code: http://pastebin.mozilla.org/2777139

It includes a hexdump of the shellcode, showing it's building an HTTP request to somewhere. So it's likely identifying Tor users through non-Tor connections.

Based on my poking around, the guid provided is included in the shellcode to be loaded into memory. I'm not sure if it is a Windows-only exploit or not. There is an ID of ws2_32IPHLPAPIPA6 that is also included as part of the shellcode.
Maybe 2 0-days being used? Looks like buffer overflow in Firefox JS + Win32 exploits? I don't do much Win32, so maybe someone else should take a peek.
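The two comments above work from a hexdump of the shellcode and read intent off the strings in it (an HTTP request being built, the names ws2_32 and IPHLPAPI run together). Below is an added example of that first-pass triage as code; it is not the annotated pastebin, the real shellcode, or anything posted in this thread. It decodes a hexdump to bytes, pulls out printable runs, and flags Windows networking DLL names and HTTP request fragments. The hexdump is constructed for the example: it places a "ws2_32IPHLPAPI" run and a request line next to a few filler bytes, and its "%s" placeholder for the ID is an assumption about how such a request might be templated, not a claim about the real payload.

```javascript
// Added example, not the commenter's annotated pastebin or the real
// shellcode. Static first-pass triage of a shellcode hexdump: decode the
// dump to bytes, pull out printable runs, and flag names that reveal
// intent, such as networking DLLs (ws2_32 for sockets, iphlpapi for
// adapter and IP enumeration) and HTTP request fragments.

const NETWORK_DLLS = ['ws2_32', 'iphlpapi', 'wininet', 'winhttp', 'urlmon'];
const HTTP_MARKERS = [/^(GET|POST|HEAD) \//, /^Host: /, /^HTTP\/1\.[01]/];

// Accepts "offset: xx xx xx ... |ascii|" lines (hexdump -C style). The
// ascii gutter after '|' is dropped so its characters are never read as hex.
function parseHexdump(text) {
  const bytes = [];
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\|.*$/, '');
    const m = line.match(/^\s*[0-9a-fA-F]+:?\s+(.*)$/);
    if (!m) continue;
    for (const tok of m[1].trim().split(/\s+/)) {
      if (/^[0-9a-fA-F]{2}$/.test(tok)) bytes.push(parseInt(tok, 16));
    }
  }
  return Uint8Array.from(bytes);
}

// Printable ASCII runs of at least `minLen` bytes, with their offsets.
// Adjacent names without a NUL between them come out as one run, which is
// exactly how "ws2_32IPHLPAPI" would show up.
function extractStrings(bytes, minLen = 4) {
  const out = [];
  let start = -1;
  for (let i = 0; i <= bytes.length; i++) {
    const printable = i < bytes.length && bytes[i] >= 0x20 && bytes[i] <= 0x7e;
    if (printable && start < 0) start = i;
    if (!printable && start >= 0) {
      if (i - start >= minLen) {
        out.push({ offset: start, text: String.fromCharCode(...bytes.subarray(start, i)) });
      }
      start = -1;
    }
  }
  return out;
}

// Summarise what the strings say about the payload's intent.
function triage(dumpText) {
  const strings = extractStrings(parseHexdump(dumpText));
  const dlls = new Set();
  const http = [];
  for (const s of strings) {
    const lower = s.text.toLowerCase();
    for (const d of NETWORK_DLLS) if (lower.includes(d)) dlls.add(d);
    if (HTTP_MARKERS.some((re) => re.test(s.text))) http.push(s.text);
  }
  return { strings: strings.map((s) => s.text), dlls: [...dlls].sort(), http };
}

// Constructed dump for the example, not the real shellcode: a few filler
// bytes, the two DLL names back to back, then a templated request line.
const SAMPLE_DUMP = `
00000000: 31 c0 50 68 77 73 32 5f 33 32 49 50 48 4c 50 41  |1.Phws2_32IPHLPA|
00000010: 50 49 00 47 45 54 20 2f 3f 69 64 3d 25 73 20 48  |PI.GET /?id=%s H|
00000020: 54 54 50 2f 31 2e 31 0d 0a 00                    |TTP/1.1...|
`;

console.log(triage(SAMPLE_DUMP));
// { strings: [ 'Phws2_32IPHLPAPI', 'GET /?id=%s HTTP/1.1' ],
//   dlls: [ 'iphlpapi', 'ws2_32' ],
//   http: [ 'GET /?id=%s HTTP/1.1' ] }
```

A DLL name in a shellcode string only shows that the payload resolves that library at runtime; whether it then talks to the network, and to where, is what the annotated disassembly has to answer. Strings that are built on the stack a dword at a time (pushed as immediates) will not appear as a contiguous run, so an empty result from this pass does not mean the payload has no network intent.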