Tor exit node found patching downloaded binaries with malware
A researcher has spotted a Tor exit node located in Russia which instead of delivering the software requested by users untouched, was adding malicious code to the binaries in question – code that made their computers open a port to send HTTP requests to and receive commands from a remote server.
Security researcher Josh Pitts of Leviathan Security Group has known for a while that binaries can be patched with additional code, whether malicious or not. In fact, he created a tool that can be used to do so and has presented it at this year’s DerbyCon, while also talking about possible MITM attacks aimed at equipping downloaded software with malware.
His recent discovery proved that there are people out there who actively use this method of attack.
“To have the best chance of catching modified binaries in transit over the Internet, I needed as many exit points in as many countries as possible,” he explained how he executed the research. “Using Tor would give me this access, and thus the greatest chance of finding someone conducting this malicious MITM patching activity.”
With the help of a specially written exitmap module, he discovered a malicious Tor exit that was patching binaries almost right away.
“Out of over 1110 exit nodes on the Tor network, this is the only node that I found patching binaries, although this node attempts to patch just about all the binaries that I tested. The node only patched uncompressed PE files,” he noted. “This does not mean that other nodes on the Tor network are not patching binaries; I may not have caught them, or they may be waiting to patch only a small set of binaries.”
The Tor Project has been notified of this, and they have “set the BadExit flag on this relay, so others won’t accidentally run across it.”
“Tor is a wonderful tool for protecting the identity of journalists, their sources, and even regular users around the world; however, anonymity does not guarantee security,” Pitts says, but the thing that worries him the most is attackers using this type of approach to deliver malicious security updates.
There is a solution to this problem: “Companies and developers need to make the conscious decision to host binaries via SSL/TLS, whether or not the binaries are signed,” he pointed out.
And regular users, but especially those in countries opposed to “Internet freedom” should be extra careful when downloading binaries hosted in the clear, and make a point to always check related hashes and signatures to see if they match before executing the binary.