There is an exit node set up on the Tor anonymity network that can maliciously modify the files that go through it.
Josh Pitts, a researcher with the Leviathan Security Group, has been analyzing ways to alter binary files during download with the aid of man-in-the-middle (MitM) attacks.
Cybercriminals have most likely used techniques similar to the one he disclosed, but he had only circumstantial evidence, he said in a presentation at the DerbyCon security conference.
Along those lines, Pitts developed a module for Exitmap, a Python-based tool that allows users to check Tor exit nodes for traffic modifications. One hour after he started running the tool, Pitts found a “very active” Russian exit node wrapping binary files that passed through it with malware.
By wrapping the legitimate file with their malicious binary, the attackers can bypass mechanisms designed to check the file’s integrity.
“Out of over 1110 exit nodes on the Tor network, this is the only node that I found patching binaries, although this node attempts to patch just about all the binaries that I tested,” Pitts said in a blog post. “The node only patched uncompressed PE files. This does not mean that other nodes on the Tor network are not patching binaries; I may not have caught them, or they may be waiting to patch only a small set of binaries.”
The exit node was reported to the Tor Project.
“Companies and developers need to make the conscious decision to host binaries via SSL/TLS, whether or not the binaries are signed. All people, but especially those in countries hostile to ‘Internet freedom,’ as well as those using Tor anywhere, should be wary of downloading binaries hosted in the clear — and all users should have a way of checking hashes and signatures out of band prior to executing the binary,” Pitts said.
Tor Project Leader Roger Dingledine said they have set the “BadExit” flag on the offending relay to protect users.
“We certainly do need more people thinking about more modules for the exitmap scanner. In general, it seems like a tough arms race to play and as you say, the better approach is to have applications not blindly trust unauthenticated bits they get from the Internet,” Dingledine wrote in a comment addressed to Pitts.
Before finding solid proof that someone was actually “patching” files, Pitts analyzed the error messages that such tampering can trigger.
Some software developers sign their files so that any tampering can be detected. In the case of Windows, if someone tries to modify Windows Update PE files, the update process triggers an error and the components do not install, because of a verification mechanism implemented by Microsoft. Pitts said the same error appears if the file is truncated during download.
Those who encounter this issue are in some cases advised by Microsoft to download patches, or so-called “FixIt” solutions, that should address the problem.
Pitts believes this could be leveraged by someone adding malware to files as users download them.
If the attacker can attach malware to these patches, he doesn’t have to worry about the malicious file being flagged, because it is downloaded and executed directly by the user and never goes through the update process that verifies files. Furthermore, the malicious payload would run with administrator privileges, because that is how official Microsoft patches are executed.
Another piece of evidence that led the researcher to believe someone could be altering files using methods similar to the one he described relates to NSIS (Nullsoft Scriptable Install System), a professional open source system for creating Windows installers.
NSIS includes a self-checking mechanism to detect whether installers built with it have been altered. By analyzing the error code displayed when a corrupt file is detected, Pitts found that users had searched for it on Google. While in most cases the error was likely triggered by truncation of the binary during download over a poor Internet connection, there is also the possibility that some of the files were maliciously altered by cybercriminals, he said.
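The checks described above, both Pitts’ advice to verify hashes out of band before executing a download and the observation that a truncated download and a patched one can produce the same integrity error, are illustrated in the following added example. It is not Exitmap, Pitts’ code, or anything from the Tor Project; it assumes the vendor publishes a SHA-256 hash and file length out of band (a hypothetical manifest), reads the PE section table to tell a cut-off download from an in-place patch or a wrapper, and includes an Exitmap-style byte comparison of a reference copy against a copy fetched through a path under test. The PE builder constructs a minimal sample layout for demonstration only.

```python
import hashlib
import struct

# Added example (not Exitmap, not Pitts' or the Tor Project's code). It models
# the defender-side checks the article recommends: compare a downloaded binary
# against an out-of-band hash and size, and tell a truncated download apart
# from a patched or wrapped one by reading the PE section table. The PE builder
# below constructs a minimal sample image for demonstration only; it is not a
# runnable executable.

SECTION_HDR_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_pe_extent(data: bytes) -> int:
    """Smallest file size consistent with the PE headers: the end of the
    section table or the end of the last section's raw data, whichever is
    larger. Raises ValueError/struct.error if the headers are unreadable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    extent = table + 40 * num_sections
    for i in range(num_sections):
        size_raw, ptr_raw = struct.unpack_from("<II", data, table + 40 * i + 16)
        extent = max(extent, ptr_raw + size_raw)
    return extent


def classify_download(data: bytes, expected_sha256: str, expected_len: int) -> str:
    """Compare a fetched file against a hash and length obtained out of band
    (a hypothetical vendor manifest; assumption of this example)."""
    if len(data) == expected_len and sha256_hex(data) == expected_sha256:
        return "ok"
    try:
        extent = parse_pe_extent(data)
    except (ValueError, struct.error):
        extent = None  # headers themselves cut off, or not a PE at all
    if len(data) < expected_len and (extent is None or extent > len(data)):
        return "truncated"          # the benign case behind many integrity errors
    if len(data) > expected_len:
        return "modified-grew"      # e.g. a wrapper around the original file
    if len(data) == expected_len:
        return "modified-in-place"  # same size, bytes patched
    return "modified-replaced"      # shorter, yet an internally consistent PE


def diff_ranges(reference: bytes, fetched: bytes):
    """Exitmap-style comparison: byte ranges [start, end) where a copy fetched
    through the path under test differs from a reference copy fetched directly."""
    ranges, start = [], None
    n = max(len(reference), len(fetched))
    for i in range(n + 1):
        a = reference[i] if i < len(reference) else None
        b = fetched[i] if i < len(fetched) else None
        differs = i < n and a != b
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            ranges.append((start, i))
            start = None
    return ranges


def build_minimal_pe(section_payload: bytes) -> bytes:
    """Constructed sample: one-section PE32 layout with a zeroed optional header."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew -> PE signature at 64
    opt = bytes(224)                               # PE32 optional header size
    coff = struct.pack(COFF_HDR_FMT, 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    ptr_raw = 64 + 4 + 20 + len(opt) + 40          # raw data right after the table
    section = struct.pack(SECTION_HDR_FMT, b".text", len(section_payload), 0x1000,
                          len(section_payload), ptr_raw, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + opt + section + section_payload


if __name__ == "__main__":
    good = build_minimal_pe(b"\x90" * 32)
    manifest = (sha256_hex(good), len(good))   # what a vendor would publish out of band
    for label, sample in [("intact", good), ("cut short", good[:200]),
                          ("wrapped", b"STUB" + good), ("patched", good[:-1] + b"\xcc")]:
        print(label, "->", classify_download(sample, *manifest))
    print("diff ranges:", diff_ranges(good, good[:-1] + b"\xcc"))
```

The size check is what separates the two explanations for the NSIS and Windows Update errors: a download cut short ends before the last section's raw data, whereas a wrapped binary is larger than the published length and an in-place patch keeps the length but changes the hash. None of these cases is distinguishable from the integrity error alone, which is why the hash and length have to come from somewhere other than the download channel.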