Russian Tor exit node patches with malware the files downloaded

Pierluigi Paganini October 27, 2014

The researcher Josh Pitts of Leviathan Security Group identified a Russian Tor exit node that is patching the binaries downloaded by the users with malware.

Once again Tor network is under attack, the researcher Josh Pitts of Leviathan Security Group has identified a Tor exit node that was used to patch the binaries downloaded by the users, the threat actors were adding malware to the files dynamically.

The Tor is a system that allows to anonymize users’ online experience, but as explained many times this is possible under specific conditions because the manipulation of scripts running on visited website or file downloaded from an untrusted repository could reveal Tor user’s identity.

In this case we are faced with the danger of trusting files downloaded from unknown sources, but let’s consider anyway that an attacker could also use a similar technique compromising a legitimate website, and that compromising/setting an exit node to make the “dirty job” is always possible.

Many binaries are hosted without any transport layer security encryption, only in some cases it is possible to find signed files to prevent on-fly modification.

To mitigate suck kind of attacks encrypted download channels represents the best option  to avoid manipulation of the binaries.

“SSL/TLSis the only way to prevent this from happening. End-users may want to consider installing HTTPS Everywhere or similar plugins for their browser to help ensure their traffic is always encrypted,” said Pitts.

Pitts discovered the anomalous behavior of the Tor exit node while conducting a research on download servers that could be abused to patch binaries during download through a man-in-the middle attack.

“After creating and using a new exitmap module, I found downloaded binaries being patched through a Tor exit node in Russia. ” said Pitts in the blog post.

During that DerbyCon conference the researcher has presented how to run a MITM patching of binaries during download using BDFProxy. The Backdoor Factory framework (BDF) designed by the researcher allows him to patch executable binaries with shell code that the attacker could use to execute an arbitrary code without the user noticing any suspicious activity.

Unfortunately, this attack could be conducted by anyone on the Internet, and as demonstrated by Pitts, it could be effective to hack Tor anonymity controlling one or more exit nodes.

Internet users, consciously or not, download every day an impressive number of files, let’s think for example to software upgrades. If an attacker is able to control the download process for security updates he can infect a large number of machines simply injecting malware into the update channel.

The update process is considered the most scaring scenario by security experts, because the download file in many cases is considered trusted by default. The attack chain could also be improved using a digital signature mechanism which abuses of fake digital certificates.

Legitimate software vendors use to sign their binaries, any modification to the code will cause verification errors. This is the scenario observed by the research during his tests, an attacker running a MITM attack while the user is downloading a file can actively patch binaries with his own code.

“I tested BDFProxy against a number of binaries and update processes, including Microsoft Windows Automatic updates.  The good news is that if an entity is actively patching Windows PE files for Windows Update, the update verification process detects it, and you will receive error code 0×80200053.” states Pitts.

Tor exit node attack

The expert extended its analysis to Tor exit nodes discovering that a malicious node in Russia was actively patching any binaries he downloaded with a piece of malware. Fortunately, in time I’m writing the Tor exit node is the unique one running the attack.

“To have the best chance of catching modified binaries in transit over the Internet, I needed as many exit points in as many countries as possible. Using Tor would give me this access, and thus the greatest chance of finding someone conducting this malicious MITM patching activity,” Pitts wrote.

“After researching the available tools, I settled on exitmapExitmap is Python-based and allows one to write modules to check exit nodes for various modifications of traffic.  Exitmap is the result of a research project called Spoiled Onions that was completed by both the PriSec group at Karlstad University and SBA Research in Austria. I wrote a module for exitmap, named, and have submitted a pull request to the official GitHub repository. Soon after building my module, I let exitmap run.  It did not take long, about an hour, to catch my first malicious exit node.”

Pitts downloaded several legitimate binaries from trusted sources, including, and each of them came loaded with malware code that opens a port to listen for commands and starts sending HTTP requests to a C&C server.

The researcher informed officials of the Tor Project, who flagged the Tor exit node as bad.

“We’ve now set the BadExit flag on this relay, so others won’t accidentally run across it. We certainly do need more people thinking about more modules for the exitmap scanner. In general, it seems like a tough arms race to play,” wrote Roger Dingeldine, one of the original developers of Tor. 

The attack scenario described by Pitts is very common, user should be wary of the repository referenced for software download, making sure that they are using encrypted channels (TLS/SSL)

“The problem of modified binaries is not limited to Tor. We highlight the example because of some of the misconceptions people have about Tor providing increased safety. In general, users should be wary of where they download software and ensure they are using TLS/SSL. Sites not supporting TLS/SSL should be persuaded to do so,” Pitts said.

Pierluigi Paganini

Security Affairs –  (Tor exit nodes, hacking)

you might also like

leave a comment