
Russian Tor exit node patches downloaded files with malware

Researcher Josh Pitts of Leviathan Security Group identified a Russian Tor exit node that was patching binaries downloaded by users with malware.

Once again the Tor network is under attack: researcher Josh Pitts of Leviathan Security Group has identified a Tor exit node that was used to patch binaries downloaded by users, with the threat actors adding malware to the files on the fly.

Tor is a system that anonymizes users’ online activity, but as explained many times this holds only under specific conditions: the manipulation of scripts running on a visited website, or of a file downloaded from an untrusted repository, could reveal a Tor user’s identity.

In this case the danger is trusting files downloaded from unknown sources, but consider that an attacker could also use a similar technique after compromising a legitimate website, and that compromising or setting up an exit node to do the “dirty job” is always possible.

Many binaries are hosted without any transport-layer encryption, and only in some cases are the files signed to prevent on-the-fly modification.

To mitigate such attacks, encrypted download channels are the best option to prevent manipulation of the binaries.

“SSL/TLS is the only way to prevent this from happening. End-users may want to consider installing HTTPS Everywhere or similar plugins for their browser to help ensure their traffic is always encrypted,” said Pitts.

Pitts discovered the anomalous behavior of the Tor exit node while researching download servers that could be abused to patch binaries during download through a man-in-the-middle attack.

“After creating and using a new exitmap module, I found downloaded binaries being patched through a Tor exit node in Russia,” said Pitts in the blog post.

At the DerbyCon conference the researcher presented how to run MITM patching of binaries during download using BDFProxy. The Backdoor Factory framework (BDF), designed by the researcher, allows him to patch executable binaries with shellcode that an attacker could use to execute arbitrary code without the user noticing any suspicious activity.

Unfortunately, this attack could be conducted by anyone on the Internet, and as demonstrated by Pitts, it can be effective against Tor anonymity for whoever controls one or more exit nodes.

Internet users, consciously or not, download an impressive number of files every day; think, for example, of software upgrades. If an attacker is able to control the download process for security updates, he can infect a large number of machines simply by injecting malware into the update channel.

The update process is considered the scariest scenario by security experts, because in many cases the downloaded file is trusted by default. The attack chain could also be improved by abusing a digital signature mechanism with fake digital certificates.

Legitimate software vendors usually sign their binaries, so any modification to the code will cause verification errors. This is the scenario observed by the researcher during his tests: an attacker running a MITM attack while the user is downloading a file can actively patch binaries with his own code.

“I tested BDFProxy against a number of binaries and update processes, including Microsoft Windows Automatic updates. The good news is that if an entity is actively patching Windows PE files for Windows Update, the update verification process detects it, and you will receive error code 0x80200053,” states Pitts.

The expert extended his analysis to Tor exit nodes, discovering that a malicious node in Russia was actively patching every binary he downloaded with a piece of malware. Fortunately, at the time of writing, this Tor exit node is the only one found running the attack.

“To have the best chance of catching modified binaries in transit over the Internet, I needed as many exit points in as many countries as possible. Using Tor would give me this access, and thus the greatest chance of finding someone conducting this malicious MITM patching activity,” Pitts wrote.

“After researching the available tools, I settled on exitmap. Exitmap is Python-based and allows one to write modules to check exit nodes for various modifications of traffic. Exitmap is the result of a research project called Spoiled Onions that was completed by both the PriSec group at Karlstad University and SBA Research in Austria. I wrote a module for exitmap, named patchingCheck.py, and have submitted a pull request to the official GitHub repository. Soon after building my module, I let exitmap run. It did not take long, about an hour, to catch my first malicious exit node.”

Pitts downloaded several legitimate binaries from trusted sources, including Microsoft.com, and each of them arrived loaded with malware code that opens a port to listen for commands and starts sending HTTP requests to a C&C server.
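As an added illustration of the two defensive points made above (the integrity check that catches an in-transit patch, and the exitmap-style scan that compares what different exit nodes hand back for the same download), here is a small Python example. It is not code from the original article, from Leviathan Security Group, or from the exitmap project; the file contents, the simulated exit nodes and the download URL are constructed stand-ins, and `patchingCheck.py` itself is not reproduced here.

```python
"""Detecting in-transit modification of a downloaded binary.

Constructed example: a reference copy of a file (e.g. fetched once over TLS
from the vendor, or its published SHA-256) is compared with copies obtained
through several untrusted paths. Any path that returns different bytes is
flagged. The same digest check is what a careful client should run on every
download; the loop over paths is the idea behind an exitmap-style scan.
"""
import hashlib
import hmac
from typing import Callable, Dict, List
from urllib.parse import urlparse

# Constructed sample "binary": a tiny stand-in for a real executable.
PRISTINE = bytes.fromhex("4d5a9000") + b"\x00" * 60 + b"PE\x00\x00" + b"A" * 200

# Constructed "patched" copy: same length, a few bytes in the body differ,
# which is all an integrity check needs to notice.
_patched = bytearray(PRISTINE)
_patched[128:136] = b"XXXXXXXX"
PATCHED = bytes(_patched)

Fetcher = Callable[[str], bytes]  # anything that returns the bytes for a URL


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


def require_tls(url: str) -> bool:
    """Accept only https URLs: a plaintext http download can be rewritten by any on-path party."""
    return urlparse(url).scheme == "https"


def verify_download(data: bytes, expected_sha256: str) -> bool:
    """Compare the digest of a received file with a digest obtained out of band (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256)


def safe_download(url: str, fetch: Fetcher, expected_sha256: str) -> bytes:
    """Client-side policy: refuse plaintext URLs and any copy whose digest does not match."""
    if not require_tls(url):
        raise ValueError(f"refusing plaintext download: {url}")
    data = fetch(url)
    if not verify_download(data, expected_sha256):
        raise ValueError("downloaded file does not match the published digest")
    return data


def scan_paths(url: str, reference_sha256: str, paths: Dict[str, Fetcher]) -> List[str]:
    """Fetch `url` through every named path; return the names whose copy differs from the reference."""
    flagged: List[str] = []
    for name, fetch in paths.items():
        if not verify_download(fetch(url), reference_sha256):
            flagged.append(name)
    return flagged


# Constructed simulated download paths standing in for Tor exit nodes.
def honest_exit(url: str) -> bytes:
    return PRISTINE


def tampering_exit(url: str) -> bytes:
    return PATCHED


SIMULATED_EXITS: Dict[str, Fetcher] = {
    "exit-A": honest_exit,
    "exit-B": tampering_exit,
    "exit-C": honest_exit,
}


def demo() -> List[str]:
    """Run the scan over the simulated exits; only the tampering one should be reported."""
    reference = sha256_hex(PRISTINE)  # digest of the copy obtained over a trusted channel
    # The scan deliberately uses a plaintext URL (placeholder host), because that is
    # the kind of download an on-path modifier can touch.
    return scan_paths("http://example.invalid/tool.exe", reference, SIMULATED_EXITS)


if __name__ == "__main__":
    print("flagged paths:", demo())
```

In practice the reference digest comes from a channel the attacker cannot rewrite (the vendor's HTTPS page, a signed manifest, or a code signature checked with the platform's own tooling), and `require_tls` is the policy the quoted advice about HTTPS Everywhere boils down to.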

The researcher informed officials of the Tor Project, who flagged the Tor exit node as bad.

“We’ve now set the BadExit flag on this relay, so others won’t accidentally run across it. We certainly do need more people thinking about more modules for the exitmap scanner. In general, it seems like a tough arms race to play,” wrote Roger Dingledine, one of the original developers of Tor.

The attack scenario described by Pitts is very common; users should be wary of the repository referenced for a software download, making sure that they are using encrypted channels (TLS/SSL).

“The problem of modified binaries is not limited to Tor. We highlight the example because of some of the misconceptions people have about Tor providing increased safety. In general, users should be wary of where they download software and ensure they are using TLS/SSL. Sites not supporting TLS/SSL should be persuaded to do so,” Pitts said.

Pierluigi Paganini

Security Affairs – (Tor exit nodes, hacking)
