posted by azrael on Sunday October 26 2014, @02:26PM
from the some-layers-are-rotten dept.

Josh Pitts of Leviathan Security Group has identified a Tor exit node that was actively patching malware into binaries on the fly as they were downloaded through it. He ran across the misbehaving exit node while researching whether download servers might be patching binaries during download via a man-in-the-middle attack. Threat Post also has an article on the finding.
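The research described above rests on one check: fetch the same binary over two paths (for example directly and through a given exit), hash both copies, and if the digests disagree, find out where the bytes changed. The following is an added example of that comparison; it is not code from the story, from Pitts' write-up or from his tooling. The 256-byte "binary", its offsets and the stand-in payload are constructed, and the cave-patching routine only models one way a patcher can alter a file without changing its size; it is not a claim about what this exit node did.

```python
"""Compare two copies of one download and locate the bytes that changed.

Added example, not code from the story or from Pitts' research tooling.
Models the check behind "is this download path patching binaries": fetch
the same file twice over different paths, hash both, and if the digests
disagree, report the differing byte ranges. All sample data is constructed;
a real run would read the two files from disk.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class PatchReport:
    same_size: bool
    sha256_match: bool
    regions: List[Tuple[int, int]]  # half-open [start, end) offsets that differ


def differing_regions(original: bytes, received: bytes) -> List[Tuple[int, int]]:
    """Maximal runs of offsets where the buffers differ.

    If the lengths differ, the tail of the longer buffer is one extra region,
    so appended or truncated data is reported as well as in-place edits.
    """
    regions: List[Tuple[int, int]] = []
    n = min(len(original), len(received))
    start = None
    for i in range(n):
        if original[i] != received[i]:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, n))
    if len(original) != len(received):
        regions.append((n, max(len(original), len(received))))
    return regions


def compare_downloads(original: bytes, received: bytes) -> PatchReport:
    """Hash both copies and, on mismatch, say where they differ."""
    same_hash = hashlib.sha256(original).digest() == hashlib.sha256(received).digest()
    return PatchReport(
        same_size=len(original) == len(received),
        sha256_match=same_hash,
        regions=[] if same_hash else differing_regions(original, received),
    )


# Constructed 256-byte stand-in for a downloaded executable (not a valid PE):
#   0x00  "MZ" plus filler             0x40  pretend entry-point code
#   0x80  64 zero bytes (a "code cave") 0xC0  more pretend code
ORIGINAL = bytes(
    b"MZ" + b"\x90" * 0x3E
    + b"\x55\x8B\xEC\x83\xEC\x10" + b"\xCC" * 0x3A
    + b"\x00" * 0x40
    + b"\xAA" * 0x40
)
ENTRY, CAVE = 0x40, 0x80
# Constructed stand-in for injected code: 16 bytes of "xor eax, eax".
PAYLOAD = b"\x31\xC0" * 8


def simulate_cave_patch(binary: bytes, entry: int, cave: int, payload: bytes) -> bytes:
    """Model of a size-preserving patch (an assumption about technique, not a
    claim about this exit node): overwrite the entry point with a 5-byte
    relative jmp into the zero-filled cave and place the payload there."""
    patched = bytearray(binary)
    rel = cave - (entry + 5)  # jmp rel32 is relative to the next instruction
    patched[entry:entry + 5] = b"\xE9" + rel.to_bytes(4, "little", signed=True)
    patched[cave:cave + len(payload)] = payload
    return bytes(patched)


RECEIVED = simulate_cave_patch(ORIGINAL, ENTRY, CAVE, PAYLOAD)

if __name__ == "__main__":
    report = compare_downloads(ORIGINAL, RECEIVED)
    print(f"same size: {report.same_size}, sha256 match: {report.sha256_match}")
    for start, end in report.regions:
        print(f"  modified 0x{start:04x}-0x{end:04x} ({end - start} bytes)")
```

The point of reporting regions rather than just a hash mismatch is that an equal file size with two small changed runs (one at the entry point, one inside padding) looks very different from a re-hosted or updated file, and gives the analyst the offsets to disassemble first. Note the check says nothing on its own about which hop did the patching; as the comments below discuss, it only shows that the copy that arrived differs from a reference copy.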

  • (Score: 0) by Anonymous Coward on Sunday October 26 2014, @03:13PM (#110246)

    The NSA? Some other ingredient of the Federal alphabet soup? Another government? Or just some low life scuzz bucket thieves currently independent of formal government ties? "Evidence" could be planted in this way too of course.

    With the corporate version you at least get the perception of having the option to uncheck the option to install the malware as with sourceforge, download.com, etc.

    • (Score: 3, Interesting) by zocalo (302) on Sunday October 26 2014, @03:48PM (#110254)
      I'm leaning towards cybercriminals since the exit node server is located at a random ISP in Russia which seems an unlikely choice for a US agency to pick. The malware also seems to set itself up as a classic bot - listening for commands and talking to a remote HTTP server, but the researcher (Pitts) doesn't seem to have followed through on what kind of commands were sent to the compromised PC (if any) or where the C&C server was located, which might have shed more light on this. That there was also only one exit node found behaving in this manner (albeit a very active one) also seems to indicate that whoever set this up probably doesn't have a lot of resources - I'd expect the NSA/FBI et al to be increasing their chances of results by running several nodes, so Pitts really ought to have found more than one of them - unless this was just a proof of concept, of course.
      --
      UNIX? They're not even circumcised! Savages!
      • (Score: 2) by frojack (1554) on Sunday October 26 2014, @08:39PM (#110325)

        All we know was that exit node was in Russia. We don't know if it was a random IP or not. We don't even know if the patching was done at the exit node or not, because it was AN EXIT NODE.

        It could have been the exit node's upstream provider.

        You really can't affix blame just by knowing the exit node IP address. If it were in the US, everyone would be blaming the NSA, so in Russia you can probably blame the Russian authorities.

        Because Joe Tor Enthusiast had no reason to do such a thing, you can assume that somewhere between the source and that exit node, someone had a reason to want to insert malware.

        People try to run Exit nodes on normal internet connections, but even TOR does not recommend this [torproject.org]. They recommend a hosting company and they recommend you tell the hosting company exactly what you are doing, and don't try to sneak one under the radar.

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 2) by zocalo (302) on Sunday October 26 2014, @09:31PM (#110346)
          The IP address of the exit node is in the original article written by Josh Pitts (in the "Caught Red-Handed" section, just under the screen cap), but yes, the binary could have been patched at any point it was in transit. If that was the case though, and assuming that Pitts ran a lot of tests which certainly seems to be the case, then patched binaries should have been detected coming out of other exit nodes as well, having passed through the same malicious intermediate node(s) en route. Given that all the detected patched binaries come from a single exit node located at what appears to be a reasonably insignificant IP would seem to point to that node being directly responsible.

          That it does seem like a single node is why I tend towards this being a small scale operation - either a small cybercrime gang or perhaps a larger gang or organization (possibly NSA, or some equivalent) doing a proof of concept operation. The choice of an insignificant ISP for that would make sense, of course, and the use of cut-outs also makes it possible that the location of the server is not necessarily any indication of who is operating it - the opposite is actually more likely from OpSec & PerSec perspectives - but this ISP seems a little *too* obscure. That's why I thought it a shame about the C&C server (the one the malware talks to over the normal web if I understand that bit of the write-up correctly), which might have shed a tiny bit more light on things.

          As an aside, not knowing the details of TOR operation, does anyone know whether, if I were to download a binary via TOR, all the packets of that binary would take the same route over the network, or whether each packet could potentially take a different route to the exit node? If the latter, then surely the only places it would be possible to correctly patch a binary would be either at the node that requests the original binary from the source or the exit node, as the rest would only have part of the binary?
          --
          UNIX? They're not even circumcised! Savages!
          • (Score: 2) by frojack (1554) on Monday October 27 2014, @05:54AM (#110436)

            > then patched binaries should have been detected coming out of other exit nodes as well, having passed through the same malicious intermediate node(s) en route.

            Well, if you (sitting in Boston) access something via tor, that something may come from anywhere, say a Microsoft server, but it is delivered to the exit node (say in Moscow) and then via the tor network and a circuitous route it is delivered to the requester in Boston. EXIT in this case indicates where your requests, or your email, or your web page request exits the TOR network and travels across the internet.

            That is, the EXIT node, (in Moscow) is where the corrupted binaries ENTERED the tor network, because they were requested by someone in Boston. They don't just pop out of other exit nodes, they are routed back to the requester, you, in your lair in Boston.

            So an exit node, or an upstream provider of said exit node, is the perfect place to insert corrupted binaries. And, because exit nodes are not that plentiful, it's unlikely that the same corrupted binaries would appear anywhere else. When you in Boston get your requested software from Microsoft, by way of Moscow, you install it and it calls home, and presto, you are de-anonymized.

            In most cases, the packets would take the same route, but that isn't necessary. When you download something from anywhere, it is usually delivered via the same path to the requesting station. But as far as Microsoft is concerned the requesting station is that Exit Node in Moscow. So ALL the packets will go through that exit node in Moscow on their way to Boston.

            That makes the exit node or its upstream network provider the perfect place to insert corrupted binaries.

            --
            No, you are mistaken. I've always had this sig.
            • (Score: 2) by zocalo (302) on Monday October 27 2014, @08:43AM (#110450)
              Thanks for that - pretty much how I expected TOR to work, except I had the location of the exit node back to front. It does seem more logical that it would be that way around, now that I think about it, and also seems to confirm that any malicious patching of binaries would most probably have to happen at an exit node to be most effective. Theoretically, you could capture an entire binary in-transit and patch it within the network, but without any guarantee you would see the entire thing that would reduce the effectiveness of such a scheme.
              --
              UNIX? They're not even circumcised! Savages!
              • (Score: 2) by urza9814 (3954) on Thursday October 30 2014, @06:27PM (#111623)

                > Theoretically, you could capture an entire binary in-transit and patch it within the network

                Not unless you can break the encryption...

                Your requests and data -- including metadata like destination IP address -- are encrypted all the way from the source node to the exit node. The reason almost all attacks on Tor traffic are being done by the exit node is because that's the only place where you can get the request unencrypted.
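Following frojack's walk-through of where the binary enters the Tor network and urza9814's point that only the exit sees the request unencrypted, here is an added example that models a three-hop circuit. It is not any commenter's code and it is not Tor's actual protocol: real Tor negotiates per-hop keys with a handshake and carries fixed-size relay cells under AES-CTR with integrity checks. The relay names, the origin address `example.test/setup.exe`, the 32-byte stand-in "binary" and the HMAC-based toy cipher are all assumptions made for the demonstration. It also answers zocalo's routing question: a stream rides one fixed circuit, so every hop handles the whole response, but only the exit handles it in the clear.

```python
"""Toy three-hop onion circuit showing which hop can read the request and
the response in the clear.

Added example, not Tor's protocol: real Tor negotiates per-hop keys with a
handshake and carries fixed-size relay cells under AES-CTR with integrity
checks. Here each relay shares a random key with the client and a layer is
an XOR with an HMAC-SHA256 keystream, enough to show the confidentiality
property the comments describe. The origin server and the "binary" it
serves are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, used only as a stand-in stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def xor_layer(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Add or remove one encryption layer (XOR is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


@dataclass
class Relay:
    name: str
    key: bytes = field(default_factory=lambda: os.urandom(32))  # shared with the client only
    seen: List[bytes] = field(default_factory=list)             # every cell body this hop handled

    def peel(self, nonce: bytes, cell: bytes) -> bytes:
        """Forward direction: strip this hop's layer and pass the rest on."""
        inner = xor_layer(self.key, nonce, cell)
        self.seen.append(inner)
        return inner

    def wrap(self, nonce: bytes, cell: bytes) -> bytes:
        """Backward direction: add this hop's layer on the way to the client."""
        self.seen.append(cell)
        return xor_layer(self.key, nonce, cell)


# Constructed origin server: one 32-byte pretend executable at a made-up address.
ORIGIN: Dict[bytes, bytes] = {b"GET example.test/setup.exe": b"MZ\x90\x00" + b"\xCC" * 28}
# Constructed stand-in for a patched copy of the same file.
PATCHED = b"MZ\x90\x00" + b"\xE9" + b"\x00" * 27


def run_circuit(exit_tampers: bool) -> Tuple[bytes, Dict[str, List[bytes]]]:
    """Send one request through guard -> middle -> exit and return the response
    the client recovers plus what each hop saw in transit."""
    guard, middle, exit_ = Relay("guard"), Relay("middle"), Relay("exit")
    circuit = [guard, middle, exit_]
    fwd_nonce, bwd_nonce = os.urandom(8), os.urandom(8)

    # Client: innermost layer for the exit, outermost for the guard.
    request = b"GET example.test/setup.exe"
    cell = request
    for hop in reversed(circuit):
        cell = xor_layer(hop.key, fwd_nonce, cell)

    # Each hop removes exactly one layer; only the exit ends up with plaintext,
    # including the destination, which is why it is the hop that contacts the origin.
    cell = guard.peel(fwd_nonce, cell)
    cell = middle.peel(fwd_nonce, cell)
    clear_request = exit_.peel(fwd_nonce, cell)

    body = ORIGIN[clear_request]
    if exit_tampers:
        body = PATCHED  # the exit (or anyone upstream of it) holds the clear-text response

    # Response travels back, each hop adding its layer; the client strips all three.
    cell = exit_.wrap(bwd_nonce, body)
    cell = middle.wrap(bwd_nonce, cell)
    cell = guard.wrap(bwd_nonce, cell)
    for hop in circuit:
        cell = xor_layer(hop.key, bwd_nonce, cell)

    return cell, {hop.name: hop.seen for hop in circuit}


def hops_that_saw(seen: Dict[str, List[bytes]], needle: bytes) -> List[str]:
    """Names of the hops whose handled cells contained `needle` in the clear."""
    return [name for name, cells in seen.items() if any(needle in c for c in cells)]


if __name__ == "__main__":
    received, seen = run_circuit(exit_tampers=True)
    print("client received patched copy:", received == PATCHED)
    print("hops that saw the request:", hops_that_saw(seen, b"GET "))
    print("hops that saw the response body:", hops_that_saw(seen, PATCHED))
```

Running it shows the guard and middle hops handling only ciphertext in both directions while the exit holds the clear request, destination included, and the clear response. That is the position from which a binary can be rewritten before it is re-wrapped for the client, and it is equally available to the exit's upstream provider, which sees the same clear traffic; a guard or middle relay cannot do it without the exit's key. The model does not cover the integrity checks real Tor applies to cells, only who can read what.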

  • (Score: 2) by hash14 (1102) on Sunday October 26 2014, @03:22PM (#110248)

    This is why we do it.

    • (Score: 2) by Lagg (105) on Sunday October 26 2014, @10:53PM (#110368)

      Yeah, now if only people could figure out things like PGP. Oh well, I still get personal satisfaction from doing the signing.

      --
      http://lagg.me 🗿
  • (Score: 0) by Anonymous Coward on Sunday October 26 2014, @03:44PM (#110253)

    Is the Soylent onion site working? http://7rmath4ro2of2a42.onion/

    • (Score: 2) by maxwell demon (1608) on Sunday October 26 2014, @08:46PM (#110329)

      The Soylent Onion? Is that the satire version of this site? ;-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 2) by Runaway1956 (2926) on Sunday October 26 2014, @04:06PM (#110261)

    Why are people downloading executables via TOR? I'm not a typical computer user, but then, neither are TOR users - are they?

    My operating system is configured to download updates from a trusted repository. Actually, Windows is too - Windows Update connects to Windows servers to find its updates.

    Whether you operate a Unix-like or an NT system, who browses and/or searches for executables over TOR? If I want to install the latest version of "Your Browser Belongs To Us" toolbar, I navigate over the open net to the toolbar's homesite, and download their updated toolbar. Fast, easy, and efficient.

    Tor? Sure, it will carry your executable to you, but its rather slow and inefficient, isn't it? That's why you don't torrent on TOR.

    This seems a strange mix of paranoia and careless stupidity. Of course, law enforcement seems to have made a number of busts based on similar strange mixes of paranoia and carelessness.

    • (Score: 0) by Anonymous Coward on Sunday October 26 2014, @05:41PM (#110274)

      > Why are people downloading executables via TOR?

      Because those executables might be contraband or at least considered proof of criminal intent in certain countries?
      The sites they are on may even be completely blocked from within their countries.

      > This seems a strange mix of paranoia and careless stupidity.

      You are exhibiting the problem with the authoritarian mindset -- that your personal experience is representative of the way everyone lives and that people who don't conform to your narrowly prescribed understanding of life are stupid.

    • (Score: 3, Insightful) by Fnord666 (652) on Sunday October 26 2014, @06:15PM (#110286)

      > Whether you operate a Unix-like or an NT system, who browses and/or searches for executables over TOR?

      People who don't want everyone to know which executables they are downloading or using. Say for example people who live in places where the possession of software that might avoid censorship is a crime.

      • (Score: 2) by frojack (1554) on Sunday October 26 2014, @08:29PM (#110321)

        Agreed. It might be more innocent than that.

        There are some people who run their entire internet access over tor, usually by an external tor appliance between their network and the internet.

        When that happens, machines protected by that appliance will check for updates via tor. All internet access will go via tor.
        They specifically mention windows machines looking for windows updates.

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 2) by urza9814 (3954) on Thursday October 30 2014, @06:30PM (#111625)

          Yup. My phone does this. So any apps that are updated are being updated through Tor. I actually did try limiting Tor to specific applications, but I found that didn't work very well, a lot of apps would claim they had no connection at all. But if you do transparent proxying of ALL traffic, they work perfectly.

      • (Score: 0) by Anonymous Coward on Sunday October 26 2014, @09:22PM (#110342)

        In some Muslim countries you can be imprisoned just for downloading programs they do not approve of.

        • (Score: 0) by Anonymous Coward on Sunday October 26 2014, @10:40PM (#110364)

          I didn't realize Japan was a Muslim country. [bbc.co.uk]