
posted by azrael on Sunday October 26 2014, @02:26PM   Printer-friendly
from the some-layers-are-rotten dept.

Josh Pitts of Leviathan Security Group has identified a Tor exit node that was dynamically inserting malware into binary files as they passed through it. He ran across the misbehaving exit node while researching whether download servers might be patching binaries during download via a man-in-the-middle attack. An article about this can also be found at Threat Post.

  • (Score: 2) by zocalo on Sunday October 26 2014, @09:31PM

    by zocalo (302) on Sunday October 26 2014, @09:31PM (#110346)
    The IP address of the exit node is in the original article written by Josh Pitts (in the "Caught Red-Handed" section, just under the screen cap), but yes, the binary could have been patched at any point it was in transit. If that was the case though, and assuming that Pitts ran a lot of tests, which certainly seems to be the case, then patched binaries should have been detected coming out of other exit nodes as well, having passed through the same malicious intermediate node(s) en route. Given that all the detected patched binaries come from a single exit node located at what appears to be a reasonably insignificant IP would seem to point to that node being directly responsible.

    That it does seem like a single node is why I tend to this being a small scale operation - either a small cybercrime gang or perhaps a larger gang or organization (possibly NSA, or some equivalent) doing a proof of concept operation. The choice of an insignificant ISP for that would make sense, of course, and the use of cut-outs also makes it possible that the location of the server is not necessarily any indication of those operating it - the opposite is actually more likely from OpSec & PerSec perspectives - but this ISP seems a little *too* obscure. That's why I thought it a shame that the C&C server (the one the malware talks to over the normal web, if I understand that bit of the write-up correctly) might have shed a tiny bit more light on things.

    As an aside, not knowing the details of TOR operation, does anyone know whether, if I were to download a binary via TOR, all the packets of that binary would take the same route over the network, or could each packet potentially take different routes to the exit node? If the latter, then surely the only places it would be possible to correctly patch a binary would be either at the node that requests the original binary from the source or the exit node, as the rest would only have part of the binary?
    --
    UNIX? They're not even circumcised! Savages!
  • (Score: 2) by frojack on Monday October 27 2014, @05:54AM

    by frojack (1554) on Monday October 27 2014, @05:54AM (#110436) Journal

    then patched binaries should have been detected coming out of other exit nodes as well, having passed through the same malicious intermediate node(s) en route.

    Well, if you (sitting in Boston) access something via tor, that something may come from anywhere, say a Microsoft server, but it is delivered to the exit node (say in Moscow) and then via the tor network and a circuitous route it is delivered to the requester in Boston. EXIT in this case indicates where your requests, or your email, or your web page request exits the TOR network and travels across the internet.

    That is, the EXIT node, (in Moscow) is where the corrupted binaries ENTERED the tor network, because they were requested by someone in Boston. They don't just pop out of other exit nodes, they are routed back to the requester, you, in your lair in Boston.

    So an exit node, or an upstream provider of said exit node, is the perfect place to insert corrupted binaries. And, because exit nodes are not that plentiful, it's unlikely that the same corrupted binaries would appear anywhere else. When you in Boston get your requested software from Microsoft, by way of Moscow, you install it and it calls home, and presto, you are de-anonymized.

    In most cases, the packets would take the same route, but that isn't necessary. When you download something from anywhere, it is usually delivered via the same path to the requesting station. But as far as Microsoft is concerned the requesting station is that Exit Node in Moscow. So ALL the packets will go through that exit node in Moscow on their way to Boston.

    That makes the exit node or its upstream network provider the perfect place to insert corrupted binaries.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 2) by zocalo on Monday October 27 2014, @08:43AM

      by zocalo (302) on Monday October 27 2014, @08:43AM (#110450)
      Thanks for that - pretty much how I expected TOR to work, except I had the location of the exit node back to front. It does seem more logical that it would be that way around, now that I think about it, and also seems to confirm that any malicious patching of binaries would most probably have to happen at an exit node to be most effective. Theoretically, you could capture an entire binary in-transit and patch it within the network, but without any guarantee you would see the entire thing, that would reduce the effectiveness of such a scheme.
      --
      UNIX? They're not even circumcised! Savages!
      • (Score: 2) by urza9814 on Thursday October 30 2014, @06:27PM

        by urza9814 (3954) on Thursday October 30 2014, @06:27PM (#111623) Journal

        Theoretically, you could capture an entire binary in-transit and patch it within the network

        Not unless you can break the encryption...

        Your requests and data -- including metadata like destination IP address -- are encrypted all the way from the source node to the exit node. The reason almost all attacks on Tor traffic are being done by the exit node is because that's the only place where you can get the request unencrypted.
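The two points made above by frojack (the exit is the one relay that fetches the file, so every byte of the download passes through it) and urza9814 (the guard and middle relays only ever see ciphertext) can be shown with a toy onion circuit. This is an added example, not code from the thread, from Tor, or from Josh Pitts' research. It assumes three relays with pre-shared keys (real Tor negotiates them with a handshake), uses a keyed-HMAC keystream in place of Tor's AES-CTR layers, and uses a constructed fake binary and a constructed "patch" as stand-ins for the malware injection described in the story. The client-side defence it demonstrates is the one a practitioner would actually want: compare the downloaded file against a hash published over a channel that does not pass through the exit (an HTTPS page, a signed release), because the exit can rewrite anything that arrives over plain HTTP.

```python
"""Toy onion circuit: only the exit relay sees (and can patch) a download,
and an out-of-band hash check catches the patch at the client.
Added example, not code from the thread, Tor, or Josh Pitts' research.
Assumptions: pre-shared per-relay keys, HMAC-SHA256 keystream instead of
AES-CTR, a constructed fake binary, and a constructed 'patch'."""
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-mode keystream: HMAC-SHA256(key, nonce || counter), truncated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def layer(key: bytes, direction: bytes, data: bytes) -> bytes:
    """Add or strip one onion layer (XOR with that relay's keystream); self-inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, direction, len(data))))


# Constructed fake binary and the hash its vendor would publish over a channel
# that does not pass through the exit (HTTPS page, signed release notes).
GOOD_BINARY = b"MZ" + b"\x90" * 60 + b"real program body"
PUBLISHED_SHA256 = hashlib.sha256(GOOD_BINARY).hexdigest()


def fetch(url: str) -> bytes:
    """Stand-in for the exit's plain-HTTP request to the origin server."""
    return GOOD_BINARY if url.endswith("setup.exe") else b"404"


def patch(binary: bytes) -> bytes:
    """Stand-in for the exit splicing a payload into the binary in transit:
    overwrite bytes after the header with a fake jump and append a payload."""
    return binary[:2] + b"\xe9\x00\x10\x00\x00" + binary[7:] + b"<injected payload>"


class Relay:
    def __init__(self, name: str, key: bytes, malicious: bool = False):
        self.name, self.key, self.malicious = name, key, malicious
        self.seen_request = b""   # what this relay sees after stripping its own layer
        self.seen_reply = b""     # what this relay sees coming back from the next hop

    def handle(self, cell: bytes, rest: list, fetch_fn) -> bytes:
        inner = layer(self.key, b"fwd", cell)          # strip our layer
        self.seen_request = inner
        if rest:                                       # guard/middle: still ciphertext
            reply = rest[0].handle(inner, rest[1:], fetch_fn)
        else:                                          # exit: request is plaintext
            reply = fetch_fn(inner.decode())
            if self.malicious:
                reply = patch(reply)
        self.seen_reply = reply
        return layer(self.key, b"bwd", reply)         # add our layer on the way back


def download(circuit: list, url: str) -> bytes:
    """Client: wrap the request once per relay (exit innermost), send, peel the reply."""
    cell = url.encode()
    for r in reversed(circuit):
        cell = layer(r.key, b"fwd", cell)
    reply = circuit[0].handle(cell, circuit[1:], fetch)
    for r in circuit:
        reply = layer(r.key, b"bwd", reply)
    return reply


def verify(binary: bytes) -> bool:
    """Out-of-band check: the exit cannot forge this without the vendor's channel."""
    return hmac.compare_digest(hashlib.sha256(binary).hexdigest(), PUBLISHED_SHA256)


def demo(malicious_exit: bool) -> dict:
    guard = Relay("guard", b"k-guard" * 4)
    middle = Relay("middle", b"k-middle" * 4)
    exit_ = Relay("exit", b"k-exit" * 4, malicious=malicious_exit)
    got = download([guard, middle, exit_], "http://example.invalid/setup.exe")
    return {
        "middle_sees_url": b"setup.exe" in middle.seen_request,
        "middle_sees_binary": b"real program body" in middle.seen_reply,
        "exit_sees_url": b"setup.exe" in exit_.seen_request,
        "exit_sees_binary": b"real program body" in exit_.seen_reply,
        "hash_matches": verify(got),
        "payload_present": b"<injected payload>" in got,
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("malicious exit" if flag else "honest exit", demo(flag))
```

With an honest exit the hash matches; with a malicious exit the client receives the payload and the hash check fails, while the middle relay never sees the URL or the file body in either run. Real Tor adds a Diffie-Hellman handshake per hop and AES-CTR layers, but the property the thread is discussing is the same: the exit is the only relay holding the plaintext, so an HTTP download is only as trustworthy as the exit unless the client verifies it against something the exit cannot touch.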