
posted by azrael on Sunday October 26 2014, @02:26PM
from the some-layers-are-rotten dept.

Josh Pitts of Leviathan Security Group has identified a Tor exit node that was actively and dynamically adding malware to binary files as they were downloaded. He ran across the misbehaving Tor exit node while performing research on download servers that might be patching binaries during download through a man-in-the-middle attack. An article about this can also be found at Threat Post.

 
  • (Score: 2) by frojack (1554) on Monday October 27 2014, @05:54AM (#110436)

    then patched binaries should have been detected coming out of other exit nodes as well, having passed through the same malicious intermediate node(s) on route.

    Well, if you (sitting in Boston) access something via tor, that something may come from anywhere, say a Microsoft server, but it is delivered to the exit node (say in Moscow) and then via the tor network and a circuitous route it is delivered to the requester in Boston. EXIT in this case indicates where your requests, or your email, or your web page request exits the TOR network, and travels across the internet.

    That is, the EXIT node (in Moscow) is where the corrupted binaries ENTERED the tor network, because they were requested by someone in Boston. They don't just pop out of other exit nodes, they are routed back to the requester, you, in your lair in Boston.

    So an exit node, or an upstream provider of said exit node, is the perfect place to insert corrupted binaries. And, because exit nodes are not that plentiful, it's unlikely that the same corrupted binaries would appear anywhere else. When you in Boston get your requested software from Microsoft, by way of Moscow, you install it and it calls home, and presto, you are de-anonymized.

    In most cases, the packets would take the same route, but that isn't necessary. When you download something from anywhere, it is usually delivered via the same path to the requesting station. But as far as Microsoft is concerned the requesting station is that Exit Node in Moscow. So ALL the packets will go through that exit node in Moscow on their way to Boston.

    That makes the exit node or its upstream network provider the perfect place to insert corrupted binaries.

    --
    No, you are mistaken. I've always had this sig.
  • (Score: 2) by zocalo (302) on Monday October 27 2014, @08:43AM (#110450)
    Thanks for that - pretty much how I expected TOR to work, except I had the location of the exit node back to front. It does seem more logical that it would be that way around, now that I think about it, and also seems to confirm that any malicious patching of binaries would most probably have to happen at an exit node to be most effective. Theoretically, you could capture an entire binary in-transit and patch it within the network, but without any guarantee you would see the entire thing that would reduce the effectiveness of such a scheme.
    --
    UNIX? They're not even circumcised! Savages!
    • (Score: 2) by urza9814 (3954) on Thursday October 30 2014, @06:27PM (#111623)

      Theoretically, you could capture an entire binary in-transit and patch it within the network

      Not unless you can break the encryption...

      Your requests and data -- including metadata like destination IP address -- are encrypted all the way from the source node to the exit node. The reason almost all attacks on Tor traffic are being done by the exit node is because that's the only place where you can get the request unencrypted.
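The thread's point, that a single exit is the one unencrypted hop and therefore the one place a binary can be patched on its way to you, also suggests the defender's check: fetch the same file through several independent exits (or compare against a hash published over an authenticated channel) and flag the exit whose copy differs. The script below is an added illustration, not code from the story or from Leviathan's research; the exit names, the stand-in "binary" and the appended bytes are all constructed sample data.

```python
import hashlib
from collections import Counter
from typing import Dict, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_divergent_exits(downloads: Dict[str, bytes],
                         publisher_sha256: Optional[str] = None) -> dict:
    """Compare one download as received through several Tor exits.

    downloads maps an exit identifier to the raw bytes received via that exit.
    publisher_sha256 is a hash obtained over an authenticated channel (the
    vendor's HTTPS page, a signed release note); when given, every exit is
    judged against it. Without it the fallback is a majority vote, which only
    means something when at least three exits were used and most are honest.
    """
    if not downloads:
        raise ValueError("no downloads to compare")
    digests = {exit_id: sha256_hex(blob) for exit_id, blob in downloads.items()}
    if publisher_sha256:
        reference = publisher_sha256.lower()
    else:
        ranked = Counter(digests.values()).most_common()
        tie = len(ranked) > 1 and ranked[0][1] == ranked[1][1]
        if len(downloads) < 3 or tie:
            raise ValueError("majority vote inconclusive; obtain the publisher's hash")
        reference = ranked[0][0]
    tampered = sorted(e for e, d in digests.items() if d != reference)
    return {"reference": reference, "digests": digests, "tampered": tampered}


# Constructed sample data: a stand-in file with PE-like magic bytes, and a copy
# with 16 bytes appended to represent an in-transit modification at one exit.
CLEAN_BINARY = b"MZ" + bytes(62) + b"PE\0\0" + bytes(256)
PATCHED_BINARY = CLEAN_BINARY + b"\x90" * 16
SAMPLE_DOWNLOADS = {
    "exit-a": CLEAN_BINARY,   # constructed exit identifiers, not real relays
    "exit-b": CLEAN_BINARY,
    "exit-c": PATCHED_BINARY,
}

if __name__ == "__main__":
    report = find_divergent_exits(SAMPLE_DOWNLOADS)
    for exit_id, digest in report["digests"].items():
        flag = "TAMPERED" if exit_id in report["tampered"] else "ok"
        print(f"{exit_id:8s} {digest[:16]}... {flag}")
```

With a publisher-supplied hash a single exit can be judged on its own; without one, two exits that disagree tell you only that one of them is lying, which is why the function refuses to vote in that case.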