A compromised exit node on the secretive Tor network has been found to inject malware into download binary files.
According to Josh Pitts, a researcher at the Leviathan Security Group, the exit node, based in Russia has been changing downloaded files and wrapping them in malware. The problem has also affected Windows Update files coming through the node.
Pitts discovered the problem while researching threats posed by binary files that are unencrypted. In a presentation at the DerbyCon security conference, the researcher demonstrated how binary files without TLS encryption could be tampered with during a download.
Around 90 per cent of websites do not use encryption to protect downloaded files, Pitts said, and this meant that hackers could mount a man-in-the-middle attack and insert malware.
At the presentation, Pitts only had circumstantial evidence that this was happening so he set to work to scan 1,100 Tor exit nodes using a custom tool called Backdoor Factory.
"Out of over 1110 exit nodes on the Tor network, this is the only node that I found patching binaries, although this node attempts to patch just about all the binaries that I tested. The node only patched uncompressed PE files. This does not mean that other nodes on the Tor network are not patching binaries; I may not have caught them, or they may be waiting to patch only a small set of binaries," he said in a blog post.
Administrators of the Tor network have flagged the node as a BadExit, after Pitts discovery. This should prevent users from visiting the node.
"We've now set the BadExit flag on this relay, so others won't accidentally run across it," said Roger Dingeldine, one of the original developers of Tor, in a mailing list message.
Pitts said that internet users, especially those in countries hostile to internet freedom should be wary to downloading binaries "in the clear".
"All users should have a way of checking hashes and signatures out of band prior to executing the binary," he said.
