Security Researcher Discovers Tor Exit Node Adding Malware To Downloads

Security researcher Josh Pitts of Leviathan Security Group has discovered a Tor exit node that was adding malware to user downloads. The discovery highlights the danger of trusting files downloaded from unknown sources and the potential for attackers to abuse the trust users have in Tor and similar services.

Josh Pitts performed some research on download servers and identified some kind of Man-In-The-Middle method scenario in this attack. That means, an attacker with a MITM position can actively patch binaries–if not security updates–with his own code.

Pitts built a framework called BDF (Backdoor Factory) that can patch executable binaries with shell code in such a way that the binary will execute as intended, without the user noticing. He wanted to see whether anyone was conducting this kind of attack on the Internet right now, so he decided to have a look at Tor, the anonymity network.

"To have the best chance of catching modified binaries in transit over the Internet, I needed as many exit points in as many countries as possible.  Using Tor would give me this access, and thus the greatest chance of finding someone conducting this malicious MITM patching activity."

"After researching the available tools, I settled on exitmap.  Exitmap is Python-based and allows one to write modules to check exit nodes for various modifications of traffic.  Exitmap is the result of a research project called Spoiled Onions that was completed by both the PriSec group at Karlstad University and SBA Research in Austria.," Pitts said.

Pitts discovered that a node was actively patching any binaries he downloaded with a piece of malware. He downloaded binaries from a variety of sources, including, and each of them came loaded with malicious code that opens a port to listen for commands and starts sending HTTP requests to a remote server.

Pitts wrote "Out of over 1110 exit nodes on the Tor network, this is the only node that I found patching binaries, although this node attempts to patch just about all the binaries that I tested.  The node only patched uncompressed PE files. This does not mean that other nodes on the Tor network are not patching binaries; I may not have caught them, or they may be waiting to patch only a small set of binaries."

Pitts informed Tor project officials and they flagged the node as bad.

No comments

Powered by Blogger.