Tor Exit Node Found Maliciously Modifying Files

A researcher has identified an exit node on the Tor anonymity network which is set up to maliciously modify the files that go through it.

Josh Pitts, a researcher with the Leviathan Security Group, has been analyzing ways to alter binary files during download with the aid of man-in-the-middle (MitM) attacks. In a presentation he made at the DerbyCon security conference this year, the expert noted that cybercriminals had probably been using techniques similar to the one he disclosed, but he only had circumstantial evidence.

To put his theory to the test, Pitts developed a module for Exitmap, a Python-based tool that allows users to check Tor exit nodes for traffic modifications. Roughly an hour after he started running the tool, the researcher identified a “very active” Russian exit node that was wrapping binary files that passed through it with malware.

By wrapping the legitimate file with their malicious binary, the attackers can bypass mechanisms designed to check the file’s integrity.

“Out of over 1110 exit nodes on the Tor network, this is the only node that I found patching binaries, although this node attempts to patch just about all the binaries that I tested,” Pitts said in a blog post. “The node only patched uncompressed PE files. This does not mean that other nodes on the Tor network are not patching binaries; I may not have caught them, or they may be waiting to patch only a small set of binaries.”

The Russia-based exit node was reported to the Tor Project.

“Companies and developers need to make the conscious decision to host binaries via SSL/TLS, whether or not the binaries are signed. All people, but especially those in countries hostile to ‘Internet freedom,’ as well as those using Tor anywhere, should be wary of downloading binaries hosted in the clear—and all users should have a way of checking hashes and signatures out of band prior to executing the binary,” Pitts said.

Tor Project Leader Roger Dingledine says they have set the “BadExit” flag on the offending relay to protect users.


“We certainly do need more people thinking about more modules for the exitmap scanner. In general, it seems like a tough arms race to play and as you say, the better approach is to have applications not blindly trust unauthenticated bits they get from the Internet,” Dingledine wrote in a comment addressed to Pitts.

Circumstantial evidence of attacks

Before he had solid proof that someone was actually “patching” files, Pitts analyzed the error messages that such tampering can produce.

Some software developers sign their files so that tampering can be detected. In the case of Windows, for instance, if someone modifies Windows Update PE files, the update process triggers an error and the components are not installed, because of a verification mechanism implemented by Microsoft. According to the expert, the same error is shown if the file is truncated during download (the most plausible scenario) or if the Microsoft certificate verification process itself is broken (an unlikely case).

The thread on this topic on the official Microsoft Answers website has been viewed over 34,000 times, which indicates that this is a common problem. Those who encounter this issue are in some cases advised by Microsoft to download patches, or so-called “FixIt” solutions, that should address the problem.

Pitts believes this could be leveraged by someone who is adding malware to files as they are downloaded by users. For example, the attacker first alters the Windows Update files. These files are not executed because of the integrity verification mechanism from Microsoft. However, the error will make users visit the Microsoft Answers website where they are advised to download the patches.

If the attacker can attach malware to these patches, he doesn’t have to worry about the malicious file being flagged because it’s downloaded and executed by the user; it doesn’t go through the update process which verifies the files. Furthermore, the malicious payload is executed with administrator privileges because that is how official patches from Microsoft are executed.

Another piece of evidence that has led the researcher to believe someone could be altering files using methods similar to the one he described is related to NSIS (Nullsoft Scriptable Install System), a professional open source system for creating Windows installers.

NSIS includes a self-checking mechanism to ensure that files compiled with it have not been altered. By analyzing the error code that is displayed when a corrupt file is detected, Pitts noticed that many users had searched for it on Google. While in most cases the error was probably triggered by the binary being truncated during download over a poor Internet connection, there is also the possibility that some of the files were actually maliciously altered by cybercriminals, the expert said.
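Both Pitts’ advice (check hashes out of band before executing a download) and the NSIS observation (a self-check error cannot tell truncation from tampering) come down to the same defender-side check. The following is an added example, not code from Pitts, Leviathan, SecurityWeek or the NSIS project: it parses enough of a PE header to recognise an uncompressed PE file, then classifies a download against an expected length and SHA-256 obtained out of band. The sample “PE” bytes, the expected values and the function names are constructed for the example; `expected_len` and `expected_sha256` stand in for whatever a vendor publishes alongside the binary.

```python
import hashlib
import struct


def build_sample_pe(payload: bytes = b"A" * 64) -> bytes:
    """Constructed sample: a minimal PE-shaped byte string, not a real executable.
    It has an 'MZ' DOS header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 64)  # e_lfanew = 64
    return bytes(dos_header) + b"PE\0\0" + payload


def is_pe(data: bytes) -> bool:
    """True if data carries a DOS header whose e_lfanew points at a PE signature.
    This is the same surface an exit node patching 'uncompressed PE files' keys on."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, expected_len: int, expected_sha256: str) -> str:
    """Classify a downloaded file against metadata obtained out of band.

    Returns "ok", "truncated" or "modified". A file shorter than the published
    length is the signature of an interrupted transfer; a file of any other
    length whose digest does not match has been altered in transit or at rest
    (a binary wrapped with extra code comes out longer than the original).
    A hash-only check, like the NSIS self-check, would report both as 'corrupt'.
    """
    if len(data) < expected_len:
        return "truncated"
    if sha256_hex(data) != expected_sha256.lower():
        return "modified"
    return "ok"


def demo() -> dict:
    """Run the three cases against a constructed sample and return the verdicts."""
    original = build_sample_pe()
    published_len = len(original)            # assumption: published out of band
    published_hash = sha256_hex(original)    # assumption: published out of band
    cases = {
        "intact": original,
        "truncated": original[:50],          # interrupted download
        "appended": original + b"\x90" * 16,  # constructed tampering: extra bytes
    }
    return {name: verify_download(blob, published_len, published_hash)
            for name, blob in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point of keeping the published length next to the hash is diagnostic, not cryptographic: the hash alone is what decides whether the file may run, but the length lets a help desk or a scanner tell a flaky connection apart from an in-transit modification instead of sending every user to “download a FixIt”.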


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
