A security researcher has identified a Tor exit node that was actively patching binaries users download, adding malware to the files dynamically. The discovery, experts say, highlights the danger of trusting files downloaded from unknown sources and the potential for attackers to abuse the trust users have in Tor and similar services.

Josh Pitts of Leviathan Security Group ran across the misbehaving Tor exit node while performing some research on download servers that might be patching binaries during download through a man-in-the-middle attack. Downloading any kind of file from the Internet is a dodgy proposition these days, and many users know that if they’re downloading files from some random torrent site in Syria or the Marshall Islands, they are rolling the dice. Malware runs rampant on these kinds of sites.

But the scenario that worries security experts much more involves an attacker being able to control the download mechanism for security updates, say for Windows or OS X. If an attacker can insert malware into this channel, he could cause serious damage to a broad population of users, as those update channels are trusted implicitly by users and their machines. Legitimate software vendors typically sign their binaries, and modified ones will cause verification errors. What Pitts found during his research is that an attacker with a MITM position can actively patch binaries, if not security updates themselves, with his own code.

Pitts built a framework called BDF (Backdoor Factory) that can patch executable binaries with shellcode in such a way that the binary will still execute as intended, without the user noticing. He wanted to see whether anyone was conducting this kind of attack on the Internet right now, so he decided to have a look at Tor, the anonymity network, which is used by people around the world.

“To have the best chance of catching modified binaries in transit over the Internet, I needed as many exit points in as many countries as possible.  Using Tor would give me this access, and thus the greatest chance of finding someone conducting this malicious MITM patching activity,” Pitts wrote in his explanation of the research.

“After researching the available tools, I settled on exitmap.  Exitmap is Python-based and allows one to write modules to check exit nodes for various modifications of traffic.  Exitmap is the result of a research project called Spoiled Onions that was completed by both the PriSec group at Karlstad University and SBA Research in Austria. I wrote a module for exitmap, named patchingCheck.py, and have submitted a pull request to the official GitHub repository. Soon after building my module, I let exitmap run.  It did not take long, about an hour, to catch my first malicious exit node.”

The exit node in question was in Russia, and Pitts discovered that the node was actively patching any binaries he downloaded with a piece of malware. He downloaded binaries from a variety of sources, including Microsoft.com, and each of them came loaded with malicious code that opens a port to listen for commands and starts sending HTTP requests to a remote server.

Pitts informed officials at the Tor Project, who quickly flagged the exit node as bad.

“We’ve now set the BadExit flag on this relay, so others won’t accidentally run across it. We certainly do need more people thinking about more modules for the exitmap scanner. In general, it seems like a tough arms race to play,” Roger Dingledine, one of the original developers of Tor, wrote in a message on a Tor mailing list Friday.

In terms of defending against this sort of attack, Pitts suggested that encrypted download channels are the best option, both for users and site operators.

“SSL/TLS is the only way to prevent this from happening. End-users may want to consider installing HTTPS Everywhere or similar plugins for their browser to help ensure their traffic is always encrypted,” he said via email.

Pitts said that the relay in Russia was the only one he found that was exhibiting this malicious behavior, but that doesn’t mean it’s not happening elsewhere.

“Out of over 1110 exit nodes on the Tor network, this is the only node that I found patching binaries, although this node attempts to patch just about all the binaries that I tested.  The node only patched uncompressed PE files. This does not mean that other nodes on the Tor network are not patching binaries; I may not have caught them, or they may be waiting to patch only a small set of binaries,” he said.
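An offline model of the exitmap-style comparison Pitts describes (a module that fetches the same file through an exit and compares it with a trusted copy), added here as an example and not taken from exitmap or patchingCheck.py. The PE-shaped sample bytes and the in-transit modification are constructed; the check hashes both copies, and on a mismatch reports the modified byte ranges and whether the fetched file is a PE, since that was the only type the node touched.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class PatchReport:
    tampered: bool
    reference_sha256: str
    fetched_sha256: str
    size_delta: int          # bytes appended (+) or removed (-) in transit
    is_pe: bool              # whether the fetched file is a PE executable
    changed_regions: list = field(default_factory=list)  # [(offset, length), ...]

def is_pe_file(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def changed_regions(reference: bytes, fetched: bytes) -> list:
    """Contiguous byte ranges where fetched differs from reference (length changes count)."""
    regions, start = [], None
    common, total = min(len(reference), len(fetched)), max(len(reference), len(fetched))
    for i in range(total):
        differs = i >= common or reference[i] != fetched[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            regions.append((start, i - start))
            start = None
    if start is not None:
        regions.append((start, total - start))
    return regions

def compare_download(reference: bytes, fetched: bytes) -> PatchReport:
    """Hash both copies (as an exitmap module would); on mismatch locate the modified ranges."""
    ref_h = hashlib.sha256(reference).hexdigest()
    got_h = hashlib.sha256(fetched).hexdigest()
    regions = changed_regions(reference, fetched) if ref_h != got_h else []
    return PatchReport(ref_h != got_h, ref_h, got_h,
                       len(fetched) - len(reference), is_pe_file(fetched), regions)

# Constructed sample: a minimal PE-shaped file (MZ stub, e_lfanew=0x40, PE signature,
# 16 bytes of code, 16 zero bytes) and a copy with bytes overwritten and appended in transit.
REFERENCE = (b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little")
             + b"PE\0\0" + b"\xCC" * 16 + b"\0" * 16)
_patched = bytearray(REFERENCE)
_patched[88:90] = b"\x41\x42"   # two bytes overwritten inside the zero run
_patched += b"\x43" * 4         # four bytes appended
TAMPERED = bytes(_patched)
```

In a real scan the reference copy comes from a direct, TLS-protected connection and the fetched copy through each exit under test; a mismatch on a file that verifies fine directly is the signal that the path, not the origin, altered it.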

This isn’t the first time that attackers have been found using such an attack in the wild. In 2012 the Flame malware was seen using a complicated technique that involved the attackers using a forged Microsoft certificate to impersonate a Windows Update server and distribute Flame to more users. That attack involved a lot of moving parts and was a highly targeted attack, whereas the Tor attack Pitts found is applicable to a much wider potential population.

“The problem of modified binaries is not limited to Tor. We highlight the example because of some of the misconceptions people have about Tor providing increased safety. In general, users should be wary of where they download software and ensure they are using TLS/SSL. Sites not supporting TLS/SSL should be persuaded to do so,” Pitts said.


Comments (6)

  1. Taylor

    I did a quick command-f for torrents, and was surprised to find no defense already posted… Guess it’s up to me then.

    The way torrent downloads (the protocol?) work is inherently safe in this context. When you download a torrent, you are getting lots of little pieces from the other peers that are downloading at the same time you are. Unlike a tor exit node, the torrenting protocol has some kind of assurance that you are downloading the same file-set that everyone else is getting. This is no assurance that the contents of whatever you have chosen to download are not full of malware, but it does mean that you are at the very least getting the same thing that everyone else is getting.

    In the case detailed in this article, the protocol picks a random exit node for your traffic, but that single node might be compromised and is already in a unique position to perform a man in the middle attack on your traffic. Torrents by definition of the protocol actually provide a kind of insurance against this kind of attack!

    So just remember kids: tor =! torrent

  2. Kratoklastes

    This attack is not possible unless people install Tor (or whatever soft is the problem) without checking the hash checksum of the file they download; otherwise a MITM attack would actually have to hijack the source site.

    That said: anyone who simply uses, e.g., wget, to fetch both an install package and its hash checksum, faces the prospect that they are fed both by a MITM.

    That’s why it’s appallingly bad practice to do that, and anybody who does so is a moron.

    The vulnerability of some hash functions (like MD5) to hash collisions, means that people who continue to sign their softs with MD5 are also idiots (or are doing so in ignorance of the vulnerability of MD5, which means they’re incompetent or malicious). SHA-1 (which was used in Tor until about 2008) is likewise not entirely trustworthy – although the collision attack remains largely theoretical, and takes O(2^63) time.

    And it goes without saying: if you install any software from a repository other than its author, you stand a much higher probability of being fed stuff that will phone home or otherwise compromise your datasec… and it will be entirely your own fault. Someone who is sufficiently concerned about surveillance to bother downloading TOR, ought to have the wit to do so in a way that does not lift their skirts.

  3. heh

    md5 or sha256 check ? if you’re using tor you are already afraid that they might be intercepting you or your packages… who wouldn’t double check their downloads coming from such a network ? ….

  4. Dom De Vitto

    Good point !

    I’d better start live patching the download & checksum pages so they match the executables…
