Researcher Finds Tor Exit Node Adding Malware to Binaries
The Kaspersky Lab Security News Service ^ | October 24, 2014, 12:07 pm | Dennis Fisher

Posted on 10/24/2014 6:54:44 PM PDT by Utilizer

A security researcher has identified a Tor exit node that was actively patching binaries users download, adding malware to the files dynamically. The discovery, experts say, highlights the danger of trusting files downloaded from unknown sources and the potential for attackers to abuse the trust users have in Tor and similar services.

Josh Pitts of Leviathan Security Group ran across the misbehaving Tor exit node while performing some research on download servers that might be patching binaries during download through a man-in-the-middle attack. Downloading any kind of file from the Internet is a dodgy proposition these days, and many users know that if they’re downloading files from some random torrent site in Syria or The Marshall Islands, they are rolling the dice. Malware runs rampant on these kinds of sites.

But the scenario that worries security experts much more involves an attacker being able to control the download mechanism for security updates, say for Windows or OS X. If an attacker can insert malware into this channel, he could cause serious damage to a broad population of users, as those update channels are trusted implicitly by the users and their machines. Legitimate software vendors typically will sign their binaries and modified ones will cause verification errors. What Pitts found during his research is that an attacker with a MITM position can actively patch binaries–if not security updates–with his own code.

(Excerpt) Read more at threatpost.com ...


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: binaries; malware; mswindows; securitybreach; tor
Tor users beware - you may already be infected.

Related link:

http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/

1 posted on 10/24/2014 6:54:44 PM PDT by Utilizer

To: Utilizer

Updated link:

http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/


2 posted on 10/24/2014 6:55:17 PM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzlims trying to kill them-)

To: Utilizer

There is no escape. The internet is a rigged game.


3 posted on 10/24/2014 7:09:20 PM PDT by ImJustAnotherOkie (zerogottago)

To: Utilizer

Use a virtual machine.


4 posted on 10/24/2014 7:51:46 PM PDT by Vendome (Don't take life so seriously-you won't live through it anyway-Enjoy Yourself ala Louis Prima)

To: Utilizer
I read this 3 times - I still do not understand it.

Can someone post a clear explanation. Thanks.

No disrespect meant to the OP - I'm just 'geek-lite.'
5 posted on 10/24/2014 7:55:00 PM PDT by Tainan (Cogito, ergo conservatus sum -- "The Taliban is inside the building")

To: Vendome

I guess you could boot from a Linux live cd after disabling your hard drive(s) in the bios.


6 posted on 10/24/2014 7:55:12 PM PDT by Dalberg-Acton

To: ImJustAnotherOkie

Like a Pachinko machine!


7 posted on 10/24/2014 8:12:10 PM PDT by Vendome (Don't take life so seriously-you won't live through it anyway-Enjoy Yourself ala Louis Prima)

To: Dalberg-Acton

Sure, why not use a VM?

If it gets whacked use another copy.


8 posted on 10/24/2014 8:14:01 PM PDT by Vendome (Don't take life so seriously-you won't live through it anyway-Enjoy Yourself ala Louis Prima)

To: Vendome

I’ll see your ‘eh?’ and raise you a ‘wtf?’.


9 posted on 10/24/2014 8:14:49 PM PDT by bakeneko

To: Utilizer

It strikes me that no one should be updating their Operating System software using an anonymized TOR connection... which is what a TOR is used for. It is a network for persons who want to connect to the Internet anonymously. If you want to update your software, connect without the TOR. Then return to your secret surfing after your software has been updated.

Perhaps software pirates might want this for stolen software? If so, they might deserve what they get.


10 posted on 10/24/2014 8:31:45 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: ImJustAnotherOkie

“There is no escape. The internet is a rigged game.”

I agree. I never use it.


11 posted on 10/24/2014 8:34:57 PM PDT by HereInTheHeartland (Obama lied; our healthcare died.)

To: HereInTheHeartland

ROFL...Oh so you get the OSMOSIS version of Free Republic? Expensive isn’t it?


12 posted on 10/24/2014 8:35:51 PM PDT by Kackikat (Two wrongs do NOT make a right.... unless you are a Democrat!)

To: Swordmaker

Seriously, this is all Greek to me, or should I say geek... what does this mean?


13 posted on 10/24/2014 8:38:27 PM PDT by Kackikat (Two wrongs do NOT make a right.... unless you are a Democrat!)

To: Utilizer

Shocking.

Or maybe, well duh.


14 posted on 10/24/2014 8:44:37 PM PDT by Henry Hnyellar

To: Kackikat

I dunno; I just always stay off the internet. It's not a good place.


15 posted on 10/24/2014 8:46:38 PM PDT by HereInTheHeartland (Obama lied; our healthcare died.)

To: Tainan

OK, not certain which part you do not understand so I will go by some assumptions of necessity.

TOR is a system by which you can (to a huge extent) use the internet very securely since they use a number of very secure providing locations which are configured to not allow anyone to track your location or the sites you visit. In layman’s terms.

MS-Windows users have been using this network for secure lines when they perform their OS “upgrades” to ensure they only download software that is supposed to be uninfected by malware, but it turns out that a few of the servers in the TOR network have been compromised, and have been modifying software on-the-fly that people have been downloading without the knowledge of the originating agency (M-soft) or the user since the indicators such as the hashtag verifier have also been compromised.

The result has been that instead of getting a “pure” upgrade from the MS people, they have been getting infected software without any warnings from the system or the virus-scanning utilities. This is why this information provided in the referenced article is so important, so people are informed that they might have unintentionally been infected despite the precautions taken to protect their machines.

Hope that is not too muddled to understand. :)


16 posted on 10/24/2014 8:53:06 PM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzlims trying to kill them-)

To: Kackikat
Seriously, this is all Greek to me, or should I say geek... what does this mean?

As I understand it, there are internet nodes that can operate anonymously, bypassing the standard nodes normally used. These TOR "nodes" will allow a user to operate anonymously by acting as a PROXY sending on the users' requests, with a spoofed address, and then handling the return responses and returning them to the correct addressing, and not leave a traceable trail of where the user goes on the Internet.

A few of the "exit nodes," those returning the data to the user, are intercepting upgrade packets for software or operating system security upgrades, and secretly acting as Man-in-the-middle servers, taking the incoming packets from their originating true servers coming from, say Microsoft, adding malware, and then sending them on to the users. They are apparently also spoofing the security certificates in some way. That is difficult to believe.

Does that help?

17 posted on 10/24/2014 8:54:30 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Utilizer

It was probably a government node.


18 posted on 10/24/2014 11:21:18 PM PDT by zeugma (The act of observing disturbs the observed.)

To: Vendome

Not only can you whack the VM if it is compromised, you can also create it so that state information is never saved. That way, it is always a pristine image each time it boots.


19 posted on 10/24/2014 11:23:58 PM PDT by zeugma (The act of observing disturbs the observed.)

To: Utilizer
I bet Steve Gibson's Fingerprint service would have caught this attack.

http://www.computerworld.com/article/2475102/cybercrime-hacking/steve-gibson-s-fingerprint-service-detects-ssl-man-in-the-middle-spying.html

It's good that the modified Windows update files failed their integrity checks and were not installed, but they should never have been downloaded at all.

I just checked, and Windows fixit file downloads are from http://diagnostics.support.microsoft.com. That's not even an https connection.

20 posted on 10/25/2014 1:24:45 AM PDT by TChad (The Obamacare motto: Dulce et decorum est pro patria mori.)
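The two checks the article's last paragraph and comment 20 turn on (an integrity check on the downloaded file, and refusing a plain-HTTP download location) as an added example; this is not code from the article, from Leviathan Security, or from any poster, and the "installer" bytes and the published digest are constructed stand-ins.

```python
"""Defender-side checks for a downloaded binary (added illustration).

The file's SHA-256 is compared, in constant time, against a digest the user
obtained out of band (e.g. read from the vendor's HTTPS page), and the
download URL is required to use HTTPS, since an exit node sitting on a
plain-HTTP path can rewrite the bytes in transit without being noticed.
"""
import hashlib
import hmac
import io
from urllib.parse import urlparse


def sha256_hex(stream, chunk_size=65536):
    """Hash a file-like object in chunks so large installers fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def verify_download(data: bytes, expected_hex: str) -> bool:
    """True only if the bytes match the out-of-band published SHA-256."""
    actual = sha256_hex(io.BytesIO(data))
    # Constant-time comparison: no timing hint about how many hex chars matched.
    return hmac.compare_digest(actual, expected_hex.lower())


def transport_is_protected(url: str) -> bool:
    """Reject plain-HTTP download locations, which a MITM can rewrite freely."""
    return urlparse(url).scheme == "https"


# Constructed stand-in for a small installer; a real binary is checked the same way.
PRISTINE = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode." + b"\x00" * 200
# Constructed "published" digest, the value a user reads from the vendor's page.
PUBLISHED_SHA256 = hashlib.sha256(PRISTINE).hexdigest()
# Constructed copy with a single byte altered, standing in for an in-transit edit.
TAMPERED = PRISTINE[:100] + b"\x90" + PRISTINE[101:]

if __name__ == "__main__":
    print("pristine verifies:", verify_download(PRISTINE, PUBLISHED_SHA256))  # True
    print("tampered verifies:", verify_download(TAMPERED, PUBLISHED_SHA256))  # False
    # The fixit host from comment 20 is fetched over http, so it fails the transport check.
    print("http protected:", transport_is_protected("http://diagnostics.support.microsoft.com/"))  # False
```

The digest must come from a channel the exit node cannot touch; a hash served over the same plain-HTTP path as the file proves nothing.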

