Researcher Finds Tor Exit Node Adding Malware to Binaries

The Kaspersky Lab Security News Service ^ | October 24, 2014 , 12:07 pm | Dennis Fisher

[Utilizer]

A security researcher has identified a Tor exit node that was actively patching binaries users download, adding malware to the files dynamically. The discovery, experts say, highlights the danger of trusting files downloaded from unknown sources and the potential for attackers to abuse the trust users have in Tor and similar services.

Josh Pitts of Leviathan Security Group ran across the misbehaving Tor exit node while performing some research on download servers that might be patching binaries during download through a man-in-the middle attack. Downloading any kind of file from the Internet is a dodgy proposition these days, and many users know that if they’re downloading files from some random torrent site in Syria or The Marshall Islands, they are rolling the dice. Malware runs rampant on these kinds of sites.

But the scenario that worries security experts much more involves an attacker being able to control the download mechanism for security updates, say for Windows or OS X. If an attacker can insert malware into this channel, he could cause serious damage to a broad population of users, as those update channels are trusted implicitly by the users’ and their machines. Legitimate software vendors typically will sign their binaries and modified ones will cause verification errors. What Pitts found during his research is that an attacker with a MITM position can actively patch binaries–if not security updates–with his own code.

[Kackikat]

Amazing...I actually understood most of that information, thank you. You should be teaching.

[Tainan]

Utilizer - Thanks very much. Your explanation is comprehend-able to me.

Appreciate the time and help.

[Utilizer]

Quite welcome. Hope you got some useable information from the information the article was discussing.

Cheers!