Tor users advised to run malware checks

Douglas Crawford

October 28, 2014

At least one Tor relay node has been caught modifying programs downloaded for Windows, adding malicious code to them.

The malicious relay node (or nodes), which carries out a special form of Man in the Middle (MitM) attack, is based in Russia and was spotted by security researcher Josh Pitts (who explains details of the attack here). It is unknown how long the problem has persisted.

Pitts tested the BDFProxy tool (similar to the software used by the malicious Tor node to wrap downloads in malware) ‘against a number of binaries and update processes, including Microsoft Windows Automatic updates,’ and was alarmed to find that although the Microsoft Update process was able to spot that the original download had been tampered with, it tried to solve the issue by downloading a ‘Fixit’ patch which was then also tampered with, and which was not verified by Windows Update:

If an adversary is currently patching binaries as you download them, these ‘Fixit’ executables will also be patched. Since the user, not the automatic update process, is initiating these downloads, these files are not automatically verified before execution as with Windows Update. In addition, these files need administrative privileges to execute, and they will execute the payload that was patched into the binary during download with those elevated privileges.

It should be noted that this kind of MitM attack is not specific to Tor (your ISP or VPN provider could do it), but because you have no way of knowing who is running the Tor relay nodes your data passes through, Tor users are particularly at risk.

The simplest way to protect against such an attack is to ensure that you are connected to a trusted download site using an SSL encrypted connection (the web address starts with https:// and you see a padlock icon in your address bar).

The Tor Browser includes the HTTPS Everywhere extension by default, which automatically forces connection via HTTPS if possible, but if no HTTPS is available it will default to regular unencrypted HTTP.

Pitts also notes that ‘all users should have a way of checking hashes and signatures out of band prior to executing the binary.’ We explain how to check hashes here, although it should be remembered that hackers can pwn (hack) unencrypted websites and post fake integrity hashes. The use of digital signatures is more secure.
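As an added illustration of the out-of-band hash check Pitts recommends (example code written for this page, not from Pitts or the article), the snippet below hashes a downloaded file and compares it with a hash the user obtained separately. The ‘binary’ and the in-transit modification are constructed stand-ins: the modified copy keeps the original size, which is why a file-size check passes while the hash check correctly fails.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the bytes actually received."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, expected_sha256: str) -> bool:
    """Compare the received file's hash with one obtained out of band.

    compare_digest is used so the comparison does not leak timing information;
    the expected value is normalised because published hashes vary in case/whitespace.
    """
    return hmac.compare_digest(sha256_hex(data), expected_sha256.strip().lower())


def size_check_passes(data: bytes, expected_size: int) -> bool:
    """A size-only check, shown here to demonstrate why it is not enough."""
    return len(data) == expected_size


# Constructed stand-in for a Windows executable (only the 'MZ' magic is realistic).
ORIGINAL = b"MZ" + b"\x90" * 60 + b"ORIGINAL-PROGRAM-CODE" + b"\x00" * 41

# Constructed stand-in for a copy modified in transit: a 14-byte stretch is
# overwritten in place, so the length is identical to the original.
_patched = bytearray(ORIGINAL)
_patched[2:16] = b"INJECTED-CODE!"  # exactly 14 bytes, keeps the size unchanged
TAMPERED = bytes(_patched)

# The publisher's hash as the user would obtain it out of band; here it is
# computed from the untampered bytes to stand in for that separate channel.
PUBLISHED_SHA256 = sha256_hex(ORIGINAL)

if __name__ == "__main__":
    for label, blob in (("original", ORIGINAL), ("tampered", TAMPERED)):
        print(label,
              "size ok" if size_check_passes(blob, len(ORIGINAL)) else "size mismatch",
              "hash ok" if verify_download(blob, PUBLISHED_SHA256) else "HASH MISMATCH")
```

Only a file whose hash matches the out-of-band value should be executed; a published hash fetched over plain HTTP from the same site is not independent of the download path, which is the point the article makes about signatures.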

In the meantime, anyone who has downloaded software or updates over the Tor network is recommended to check their computer for malware…