Rogue Tor exit node injects malware into downloaded binaries

News by Doug Drinkwater

A security researcher has discovered a 'bad' Russia-based Tor exit node which was being used to inject malware into downloaded binary files.

Josh Pitts, a researcher at the Leviathan Security Group, warned at DerbyCon last month that binaries are often served unsigned and without transport layer security (TLS) encryption, leaving them open to man-in-the-middle (MITM) patching during download that turns a legitimate executable into malware.

Speaking at the conference, he admitted that this technique of ‘patching' binaries “might already be in use” – although he noted that he only had circumstantial evidence at that time.

One month on, the researcher has revealed that he found one exit node, hosted on a server in Russia, that was actively patching uncompressed Windows PE (Portable Executable) files as they were downloaded, dynamically adding malware to them. He found it after scanning roughly 1,100 Tor exit nodes using his own Backdoor Factory (BDF) research tool.

“Out of over 1110 exit nodes on the Tor network, this is the only node that I found patching binaries, although this node attempts to patch just about all the binaries that I tested. The node only patched uncompressed PE files. This does not mean that other nodes on the Tor network are not patching binaries; I may not have caught them, or they may be waiting to patch only a small set of binaries,” he said in his analysis.

Pitts added that users should be wary of downloading code that is not protected by SSL/TLS, even if the binary itself is digitally signed, and urged users to use HTTPS when downloading executables from a remote server.

“All people, but especially those in countries hostile to ‘Internet freedom,' as well as those using Tor anywhere, should be wary of downloading binaries hosted in the clear - and all users should have a way of checking hashes and signatures out of band prior to executing the binary,” he wrote.
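The two checks Pitts recommends are an out-of-band hash (or signature) comparison before execution and a healthy suspicion of any PE that arrives over plaintext. The block below is an added example, not code from Pitts, Leviathan or the Tor Project: it builds a constructed, minimal PE32 file in memory, builds a second copy in which a hypothetical patcher has appended an executable section and redirected the entry point into it (an assumed patching mechanism, chosen for illustration), and then runs two checks a practitioner could apply to a real download: a constant-time SHA-256 comparison against a hash obtained out of band, and a PE header parse that reports which section holds AddressOfEntryPoint. The `build_pe`, `check_pe_download` and `.bdf` names are this example's own.

```python
import hashlib
import hmac
import struct

FILE_ALIGN = 0x200              # file alignment used for the constructed samples
IMAGE_SCN_CODE_RX = 0x60000020  # IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_READ
IMAGE_SCN_DATA_RW = 0xC0000040  # IMAGE_SCN_CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE

def _align(n, a):
    return (n + a - 1) // a * a

def build_pe(sections, entry_rva):
    """Build a minimal PE32 image (DOS header, NT headers, section table, raw data).
    Only used to construct sample input for this example; it is not a linker."""
    nsec = len(sections)
    opt_size = 0xE0                                      # standard PE32 optional header size
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * nsec
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew -> NT headers at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)  # i386 EXE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)           # AddressOfEntryPoint
    table, body = bytearray(), bytearray()
    raw_ptr = _align(hdr_len, FILE_ALIGN)
    for name, rva, data, chars in sections:
        raw_size = _align(len(data), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), rva,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + bytes(table)).ljust(
        _align(hdr_len, FILE_ALIGN), b"\0")
    return bytes(headers + body)

def parse_pe(pe):
    """Return (entry_rva, [(name, rva, size), ...]); raise ValueError if not a PE."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", pe, opt + 16)[0]    # same offset in PE32 and PE32+
    sec_tbl = opt + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, _raw_ptr = struct.unpack_from("<8sIIII", pe, sec_tbl + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, max(vsize, raw_size)))
    return entry, sections

def entry_point_section(pe):
    """Name of the section containing AddressOfEntryPoint, or None if it maps nowhere."""
    entry, sections = parse_pe(pe)
    for name, va, size in sections:
        if va <= entry < va + size:
            return name
    return None

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def verify_download(data, expected_sha256_hex):
    """Compare against a hash obtained out of band, in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256_hex.strip().lower())

def check_pe_download(data, expected_sha256_hex):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not verify_download(data, expected_sha256_hex):
        findings.append("sha256 mismatch: file differs from the hash published out of band")
    try:
        sec = entry_point_section(data)
    except (ValueError, struct.error) as exc:
        findings.append("not a parseable PE: %s" % exc)
        return findings
    if sec != ".text":
        findings.append("entry point lies in %r, not .text: possible in-transit patch or packer" % sec)
    return findings

# Constructed samples (not real binaries): a tiny PE whose entry point is in .text, and the
# same file after a hypothetical patcher appended an executable section and pointed the
# entry point at it. The hash a vendor would publish out of band is that of the original.
_CODE = b"\x55\x89\xe5\x31\xc0\x5d\xc3"       # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
_DATA = b"hello\0"
_PAYLOAD = b"\xcc" * 16                       # stand-in for injected code
ORIGINAL = build_pe([(".text", 0x1000, _CODE, IMAGE_SCN_CODE_RX),
                     (".data", 0x2000, _DATA, IMAGE_SCN_DATA_RW)], entry_rva=0x1000)
PATCHED = build_pe([(".text", 0x1000, _CODE, IMAGE_SCN_CODE_RX),
                    (".data", 0x2000, _DATA, IMAGE_SCN_DATA_RW),
                    (".bdf", 0x3000, _PAYLOAD, IMAGE_SCN_CODE_RX)], entry_rva=0x3000)
PUBLISHED_HASH = sha256_hex(ORIGINAL)

if __name__ == "__main__":
    print("original:", check_pe_download(ORIGINAL, PUBLISHED_HASH) or "ok")
    print("patched: ", check_pe_download(PATCHED, PUBLISHED_HASH))
```

The hash comparison is only as good as the channel the hash came over: a digest fetched in the clear through the same exit node can be rewritten along with the binary, so it has to come from an authenticated source (an HTTPS page from a pinned host, a signed release manifest, a colleague on another network). The entry-point heuristic is a triage signal rather than proof, since packers and some legitimate build tools also place the entry point outside `.text`, and it does not replace verifying the publisher's Authenticode signature before running the file.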

Pitts alerted the Tor Project to the issue, and the group has since flagged it as a ‘bad' exit node.

“We've now set the BadExit flag on this relay, so others won't accidentally run across it,” said Roger Dingledine, one of the original developers of Tor, in a message to Tor mailing list subscribers on Friday.

He warned that users should “not blindly trust unauthenticated bits they get from the Internet”, while Pitts said that “anonymity does not guarantee security.”

Security firm Symantec has since confirmed that the code the exit node was injecting has links to the MiniDuke Trojan, which affects Windows XP, Windows 2000, Windows Vista and Windows 7. Symantec already detects it as ‘Backdoor.Miniduke!Gen4'.

Responding to the news, Dr Gareth Owen, senior lecturer at the School of Computing, University of Portsmouth, told SC: “Using Tor to access non-HTTPS websites is very dangerous as any attacker can modify the traffic you receive, from simply inserting ads to intercepting form data.

“Downloading binaries, documents or any kind of files through Tor from a non-HTTPS site puts you at significant risk of being de-anonymised or being provided with malware. It's trivially easy to patch binaries on the fly - traditional viruses have been doing it for years. It's little surprise to learn that an enterprising hacker is doing it on a Tor exit node - it's a novel way to infect computers.”

Mikko Hypponen, the acclaimed security researcher and CTO at F-Secure, added in an email exchange with SC that this shows the threat is 'not just theoretical'.

"We've always known that an attack like this is possible. We've always known you shouldn't be downloading binaries via Tor without using VPNs.

"However, this is a demonstration that this threat is not just theoretical. It is actually happening for real."

Meanwhile, in related news, users are being advised to avoid a fake Tor website and have been warned of a new ransomware attack targeting.

“Several people contacted The Tor Project recently because some software told them to install the Tor Browser to access a website. There is no affiliation between these criminals and Tor,” a company spokesperson said.

“The computer is probably infected with what's called ransomware. This is a kind of malicious software which restricts access to the files and demands a ransom. In this case the authors of the ransomware CryptoLocker set up a website which is only reachable by using Tor. That is why people are thinking that the software is somehow related to The Tor Project.”

Tor is short for The Onion Router and is widely used by journalists, activists and criminals alike to conceal their IP addresses and mask their web browsing activity. The software has been scrutinised by both the US and Russian governments, with the latter offering a £60,000 bounty to any local individual or business who can crack its encryption.
