back to article Tor exit node mashes malware into downloads

A Tor exit node has been found slapping malware onto downloads as users exit the hidden network and enter the public web. Leviathan Security Group researcher Josh Pitts found the operator of the Russia-based node compromising binaries only a month after raising concerns of the possible attack. He created the Backdoor Factory …

  1. Hans 1

    This sucks, big time. Not that I use tor, however, I guess this can also be used to tamper with Linux and OS X executables. Is this only limited to tor network ? Any thoughts ?

    1. Anonymous Coward
      Anonymous Coward

      Won't work on Linux, binaries are signed when using the package repositories. If they get tampered with in-flight then the package manager will flip its shit.

      Maybe one day MS will catch up with 20 years ago. I mean, they only just started to supply virtual workspaces!

      1. Anonymous Coward
        Anonymous Coward

        Won't work on Windows either. The article hints that Windows Update will reject the compromised updates. At most its diversionary to install a compromised iFixIt tool with administrative rights.

        1. Anonymous Coward
          Anonymous Coward

          On Linux even the equivalent of a tampered iFixit would get refused. The package manager controls installs for the *entire* system, not just the vendor OS and a few vendor packages.

      2. Anonymous Coward
        Anonymous Coward

        Won't work on Linux... unless you're downloading something - like Firefox - directly from the source, because you don't want the version from your distro package repository. Central control is a half-ass solution to security.

        1. Anonymous Coward
          Anonymous Coward

          Err....if I don't want the version from my distro I can add a PPA (or equivalent) and that is also cryptographically signed. Any change to those binaries in-flight is detected.

          If one is downloading source, then one is an atypical user (probably a developer of some kind) and even then the source can be verified against a crypto signature in a very similar way to the package manager. It's just a bit more manual, which is no big deal to a developer.

          If I choose to add an *unsigned* repository or download an compile source without verification...then no amount of security will help as I have chose to bypass it.

          If one doesn't know about a topic, it's best to remain quiet and listen/read in order to learn.

          1. Mark 65

            Err....if I don't want the version from my distro I can add a PPA (or equivalent) and that is also cryptographically signed.

            Does that not assume that this process cannot be subverted i.e. the PPA signature? We are talking about people downloading through Tor after all.

  2. Pierson

    Same vulnerability both on and off TOR

    Of course, if your dowloads are vulnerable to MITM over TOR, then they're equally vulnerable to it over 'regular' Internet, too.

    The main difference is that on TOR, there is a somewhat higher chance that someone is attempting to actually attack your traffic at any given time.

  3. Mevi

    Never ever trusted TOR enough to use it

    Surely, adding multiple anonymous men-in-the-middle to your Internet traffic makes you an attractive, complacent and vulnerable target for malicious anonymous men-in-the-middle?

    1. Dr. Mouse

      Re: Never ever trusted TOR enough to use it

      The advantages of TOR come when you only use TOR. As soon as they exit onto the real internet, you are vulnerable.

      The "multiple anonymous men-in-the-middle" shouldn't be able to see your traffic, as it is all encrypted until it reaches it's endpoint. If the endpoint is an exit node, you loose that protection as soon as you exit. If the endpoint is a TOR node, your data can only be seen by it's intended recipient.

      1. Old Handle

        Re: Never ever trusted TOR enough to use it

        You can also use https to theoretically get protection for the last step, but of course that has been proven repeatedly to be imperfect.

        1. gollux

          Re: Never ever trusted TOR enough to use it

          Too much stench of the G-Man on it...

  4. Valeyard

    and yet..

    ..I still feel that it's safer to let criminals attach nasties in and my own ability to deal with such than go about my daily business where my own government can see it 'for my own good'

  5. Pascal Monett Silver badge

    "critical for users in countries targeted by their governments"

    I"m sorry, doesn't that mean EVERYBODY these days ?

  6. ElNumbre

    Big Hairy Onions

    People shouldn't be using TOR to download binaries anyway.


    1. Anonymous Coward
      Anonymous Coward

      Re: Big Hairy Onions

      There is an argument to be made about downloading tails via a TOR browser on a fresh VM instance.

  7. Terry Cloth

    Doesn't this mean every TOR user should run her own exit node?

    Seems to me, if you run an exit node that talks solely to your internal network, you're safe from this particular problem. Of course, for anonymity you also need to run an ordinary (transit?) node so your traffic gets mixed in with the general flow.

    And, of course, it doesn't protect you from an evil entry node, if vulnerable to the analogous problem. Hmmm, also problematic if you can't choose your exit node, or if that choice makes you identifiable. Could someone better informed on TOR internals comment?

    1. Myvekk

      Re: Doesn't this mean every TOR user should run her own exit node?

      I don't know all the internals, but YOU are the entry node, so if you become targeted by an evil entry node, you only have yourself to blame! :p

  8. as2003

    Uh, what?

    Wouldn't this 'FixIt' program be signed too? (And if not, it would be trivial to do so).

    Regardless, this MITM attack isn't exclusive to TOR, it's just as feasible to do with with regular internet.

    Furthermore, I wasn't aware that you can mark exit nodes as "BadExit". That's a pretty cool feature; one that doesn't appear in the regular internet.

    The story implies that TOR is dangerous - but as far as I can tell, it's actually safer than regular internet.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like