Researcher Finds Tor Exit Node Adding Malware To Downloads
Trailrunner7 writes: A security researcher has identified a Tor exit node that was actively patching binaries users download, adding malware to the files dynamically. The discovery, experts say, highlights the danger of trusting files downloaded from unknown sources and the potential for attackers to abuse the trust users have in Tor and similar services. Josh Pitts of Leviathan Security Group ran across the misbehaving Tor exit node while performing some research on download servers that might be patching binaries during download through a man-in-the-middle attack.
What Pitts found during his research is that an attacker with a MITM position can actively patch binaries–if not security updates–with his own code. In terms of defending against this sort of attack, Pitts suggested that encrypted download channels are the best option, both for users and site operators. "SSL/TLS is the only way to prevent this from happening. End-users may want to consider installing HTTPS Everywhere or similar plugins for their browser to help ensure their traffic is always encrypted," he said via email.
I'm accessing this article through TOR (Score:5, Funny)
And I'm glad the article says everything is just fine and there are no problems. What a relief.
Checksums (Score:2, Insightful)
Or check the checksum
Re:Checksums (Score:4, Interesting)
Re: (Score:3)
None. What you need is a digital signature instead.
Re:Checksums (Score:4, Insightful)
What you need is a digital signature instead.
And make sure its signed by a large well known company that works at the government level. Then you are really safe !!!
Re: (Score:1)
The stupidity of some people is staggering. You have really zero clue what you are talking about.
Re: (Score:3)
So the extra exclamation points didn't help to explain it then?
Re: (Score:2)
I only start to get it after at least 4 exclamation marks.
Re: (Score:2)
Gweihir is saying you don't understand how digital signatures work, and I'm inclined to agree.
The file would be signed by the one distributing it, with a private key. Private keys are not disclosed to outside parties-- not even when you're getting your certificate issued by a trusted root. Even then, you simply generate a CSR, and hold the private key. The CSR and public key are sent to the certificate authority who signs them-- but as they NEVER see your private key, they have no ability to forge digital
Re: (Score:3)
Thanks, that is what I meant. I find that as I get older, my tolerance for clueless people gets lower.
A side-note on this: That the CA never sees your private key is a myth. In practically all real-world situations, the CA generates your private key (stupid, yes, I know, but greed, a.k.a. "business", trumps reason in this world) with the one exception of a PGP web-of-trust. That is why PGP signatures are a lot more trustworthy when verifying binaries these days.
Re: (Score:2)
In practically all real-world situations, the CA generates your private key (stupid, yes, I know, but greed, a.k.a. "business", trumps reason in this world) with the one exception of a PGP web-of-trust.
This just isn't true. Having worked with StartSSL, GoDaddy, Network Solutions, and a number of others-- all of them have you generate a CSR and keypair, and ask you to paste the CSR into a web form.
They NEVER generate your private key that I have seen, and I've been in consulting for nearly a decade.
Re: (Score:2)
So they fixed that. Good. Is that for private customers or for corporate ones?
Re: (Score:2)
Unfortunately, this cannot be explained but has to be experienced.
Re: (Score:2)
Unfortunately, this cannot be explained but has to be experienced.
Right. Existential malwariness.
Re: (Score:3)
Stagger is also a verb, as in to cause staggering. Specifically to cause doubt in one's own view and to leave one reeling in disbelief. Literally: that person's sheer stupidity (as demonstrated through their inability to detect sarcasm) is of such magnitude that I am starting to doubt the world around me, as previously my world view did not include people of such low intellect. The cognitive dissonance between that world view and this one has left me spinning and powerless to resist.
Hope this helps. Addition
Re: (Score:2)
It is not sarcasm if it misses the point. Then it is just stupid.
Re: (Score:2)
It is not sarcasm if it misses the point. Then it is just stupid.
....or darts.
Re: (Score:2)
Ok, that one was funny ;-)
Re: (Score:2)
There was no misunderstanding of sarcasm. The original comment-- sarcasm and all-- indicated a fundamental lack of understanding of how digital signatures work.
Re: (Score:3)
The inability of some people to detect sarcasm is also staggering.
In fairness, I think the sarcasm was encrypted.
Re: (Score:2)
Huh? What? What did I say?
Re: (Score:2)
who is your trustworthy CA?
Answer should be: NONE, one compromised CA should prompt the realisation and/or assumption that they're ALL compromised.
Re: (Score:2)
Who said anything about a CA? That idea is broken...
Re: (Score:2)
where else would you go to check the authenticity of what is essentially a random string salted based on a derived value of an arbitrary binary object?
Re: (Score:2)
Not from a CA, that is for sure. But listen kid, this is a really complicated area. Read up on it, and the solution how to do it right may make itself known to you. (Yes, you just asked a beginner's question.)
Defaults (Score:2)
Is "SSL connections only" an option with Tor? If so, it should be the default. Shouldn't be relying on the browser.
Re: (Score:2)
Nit: SSL 3.0 is deprecated and only supports lower-security algorithms. TLS 1.2 is the current, secure version of the standard.
Since a man-in-the-middle can negotiate TLS connections downward, SSL should be disabled entirely.
Re: (Score:2)
True enough. But then a click-through disclaimer or somesuch should be required to proceed. Or you could go into the settings and turn it off.
Re: (Score:2)
"HTTPS only" is a plug-in, on by default in the Tor Browser Bundle. The Tor dev team is really focused on making the browsing experience as normal as possible to encourage use over strong security by default. JS is enabled by default, for example (noscript is the other plug-in bundled, but I think it's turned off by default - haven't looked at Tor for a few years).
I understand the desire of the Tor team to encourage many people to use Tor for normal, legal browsing, and ultimately that's the best security
Re:Defaults (Score:5, Informative)
Sorry, "HTTPS everywhere", not "-only" - it tries HTTPS first, which helps with a bunch of sites so you don't have to bookmark the https version specifically, but still falls back to HTTP when needed.
Everyone should use that plugin in normal browsing IMO - it will drive traffic to HTTPS, and really there's no reason for non-HTTPS sites anymore Slashdot are you listening, you HTTP-only weenies?
Re: (Score:2)
Care to tell me how easy and free it is to do this for a hundred websites that brings zero profits?
So if TOR nodes can easily do it (Score:2, Informative)
Who's to say that your friendly ISP or government agency isn't doing the same? Or even better yet, how about for OS updates.
Last time I checked even my linux *.list files were referencing HTTP hosts rather than HTTPS (not that HTTPS is really much better, when gov't agencies are concerned)
Might make sense to use an SSL-enabled connection and a key that's provided with the distro.
Re: (Score:1)
If the packages are cross-checked against thumbprint files (which they really should be), then this sort of automatic infection system would fail unless it was somehow smart enough to remember the hashes and update the thumbprint files accordingly (which would require a LOT of state to maintain, as well as not being able to handle clients that download the thumbprint first). And if the packages are checked against G
Re: (Score:2)
What does SSL have to do with it? As you say yourself, as long as you are checking the signing key on each package, you can guarantee that the package is intact and genuine, not matter what the MITM tries to do. The worst that happens with http is that someone can determine which file you downloaded. Hence the injecting of malware can't happen to Linux packages (if the private key is secured by the distro maker). Couldn't happen to any signed executable either, but on Windows users often blindly allow p
I would hope your OS updates are signed (Score:3)
Probably varies Linux distro to distro. In Windows, the MSU files are all signed by MS so the download path isn't of issue, since if it is compromised any alterations to the file would break the signature.
Re: (Score:1)
Who's to say that your friendly ISP or government agency isn't doing the same? Or even better yet, how about for OS updates.
Your OS should already check binaries before installation; This is done with digital signatures (i.e. GPG and such) so HTTPS isn't required for protection.
The threat TFA is about is when the user/admin uses an installation method that circumvents or ignores the signature check.
In the Linux realm most popular distros are reasonably secure, but I noticed that Fedora's signature regime is incomplete and so is open to a MITM attack where any number of packages can be selectively prevented from receiving securit
The big question (Score:2)
Re: (Score:1)
If you are downloading binaries through tor and not doing any sort of signature verification on it then exactly the same thing can happen on any platform, it doesn't matter that this specific malicious exit was targeting windows executables.
SSL/TLS may not help if you use Cloudflare (Score:5, Interesting)
Cloudflare offers a fake SSL service called "Flexible SSL". [cloudflare.com] Cloudfront gets a cert generated with a long list of domains. Users connect to Cloudfront, Cloudflare sets up a secure connection from the user's browser to Cloudflare, acts as a man-in-the-middle, and makes an unencrypted connection to the destination host.
And, of course, there's an exploit for this. [bh.ht.vc]
Even if you buy Cloudflare's "most secure" option, and have SSL to your own server using your own certificate, you have to give Cloudflare your SSL cert's private keys. Does Cloudflare take responsibility for the security of your private keys? No. [cloudflare.com]
So do not use Cloudflare for sites which handle any valuable data, such as credit card numbers.
Re: (Score:2)
What does Cloudflare have to do with this article? Besides, Cloudflare does not require your private key if you use their "Keyless SSL" service,
Re: (Score:2)
This attack on binaries requires a MITM attack. The attacker must be in a position to intercept and modify the data. SSL only prevents that if it's end to end SSL. Using SSL over Cloudflare doesn't eliminate the possibility of an attack on binaries, because Cloudflare is a MITM itself. The exit from Cloudflare is vulnerable in exactly the way the exit from Tor is.
Re: (Score:2)
Unless you're using SSL settings that CloudFlare themselves caution is "less secure", the data is encrypted between the client and CloudFlare, and it's encrypted between CloudFlare and the origin server. There is no opportunity for a third party to modify the data, and the attack that you've described won't work.
Re: (Score:2)
If you don't trust them, then you shouldn't be using them in the first place. They have no incentive to be manipulating your data like that, their business model relies on customer trust.
Re: (Score:2)
My ISP apparently uses Cloudflare. The only information I have to this effect is the error page when I try to connect to a website that's down. So what can I do to avoid Cloudflare? Change ISPs and hope they don't use Cloudflare?
Re: (Score:2)
Hm. Ignore parent, Cloudflare is used by the website I'm trying to connect to, not my ISP. Not properly awake yet.
Re: (Score:2)
Yeah, but cloudflare is fair enough and warns TOR users with "Attention required"! :-)
Re: (Score:2)
There is no cloud service provider that is approved for handling credit card information at this time. That is not an accident.
Re: (Score:3)
There is no cloud service provider that is approved for handling credit card information at this time. That is not an accident.
It's not clear which flavor of "cloud" you're referring to.
If you mean IaaS, Amazon AWS is PCI certified:
https://aws.amazon.com/complia... [amazon.com]
If you mean PaaS, Windows Azure is certified:
http://azure.microsoft.com/blo... [microsoft.com]
If you mean SaaS, Stripe is certified:
https://stripe.com/help/securi... [stripe.com]
Of course, even if the service provider is certified, it's up to the customer to ensure that their own implementation is compliant - the service provider certification is just one checkmark in the requirements.
Re: (Score:2)
So they have managed that now? A pity. I wonder how much pressure was applied and how much money paid to get that.
Re: (Score:2)
So they have managed that now? A pity. I wonder how much pressure was applied and how much money paid to get that.
If by "now", you mean 4 years ago, yeah, AWS managed it.
https://aws.amazon.com/blogs/a... [amazon.com]
I doubt it took any pressure from any single vendor since lacking PCI certification locked them out of a lot of potential customers.
Why do you say it's a pity? Is having security controls and processes validated by a third party auditor somehow a bad thing? Regardless of what you think of the PCI DSS, having an auditor validate security sounds like a good thing.
Re: (Score:2)
It is a pity, because there is no way to give these services a PCI compliance and stay honest. It is just not possible to actually reach the required security-level.
Re: (Score:3)
While that is good information in general, SSL would help in this particular attack, as it would still block the Tor exit node from seeing the data.
Re: (Score:2)
Even if you buy Cloudflare's "most secure" option, and have SSL to your own server using your own certificate, you have to give Cloudflare your SSL cert's private keys.
If you need the sort of service Cloudflare provides, it won't matter who your actual provider is. ANYONE acting as a proxy for your HTTPS site will require your private key.
Re: (Score:1)
B-b-b-ut...
Completely off topic reply on a completely off topic post, but I for one am getting sick of this affectation of repeating consonants at the beginning of sentences to...I don't know...simulate stuttering? Where'd this come from? I don't know, but I've just started seeing it in the last several months and it's already pissing me off.
Ok, I feel better now. I will accept my -1 Off Topic mod points with pride.
Re: (Score:2)
The repeated consonants or vowels, usually at the start of a sentence or thought, indicate heightened emotion--usually fear, trepidation, worry, or embarrassment. The halting flow of the language is representative of those conditions, where the speaker's confidence is not sufficient to continue the strings of phonemes without retrying / restarting the word or phrase several times.
I hope this clears up your questions and possibly
Downloading unsigned binaries? (Score:2)
Digital signatures are exactly the technology that solves this problem. If you download binaries from the internet (especially if you have need to use Tor to get them!), check the signatures!
Now, it may be possible to also dynamically patch the signatures when these are downloaded -- but that requires much greater control since signatures can be obtained separately, and since Tor can mitigate the problem by routing different downloads through different exit nodes.
Re: (Score:2)
No, signatures cannot be "patched". The only way to do that is to have the original signature key available. Really, maybe acquire a bit of knowledge before coming up with BS scenarios?
Re: (Score:2)
If you really let me sit between you and the source of the download, I can mess with your download of the public key, and therefore replace signatures.
In other words, OS updates cannot be attacked this way (presumably the OS vendor's public key is included in the installation). But if you patch my download from www.example.com, you can also patch my download when I get the public key used by www.example.com to sign downloads.
Re: (Score:2)
Yes and no.
You could substitute hash, but if it is actually public-key signed then you'd have less luck. Your substitution would not originate from example.com OR would not belong to the same root CA.
Re: (Score:2)
A hash is not a "signature". It is very important to remember that. A hash is a hash.
Re: (Score:2)
Really, anybody talking crypto and not meaning a "crypto hash" when saying "hash" has no clue at all. You know, there are also non-cryptographic "ciphers" and even "signatures" that have nothing to do with crypto. Yet when talking crypto, the prefix is implicitly assumed.
But while we nit-pick, crypto-hashes also need some more properties in order to be secure (and insecure crypto-hash can of course drop all these, so to be exact, we would always need to say "secure crypto-hash"...;-), for example collision
Re: (Score:2)
I fully agree on that.
Re: (Score:2)
Scenario A: MitM insert malware into download of Foo installer. If your only defense is to manually check published hash, and website where published hash is displayed is not protected, what would prevent MitM attacker from also altering published hash that you see? Convoluted attack, but feasible.
Scenario B: Now, if you use public-key signature to sign Foo installer it becomes much harder to compromise. MitM attacker could alter your download, and sign it with their own signature, but unless t
Re: (Score:2)
Yes, once. And you may need to create a whole fake history. For example, I downloaded the Linux kernel signing key a long time ago. Unless all my downloads since then have been tampered with, it is good. Sure, if you just only ever download the public part of the signature key together with the binary and never bother to check any signatures on that key, you are screwed. But if you even bother to find out a bit about how PGP signatures work, then they work pretty well.
Re: (Score:2)
You are certainly correct. That is why it is very important to not call a hash a "signature". Basically the only benefit of a hash is that you can verify correct download (if nobody tampered with the connection).
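The thread above (Scenario A vs. Scenario B, and the point that a public key fetched over the same tampered channel proves nothing) can be made concrete. The following is an added example, not code from the article or from any poster: it models a publisher, a download server, and a man-in-the-middle with Go's standard-library Ed25519 and SHA-256, and runs three client-side checks against a genuine release and a tampered one. The publisher, the release format, and the "tamper" step (appending constructed marker bytes to a constructed installer) are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Publisher is the legitimate distributor of a binary (constructed for this example).
type Publisher struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewPublisher creates a fresh Ed25519 key pair; the private half never leaves the publisher.
func NewPublisher() Publisher {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Publisher{Pub: pub, priv: priv}
}

// Release is everything a download server hands the client over one channel:
// the binary, the "published hash" shown on the same page, a detached signature
// over that hash, and the key the server *claims* belongs to the publisher.
type Release struct {
	Binary  []byte
	Hash    []byte
	Sig     []byte
	Claimed ed25519.PublicKey
}

// Publish hashes the binary, signs the hash, and attaches the publisher's real key.
func (p Publisher) Publish(binary []byte) Release {
	h := sha256.Sum256(binary)
	return Release{Binary: binary, Hash: h[:], Sig: ed25519.Sign(p.priv, h[:]), Claimed: p.Pub}
}

// Tamper models the MITM from the thread: it alters the binary, rewrites the
// published hash to match, re-signs with its own key, and swaps in its own
// public key, i.e. everything that travels over the intercepted channel.
func Tamper(r Release, marker []byte) Release {
	attacker := NewPublisher()
	altered := append(append([]byte{}, r.Binary...), marker...)
	return attacker.Publish(altered)
}

// CheckHash is Scenario A: compare the download with the hash published beside it.
func CheckHash(r Release) bool {
	h := sha256.Sum256(r.Binary)
	return bytes.Equal(h[:], r.Hash)
}

// CheckSignatureWithClaimedKey verifies the signature with whatever key arrived
// alongside the download; this is the mistake called out above.
func CheckSignatureWithClaimedKey(r Release) bool {
	h := sha256.Sum256(r.Binary)
	return ed25519.Verify(r.Claimed, h[:], r.Sig)
}

// CheckSignaturePinned is Scenario B done right: the publisher's key was obtained
// out of band earlier (shipped with the OS, fetched long ago, checked via the web of trust).
func CheckSignaturePinned(pinned ed25519.PublicKey, r Release) bool {
	h := sha256.Sum256(r.Binary)
	return ed25519.Verify(pinned, h[:], r.Sig)
}

func main() {
	publisher := NewPublisher()
	pinned := publisher.Pub // key installed on the client before any download

	genuine := publisher.Publish([]byte("constructed installer bytes for Foo 1.0"))
	tampered := Tamper(genuine, []byte("[constructed tamper marker]"))

	for _, c := range []struct {
		name string
		rel  Release
	}{{"genuine", genuine}, {"tampered", tampered}} {
		fmt.Printf("%-8s hash=%v claimed-key-sig=%v pinned-key-sig=%v\n", c.name,
			CheckHash(c.rel), CheckSignatureWithClaimedKey(c.rel), CheckSignaturePinned(pinned, c.rel))
	}
}
```

Running it shows the genuine release passing all three checks and the tampered release passing the first two: the hash comparison and the signature check against the co-delivered key are both satisfied by an attacker who controls the channel, and only the check against the pinned key fails. That is the practical difference between a hash and a signature, and why the key has to come from somewhere the attacker does not sit.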
Re: (Score:2)
This is an old and well-known attack. Your inane response just shows that you have no clue at all.
Re: (Score:2)
I had Roger Dingledine explain that to me about 12 years ago. Your argument is simplistic and ignores reality. There is no way to "infiltrate" Tor. It is expected that people try that and the design is quite resistant against it.
But your language already shows that you are nothing but a clueless troll and you are probably jerking off to the things you write here.
Re: (Score:2)
If you own the majority of the exit nodes, that is not an "infiltration", that is a "take-over". But yes, that is possible. It is why the Tor project is trying all the time to get more exit-nodes from different people in different countries. Also possible are traffic analyses if you own a large part of the relays or of the Internet itself. The Tor project has research papers on these attacks and has a pretty good idea where the thresholds lie.
Use HTTPS? (Score:1)
And get nailed by a fake cert? How does this sidestep the trust issue?
Re: (Score:1)
Much harder to obtain a fake cert than tweak a HTTP stream. They'd need a compromised CA trusted by the majority of the Tor users.
We covered this (Score:1)
I thought the general consensus by now was that Tor is essentially a honeypot for the NSA & FBI...
Re: (Score:2)
You thought wrong.
Of course, that recommendation is BS... (Score:2)
The only thing that really works is verifying PGP signatures. SSL is broken and the Tor node may well have legitimate certificates at its disposal.
Re: (Score:2)
The only thing that really works is verifying PGP signatures. SSL is broken and the Tor node may well have legitimate certificates at its disposal.
Actually, it's HTTPS and its use of PKI (many unaccountable CAs) that is broken.
Re: (Score:2)
SSL is also broken, hence the recent warnings about SSLv3 and the recommendations to use TLS 1.2.
FinFisher Anyone? (Score:1)
Is it any wonder why, when I use Tor, I always compare files with those obtained via a VPN or at another site to see if they match? I have been doing this long before digitally signed executables came on the scene.
Bitcoin users also MITM by exit nodes recently (Score:3)
There have been several reports of Bitcoin users that use online wallets and exchanges, even over https, getting MITM attacked when using Tor. They visit the wallet site, get bad certificates but continue anyway, and poof, their Bitcoins in the service are gone and their passwords are known by the attacker. With recent SSL vulnerabilities or clever redirection, the cert errors could be avoided also. For other sites, users can be piped through a "universal phisher" to steal any credentials.
Clearly Tor users are under attack by exit nodes, many of them running automated tools against many web destinations.
Re:Bitcoin users also MITM by exit nodes recently (Score:5, Insightful)
if you
1) use an online wallet
2) accept bad certs
you certainly live a risky life.
This is not really big news. (Score:3)
Tor provides anonymity. It does not provide authenticity or secrecy, and doesn't pretend to. If you want those things, you should use something else in addition to tor. For example, TLS or SSH might suit your needs.
Re: (Score:1)
Tor provides anonymity. It does not provide authenticity or secrecy, and doesn't pretend to.
Not only does it not provide these things, it potentially cripples them by adding a random computer as a Man In The Middle! What did you guys expect?
Also, seeing that people who usually perform activities of this type (spreading malware) should be the ones most interested in TOR, I see some signs as to the kind of organizations who would attempt to do this...