Comparing the file hash is a good precaution

An “exit node” of the TOR anonymization network, located in Russia, has been found to serve modified versions of the legitimate binaries requested by users.

To anonymize the user, TOR (The Onion Router) connections pass through multiple relay servers that forward the traffic in encrypted form until it reaches an exit node, which communicates directly with the destination.

A server of this kind has been used to deliver patched binaries for malicious purposes: when a user's download request passed through the Russian TOR exit node in question, a tampered executable was returned instead of the original.

The bad server was discovered by Josh Pitts, penetration tester at Leviathan Security, who also created BDF (the Backdoor Factory), a binary patching framework he presented this year at DerbyCon.

Modified binary can pass verification

Pitts already knew that a great number of binaries were hosted without Transport Layer Security (TLS) encryption, and that most of them were not signed, either of which would have guarded against modification in transit.

As such, an attacker could use a man-in-the-middle (MitM) technique to intercept the user's request and return a file different from the one the recipient expected, without raising any alarm.

The researcher turned to TOR to increase the chances of finding this type of malicious activity being used in the wild. It took no more than one hour of waiting to come across a nefarious exit node.

More than 1,110 exit servers were analyzed, and the Russian one Pitts encountered appeared to patch almost every binary the researcher tried to download; “the node only patched uncompressed PE files,” he wrote in a blog post.

According to the researcher, the original binary is wrapped inside another one, and the attackers managed to preserve the file's icon. This wrapping bypasses the simple self-checking mechanisms of installers built with the Nullsoft Scriptable Install System (NSIS), a system that creates installers for the Windows platform.

Check the hash or stick to a protected connection

This is a significant issue, since TOR is employed for browsing anonymously by a large number of users, such as journalists in oppressive countries, activists, or whistle-blowers.

To mitigate this risk, developers should protect their binaries by delivering them over an encrypted connection, even when the binaries are signed. Users, for their part, should check that the hash of the downloaded file matches the one published for the original before executing the program.
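The hash check recommended above, as an added example that is not part of the article and not code from Leviathan Security or the TOR Project. It parses a vendor-published checksum list in the common `sha256sum` output format (the format and the sample "installer" bytes are assumptions constructed for the demo), hashes the downloaded file in chunks, and compares the digests; the demo simulates the wrapping described in the article by prepending a stub to the original bytes and shows that the wrapped copy fails verification even though the original is still contained inside it.

```python
"""Verify a downloaded file against a published SHA-256 checksum list.

Added example, not from the Softpedia article or the researcher's blog.
The checksum-list format mirrors `sha256sum` output ("<hex digest>  <name>");
all sample data below is constructed for the demo.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash 1 MiB at a time so large installers need not fit in memory


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_list(text: str) -> dict:
    """Parse `sha256sum`-style lines into {filename: digest}.

    Each line is "<64 hex chars>  <name>"; a leading '*' on the name marks
    binary mode in GNU coreutils output and is stripped. Blank lines,
    comments and malformed lines are skipped rather than trusted.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue
        digest, name = parts
        try:
            int(digest, 16)  # reject non-hex "digests"
        except ValueError:
            continue
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_download(path: str, expected_digest: str) -> bool:
    """True only if the file's SHA-256 equals the published digest."""
    actual = sha256_of_file(path)
    # compare_digest is a constant-time comparison; a habit worth keeping
    # even where timing is not the threat.
    return hmac.compare_digest(actual, expected_digest.lower())


def demo() -> dict:
    """Constructed scenario: a genuine installer and a wrapped copy of it."""
    genuine = b"MZ" + b"\x90" * 64 + b"constructed original installer body"
    # Simulate the wrapping the article describes: a stub is prepended and
    # the original binary is kept intact inside the new file.
    tampered = b"MZ" + b"constructed wrapper stub" + genuine
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "setup.exe")
        bad = os.path.join(tmp, "setup_from_bad_exit.exe")
        with open(good, "wb") as fh:
            fh.write(genuine)
        with open(bad, "wb") as fh:
            fh.write(tampered)
        # Stands in for the checksum list a vendor publishes over HTTPS.
        published = f"{sha256_of_bytes(genuine)}  setup.exe\n"
        expected = parse_checksum_list(published)["setup.exe"]
        return {
            "genuine": verify_download(good, expected),
            "tampered": verify_download(bad, expected),
        }


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'tampered': False}
```

The check is only as good as the channel the expected digest arrives over: a checksum list fetched over the same plain-HTTP path as the binary could be rewritten by the same exit node, so the published hash should come from a TLS-protected page or another independent source.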

The TOR Project has been informed of the problem, and the relay server has been flagged as “bad,” alerting others not to route connections through it.


http://news.softpedia.com/news/TOR-E...s-463168.shtml