Tor exit node hacked to inject malicious code in downloads

A Russian researcher has uncovered a malicious exit node, which is claimed to allow hackers to inject potentially malicious code when users download files.

According to Josh Pitts, security researcher at Leviathan Security, for some time, at least one exit node, based in Russia, has been quietly modifying programs downloaded through Tor.

The malicious exit node wrapped the downloaded programmes for Windows in malware, malicious code and rendered them risky to any computer using them.

However, Microsoft’s own tools can spot a corrupted download, while an unspecific error code may risk users.

Pitts added: "If you Google the error code, the official Microsoft response is troublesome.

"The first link will bring you to the official Microsoft Answers website …

"If you follow the three steps from the official MS answer, two of those steps result in downloading and executing a MS ‘Fixit’ solution executable."

Further, researcher noted that the attack would be unsuccessful is the connection was encrypted and authenticated using SSL/TLS.

"If an adversary is currently patching binaries as you download them, these ‘Fixit’ executables will also be patched.

"Since the user, not the automatic update process, is initiating these downloads, these files are not automatically verified before executionas with Windows Update.

"In addition, these files need administrative privileges to execute, and they will execute the payload that was patched into the binary during download with those elevated privileges."

In the wake of revelation, Tor Project has flagged the Russian exit node as malicious in a bid to assure that well updated users will not come across it for second time.

Sign up for our regular news round-up!

Give your business an edge with our leading Tech Monitor

Sign up