Users of internet anonymiser Tor are being advised to secure their connections and check their computers for malware, after a security researcher discovered that the service was being used to inject potentially malicious code into files downloaded through it.

Tor allows users to surf the web anonymously by bouncing their connection between “relay” nodes before it exits back on to the open internet through an “exit” node, of which slightly more than 1,000 exist dotted around the world.

But for an unknown length of time, at least one exit node, based in Russia, has been silently altering programs downloaded through Tor, according to Josh Pitts, a security researcher for Leviathan Security.

Programs for Windows, when downloaded through the malicious node, were silently wrapped in malware (malicious code), rendering them dangerous to any computer running them. Concerningly, even files downloaded through Windows Update were affected.



While Microsoft’s own tools are capable of spotting a tampered download, Pitts says the unspecific error code can actually lead a user back into danger. “If you Google the error code, the official Microsoft response is troublesome,” he says. “The first link will bring you to the official Microsoft Answers website … If you follow the three steps from the official MS answer, two of those steps result in downloading and executing a MS ‘Fixit’ solution executable.

“If an adversary is currently patching binaries as you download them, these ‘Fixit’ executables will also be patched. Since the user, not the automatic update process, is initiating these downloads, these files are not automatically verified before execution as with Windows Update. In addition, these files need administrative privileges to execute, and they will execute the payload that was patched into the binary during download with those elevated privileges.”

The attack is a particular type of “man in the middle” attack, in which the connection is passed through a malicious third party which attempts to capture or alter information. Against a typical user, such attacks are difficult to pull off, requiring the attacker to breach the user’s connection. But if a connection regularly goes through an untrusted third party – as with Chinese users, who have to contend with their country’s “great firewall”, or with Tor users – such an attack becomes much easier.

The Tor Project has flagged the malware-spamming Russian node as malicious, ensuring that properly updated users won’t encounter it again. But, says the project lead, Roger Dingledine, “it seems like a tough arms race to play … the better approach is to have applications not blindly trust unauthenticated bits they get from the internet.”

Tor users can limit their exposure to such attacks by ensuring they use encrypted connections before downloading programs over the network. Pitts adds that “All users should have a way of checking hashes and signatures out of band prior to executing the binary”, to ensure that the file they downloaded is the same as the one they requested.
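The hash check Pitts describes, sketched as an added example (not code from the article, Pitts or the Tor Project). It assumes the expected SHA-256 digest was obtained over a separate channel from the download itself; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk_size=1 << 16):
    """Stream the file so large installers are hashed without loading them whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_download(path, pinned_hex):
    """Return True only if the file matches the digest obtained out of band."""
    pinned = pinned_hex.strip().lower()
    # Reject truncated or mangled values instead of comparing against garbage.
    if len(pinned) != 64 or any(c not in "0123456789abcdef" for c in pinned):
        raise ValueError("pinned value is not a SHA-256 hex digest")
    return hmac.compare_digest(sha256_file(path), pinned)

def demo():
    """Constructed sample: a 'published' file and a copy altered in transit."""
    published = b"MZ" + b"\x00" * 62 + b"constructed installer body"
    altered = published + b"constructed extra bytes added in transit"
    # Stands in for the digest fetched out of band (assumption of this example).
    pinned = hashlib.sha256(published).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("clean.exe", published), ("altered.exe", altered)):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = verify_download(path, pinned)
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'digest matches' if ok else 'MISMATCH, do not execute'}")
```

A digest fetched over the same unencrypted path as the binary gives no assurance, since whoever can alter the file can alter the published hash as well.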