Rogue Tor node wraps executables with malware

Josh Pitts of Leviathan Security Group has uncovered a malicious Tor exit node in Russia. The node wraps Windows executable files inside a second, malicious Windows executable. The wrapping is only attempted on uncompressed Windows PE (Portable Executable) files.

Tor is an anonymizing network which can be used, for good or ill, to hide the source of a request of a server. The recipient of the user request, in this case the site from which a file is being downloaded, would see the exit node as the originator of the communications. At no point in the path of a communication through Tor are both the real source and destination IP addresses unencrypted, and the routes through the Tor network are randomized, making eavesdropping within the network difficult at a minimum.

According to Pitts, the attack would fail if SSL/TLS were used to encrypt and authenticate the connection. Code signing would not necessarily block the attack unless the client system knew to check the signature of the downloaded EXE. Pitts demonstrates the example of Windows Update, which checks signatures rigorously. Pitts expresses concern that the Microsoft documentation for the Windows Update error could lead the user to further problems.

In combination with a broader whitelisting system, such as those from Bit9 or Microsoft's AppLocker, either code signing or file hashes would detect this attack.

Pitts is the author of a framework called BDF (Backdoor Factory) which, like this malicious node, patches binary files on the fly. He presented BDF at the recent DerbyCon 4.

Hat tip to Dennis Fisher on ThreatPost.