Art by: Jing Jin

We all know that downloading files to your computer means rolling the dice. Even the best consumer virus protection can miss potentially devastating malware. The common advice is to avoid all but known and trusted websites. But Leviathan Security Group researcher Josh Pitts discovered that this might no longer be as secure as it used to be, especially for anyone who uses the Tor network, which includes many people in the Bitcoin community.

Pitts reported that he was researching download servers to determine whether they were being used to patch binary files during downloads in a “man-in-the-middle” (MITM) attack. This type of attack, also known as a “bucket brigade attack,” allows an attacker to intercept the messages in a public key exchange and retransmit them while substituting their own public key for the one requested, so that the original parties still appear to be communicating with each other. Anyone at all familiar with the blockchain can immediately see the potential problems this presents for anyone with cryptocurrencies in exchanges and wallets.

The problem was identified in a Tor exit node. Pitts discovered that a source in Russia was actively patching binaries and adding malware to the files dynamically. The major concern for security experts at this point is that attackers may be able to control the download mechanism for security updates in operating systems such as Windows and OS X. This would lead to widespread problems for many users over a relatively short period of time, simply because most of us trust Microsoft and Apple when they tell us that they want to update our security, especially since these updates are vital to our cybersecurity. These companies commonly sign their binaries, and any binary that appears to have been modified cannot be verified. But Pitts discovered that a hacker in a MITM position can actively patch binaries with their own code. While there is no current evidence that this can be accomplished with security updates, the potential certainly exists.

Pitts was looking for anyone who might be setting up such an attack, and for that he needed as many exit nodes as possible. He chose Tor, an anonymous network, because it is used widely by people around the world. In order to accomplish this, he built BDF (Backdoor Factory), a tool that could patch executable binaries with shellcode while still allowing the binary to function as intended.


“To have the best chance of catching modified binaries in transit over the Internet, I needed as many exit points in as many countries as possible. Using Tor would give me this access, and thus the greatest chance of finding someone conducting this malicious MITM patching activity.”

“After researching the available tools, I settled on exitmap. Exitmap is Python-based and allows one to write modules to check exit nodes for various modifications of traffic. Exitmap is the result of a research project called Spoiled Onions that was completed by both the PriSec group at Karlstad University and SBA Research in Austria. I wrote a module for exitmap, named patchingCheck.py, and have submitted a pull request to the official GitHub repository. Soon after building my module, I let exitmap run. It did not take long, about an hour, to catch my first malicious exit node.”

When he discovered the exit node in question, he checked his findings by downloading binaries from numerous sources, including Microsoft's own website, and all of them turned up with malware attached. The malware opens a port to “listen” for commands and immediately begins sending HTTP requests to a remote server. Pitts notified the experts at the Tor Project, who quickly set the BadExit flag on the relay. One of the original developers of Tor, Roger Dingledine, said:

“We’ve now set the BadExit flag on this relay, so others won’t accidentally run across it. We certainly do need more people thinking about more modules for the exitmap scanner. In general, it seems like a tough arms race to play.”

Pitts also suggested that encrypted download channels be used by both users and site operators. He said that SSL/TLS was the only way to defend against this. It is also advisable to install HTTPS Everywhere or similar plugins in browsers to keep traffic encrypted. Finally, he said that the problem was apparently not widespread. There are more than 1000 exit nodes on Tor and he found only one that was a problem, but he stressed that this does not mean there aren't other malicious exit nodes out there.
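
The check described above, fetching the same binary through many exits and looking for copies that were changed in transit, can be sketched as follows. This is an added example, not Pitts's patchingCheck.py or exitmap code; the function names, exit labels and sample bytes are constructed for illustration, and the reference copy is assumed to come from a trusted channel.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte, or None if the inputs are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    # Same common prefix: they differ only if one is longer than the other.
    return None if len(a) == len(b) else min(len(a), len(b))


def check_exits(reference: bytes, fetched: dict) -> list:
    """Return one finding per exit whose copy differs from the reference."""
    ref_digest = sha256_hex(reference)
    findings = []
    for exit_id, body in sorted(fetched.items()):
        digest = sha256_hex(body)
        if hmac.compare_digest(digest, ref_digest):
            continue  # byte-for-byte identical to the trusted copy
        findings.append({
            "exit": exit_id,
            "sha256": digest,
            "size_delta": len(body) - len(reference),
            "first_diff_offset": first_difference(reference, body),
        })
    return findings


# Constructed sample data: a stand-in "binary" and three hypothetical exits.
REFERENCE = b"MZ" + b"\x00" * 62 + b"original program bytes"
SAMPLE_FETCHES = {
    "exit-A": REFERENCE,
    "exit-B": REFERENCE[:64] + b"XXXX" + REFERENCE[64:],  # bytes added in transit
    "exit-C": REFERENCE,
}

if __name__ == "__main__":
    for finding in check_exits(REFERENCE, SAMPLE_FETCHES):
        print(finding)
```

The size delta and first differing offset give an analyst a starting point for examining what was changed in the flagged copy.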