Tor Anonymizer Network falls prey to man-in-the-middle attack
How the attack works
Tor allows users to browse the web anonymously by bouncing their connection through several "relay" nodes before it leaves the network through an "exit" node, of which slightly more than 1,000 exist dotted around the world. This effectively prevents anyone from learning a user's true identity and location. The downside is that the relays and exit nodes are run by volunteers and cannot all be vetted at all times, and the exit node sees the traffic in the clear whenever the destination site does not use TLS. One such exit node in Russia has been found to be wrapping executables downloaded through it with malware before the response travels back through the relays to the user, so any program downloaded over plain HTTP through that exit is potentially dangerous to the system that runs it. This goes as far as Windows update files: the very files that should be protecting a machine can arrive carrying a malicious payload alongside the update.
No Safeguards
Windows Update itself is well protected against this: it verifies the signature of every package it fetches, so a patched update file is rejected rather than installed. What the user sees, however, is only an unexplained error code, and a user who wonders why an update is failing will naturally search for it. Josh Pitts, a security researcher at Leviathan Security, says that following the search results can actually lead the user back into danger. "If you Google the error code, the official Microsoft response is troublesome," he says. "The first link will bring you to the official Microsoft Answers website … If you follow the three steps from the official MS answer, two of those steps result in downloading and executing a MS 'Fixit' solution executable. If an adversary is currently patching binaries as you download them, these 'Fixit' executables will also be patched. Since the user, not the automatic update process, is initiating these downloads, these files are not automatically verified before execution as with Windows Update. In addition, these files need administrative privileges to execute, and they will execute the payload that was patched into the binary during download with those elevated privileges."
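The two passages above describe the same failure from both sides: the exit node rewrites an executable in transit, and the only thing standing between the user and the payload is whether the file's integrity is checked before it runs (Windows Update does this; a manually downloaded "Fixit" does not). The following is an added example, not code from the article or from Leviathan Security, that models the tampering on a constructed stand-in for a Windows binary and shows the check a practitioner would want to perform on any manually downloaded executable. The byte strings, the patch offset and the helper names are assumptions made for the example; the one real requirement it demonstrates is that the expected hash must come from a channel the exit node cannot touch.

```python
import hashlib
import hmac

# Constructed stand-in for a legitimate executable (not a real PE file):
# a DOS header stub, a PE marker and some filler "code".
ORIGINAL_BINARY = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"legitimate program code" * 8

# The hash the user should have obtained out of band, e.g. from the vendor's
# HTTPS page or a signed manifest. It is computed here from the constructed
# blob only because the example has no real vendor to ask.
EXPECTED_SHA256 = hashlib.sha256(ORIGINAL_BINARY).hexdigest()


def exit_node_patch(binary: bytes, payload: bytes, offset: int = 0x80) -> bytes:
    """Constructed model of the malicious exit node: overwrite code bytes in
    place so the file keeps its length. A size check would not notice this;
    only a hash or signature check does."""
    if offset + len(payload) > len(binary):
        raise ValueError("payload does not fit in the binary")
    return binary[:offset] + payload + binary[offset + len(payload):]


def verify_download(data: bytes, expected_sha256: str) -> bool:
    """Return True only if the downloaded bytes hash to the expected digest.
    Constant-time comparison so the check itself does not leak anything."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def hash_over_same_channel(data: bytes) -> str:
    """Models the pitfall of fetching the 'expected' hash through the same
    untrusted exit node: the attacker can serve a hash of the patched file,
    so the check is hollow. Real attacker-controlled hashes look exactly
    like the real ones; this just returns the digest of whatever was served."""
    return hashlib.sha256(data).hexdigest()


def fetch_and_check(downloaded: bytes, trusted_sha256: str) -> dict:
    """Summarise what a downloader should decide before executing a file."""
    return {
        "size_unchanged": len(downloaded) == len(ORIGINAL_BINARY),
        "trusted_hash_ok": verify_download(downloaded, trusted_sha256),
        "same_channel_hash_ok": verify_download(
            downloaded, hash_over_same_channel(downloaded)
        ),
    }


if __name__ == "__main__":
    clean = fetch_and_check(ORIGINAL_BINARY, EXPECTED_SHA256)
    patched_blob = exit_node_patch(ORIGINAL_BINARY, b"\xcc" * 16)  # INT3 filler as "payload"
    patched = fetch_and_check(patched_blob, EXPECTED_SHA256)
    print("clean download:", clean)
    print("patched download:", patched)
```

Run against the patched blob, `size_unchanged` and `same_channel_hash_ok` are both True while `trusted_hash_ok` is False: file size and a hash served over the same Tor circuit tell the user nothing, and the download should be discarded rather than executed, let alone executed with administrative privileges as the "Fixit" tools require.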
Incident Response
Users who keep their systems updated and pay attention to their security should remain safe, since they will notice sooner or later that something is wrong. The Tor Project has also flagged the Russian exit node as a bad exit, which stops clients from routing through it. Users are advised not to use that exit node and to check their computers with regular antivirus scans for malware that may have been downloaded unknowingly.