{"id":6713,"date":"2014-10-28T10:00:20","date_gmt":"2014-10-28T14:00:20","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=6713"},"modified":"2014-10-28T10:00:20","modified_gmt":"2014-10-28T14:00:20","slug":"rogue-tor-exit-node-server-added-malware-to-legitimate-downloads","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2014\/10\/28\/rogue-tor-exit-node-server-added-malware-to-legitimate-downloads\/","title":{"rendered":"Rogue Tor &#8216;exit node&#8217; server added malware to legitimate downloads"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/www.pcworld.com\/article\/2839152\/tor-project-flags-russian-exit-node-server-for-delivering-malware.html\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/10\/tor-logo-100049034-gallery.png\" alt=\"\" \/><\/a><\/p>\n<p>The Tor Project has flagged a server in Russia after a security researcher found it slipped in malware when users were downloading files.<\/p>\n<p>Tor is short for The Onion Router, which is software that offers users a greater degree of privacy when browsing the Internet by routing traffic through a network of worldwide servers. The system is widely used by people who want to conceal their real IP address and mask their web browsing.<\/p>\n<p>The suspicious server was an \u201cexit node\u201d for Tor, which is the last server in the winding chain used to direct web browsing traffic to its destination.<\/p>\n<p>Roger Dingledine, Tor Project\u2019s project leader and director, wrote the Russian server has been labeled a bad exit node, which should mean Tor clients will avoid using the server.<\/p>\n<p>The Russian server was found by Josh Pitts, who does penetration testing and security assessments with Leviathan Security Group. He wrote he wanted to find out how common it was to find attackers modifying the binaries of legitimate code in order to deliver malware.<\/p>\n<p>Binaries from large software companies have digital signatures that can be verified to make sure the code hasn\u2019t been modified. But Pitts wrote most code isn\u2019t signed, and even further, most don\u2019t employ TLS (Transport Layer Security) during downloading. TLS is the successor to SSL (Secure Sockets Layer), which encrypts connections between a client and a server.<\/p>\n<p>He suspected attackers were \u201cpatching\u201d binaries during man-in-the-middle attacks and took a look at more than 1,110 Tor exit nodes.<\/p>\n<p>Pitts only found one Tor exit node that was patching binaries. The node would modify only uncompressed portable executables, he wrote.<\/p>\n<p>\u201cThis does not mean that other nodes on the Tor network are not patching binaries; I may not have caught them, or they may be waiting to patch only a small set of binaries,\u201d he wrote.<\/p>\n<p>The broad lesson for users is that they should be wary of downloading code that is not protected by SSL\/TLS, even if the binary itself is digitally signed, Pitts wrote.<\/p>\n<p>\u201cAll people, but especially those in countries hostile to \u2018Internet freedom,\u2019 as well as those using Tor anywhere, should be wary of downloading binaries hosted in the clear\u2014and all users should have a way of checking hashes and signatures out of band prior to executing the binary,\u201d he wrote.<\/p>\n<p>via <a href=\"http:\/\/www.pcworld.com\/article\/2839152\/tor-project-flags-russian-exit-node-server-for-delivering-malware.html\" target=\"_blank\">Rogue Tor &#8216;exit node&#8217; server added malware to legitimate downloads | PCWorld<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Tor Project has flagged a server in Russia after a security researcher found it slipped in malware when users [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[7,9],"tags":[849,1094],"class_list":["post-6713","post","type-post","status-publish","format-standard","hentry","category-security","category-software","tag-privacy","tag-tor"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-1Kh","jetpack-related-posts":[{"id":6684,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/10\/21\/tor-based-anonymizing-router-gets-pulled-from-kickstarter-for-rules-violations\/","url_meta":{"origin":6713,"position":0},"title":"Tor-based anonymizing router gets pulled from Kickstarter for rules violations","author":"NCCT","date":"October 21, 2014","format":false,"excerpt":"Anonabox, a piece of home networking equipment designed to allow you to connect to the Internet anonymously, had raised nearly $600,000 in pledges on Kickstarter\u2014blowing its $7500 goal out of the water. But on Friday, Kickstarter suspended the project, according to Ars Technica. Wired reports that Kickstarter put a stop\u2026","rel":"","context":"In &quot;Networking&quot;","block_context":{"text":"Networking","link":"https:\/\/nccomputertech.com\/techtalk\/category\/networking\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":119,"url":"https:\/\/nccomputertech.com\/techtalk\/2012\/11\/28\/new-linux-rootkit-injects-malicious-html-into-web-servers\/","url_meta":{"origin":6713,"position":1},"title":"New Linux rootkit injects malicious HTML into Web servers","author":"NCCT","date":"November 28, 2012","format":false,"excerpt":"A newly discovered form of malware that targets Linux servers acting as Web servers allows an attacker to directly inject code into any page on infected servers\u2014including error pages. The rootkit, which was first publicly discussed on the Full Disclosure security e-mail list on November 13, appears to be crafted\u2026","rel":"","context":"In &quot;Networking&quot;","block_context":{"text":"Networking","link":"https:\/\/nccomputertech.com\/techtalk\/category\/networking\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6071,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/07\/30\/privacy-focused-tails-os-compromised-how-to-stay-safe-until-its-patched\/","url_meta":{"origin":6713,"position":2},"title":"Privacy-focused Tails OS compromised: How to stay safe until it&#8217;s patched","author":"NCCT","date":"July 30, 2014","format":false,"excerpt":"Vulnerabilities in the Tails operating system could reveal your IP address, but you can avoid trouble by taking a couple of precautions. Tails, a portable operating system that employs a host of privacy-focused components, plans to patch flaws contained in I2P, a networking tool developed by the Invisible Internet Project\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8453,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/07\/07\/zeusvm-malware-building-tool-leak-may-cause-botnet-surge\/","url_meta":{"origin":6713,"position":3},"title":"ZeusVM malware building tool leak may cause botnet surge","author":"NCCT","date":"July 7, 2015","format":false,"excerpt":"The Internet could see a new wave of botnets based on the ZeusVM banking Trojan after the tools needed to build and customize the malware program were published online for free. The source code for the builder and control panel of ZeusVM version 2.0.0.0 was leaked sometime in June, according\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":5750,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/06\/11\/one-click-test-finds-gameover-zeus-infections-on-pcs\/","url_meta":{"origin":6713,"position":4},"title":"One-click test finds Gameover Zeus infections on PCs","author":"NCCT","date":"June 11, 2014","format":false,"excerpt":"Users can test by simply visiting a Web page if their computers have been infected with Gameover Zeus, a sophisticated online banking Trojan that law enforcement officers temporarily disrupted last week. The one-click test was developed by security researchers from antivirus vendor F-Secure and takes advantage of the malware\u2019s aggressive\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":9452,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/11\/19\/internal-bug-discovery-security-now-693\/","url_meta":{"origin":6713,"position":5},"title":"Internal Bug Discovery &#8211; Security Now 693","author":"NCCT","date":"November 19, 2018","format":false,"excerpt":"https:\/\/youtu.be\/ClVI9PMQGCY Australia vs Encryption, Google+ Bugs Hasten its Demise -- Australia's recently passed anti-encryption legislation -- Details of a couple more mega-breaches including a bit of Marriott follow-up -- A welcome call for legislation from Microsoft -- A new twist on online advertising click fraud -- The DHS is interested\u2026","rel":"","context":"In &quot;Microsoft&quot;","block_context":{"text":"Microsoft","link":"https:\/\/nccomputertech.com\/techtalk\/category\/microsoft\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/ClVI9PMQGCY\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/6713","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=6713"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/6713\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=6713"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=6713"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=6713"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}