A Russia-based Tor exit node has been found patching malware into binaries downloaded through it, according to a blog post by Leviathan Security.
The findings, by Josh Pitts, are based on his research on Man-in-the-Middle binary patching using the Backdoor Factory patching framework. Pitts also checked if Windows Update packages wrapped in Windows Portable Executable (PE) format are patched with the malicious code.
Tampering with Windows PE update packages causes the Windows Update system to reject them with error code 0x80200053. To clear that error, Microsoft advised users to download and run its “Fixit” tool, among other remedies.
“If an adversary is currently patching binaries as you download them, these FixIt executables will also be patched,” Pitts said. “Since the user, not the automatic update process, is initiating these downloads, these files are not automatically verified before execution as with Windows Update.”
There is also the issue of privilege elevation once the “patched” executable is downloaded in this scenario.
“In addition, these files need administrative privileges to execute, and they will execute the payload that was patched into the binary during download with those elevated privileges,” Pitts said.
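The gap Pitts describes is that a user-initiated download is executed without any integrity check, so a binary modified in transit runs as-is, often with administrative privileges. The following added example (not code from Leviathan Security or from Pitts's research) shows the defender-side check a download process can apply before execution: confirm the file is actually a PE image and compare its SHA-256 against a digest pinned out of band (a vendor-published hash or one recorded over a trusted channel). The minimal PE-like byte string and the pinned digest are constructed here for the demonstration; only the in-transit modification is simulated, by overwriting a few trailing bytes.

```python
import hashlib
import hmac
import struct
from typing import Tuple


def is_pe(data: bytes) -> bool:
    """Cheap structural sanity check: a DOS 'MZ' stub whose e_lfanew
    (offset 0x3C) points at a 'PE\\0\\0' signature inside the buffer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the whole image as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, pinned_sha256: str) -> Tuple[bool, str]:
    """Decide whether a downloaded image may be executed.

    The pinned digest must come from a channel independent of the download
    (e.g. a vendor page fetched over TLS outside Tor); comparing the file
    against a hash served alongside it by the same path proves nothing."""
    if not is_pe(data):
        return False, "rejected: not a PE image"
    actual = sha256_hex(data)
    # Constant-time comparison; avoids leaking how many leading hex digits matched.
    if not hmac.compare_digest(actual, pinned_sha256.lower()):
        return False, f"rejected: sha256 {actual} does not match pinned digest"
    return True, "ok: image matches pinned digest"


def build_sample_pe() -> bytes:
    """Constructed stand-in for a downloaded executable (hypothetical, not a
    real Windows binary): MZ stub, e_lfanew = 0x40, PE signature, filler."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    body = b"PE\x00\x00" + b"\x00" * 20 + b"SAMPLE CODE SECTION " * 4
    return bytes(header) + body


def simulate_in_transit_modification(data: bytes) -> bytes:
    """Overwrite the last four bytes, standing in for any byte-level change
    made to the image between the server and the user's disk."""
    return data[:-4] + b"XXXX"


if __name__ == "__main__":
    original = build_sample_pe()
    pinned = sha256_hex(original)        # digest recorded out of band (constructed)

    ok, msg = verify_download(original, pinned)
    print("untouched download:", msg)

    modified = simulate_in_transit_modification(original)
    ok, msg = verify_download(modified, pinned)
    print("modified download: ", msg)
```

The structural check alone is deliberately weak: a patched binary is still a valid PE, so `is_pe` only catches truncation or a non-PE payload served in place of the file. The digest comparison is what actually detects the modification, and it is only as trustworthy as the channel the pinned digest came from.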
So far, only one Tor exit node out of more than 1100 has been found patching malware into downloaded binaries, but this doesn't rule out other exit nodes.
“I may not have caught them, or they may be waiting to patch only a small set of binaries,” Pitts said.
The Onion Router Project has been notified about the issue.