Posted by Derek Hutzler / December 30, 2014
OnionDuke is a piece of malware that is attached to executables downloaded through certain Tor exit nodes. For those unfamiliar with it, Tor (The Onion Router) is a tool for anonymous web browsing. When you browse through the Tor client, your traffic is encrypted and then relayed through a random set of Tor servers until it reaches its final destination. For example, if I’m based in SF and want to access a server hosted in Canada, my traffic may be routed through servers in the USA, Mexico, Sweden, and Russia before it reaches its final destination in Canada. Location cloaking, as described above, is a great tool for political dissidents, journalists, and even malware analysts. Unfortunately, anonymous web browsing via Tor can also be used by cyber criminals.
An issue was recently identified with a Tor exit node in Russia that injects malware into what would otherwise be perfectly safe executables. Here's a summary of the infection path: a safe executable is downloaded, but as it passes through this exit node, a piece of malware is added to the package. Once you run the .exe file, the malicious code separates itself from the safe executable and runs in the background. Meanwhile, the .exe you originally downloaded runs as expected and doesn't trigger any alarms.
Image via F-Secure
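One defender-side check that follows from the infection path above, added here as an example and not taken from the original post or from F-Secure's analysis: an executable that was wrapped or had a payload appended in transit typically carries data past the end of its last PE section (an "overlay"), and its hash no longer matches the value the publisher lists. The minimal PE image is constructed for the demo, and the overlay heuristic is a general indicator of a tampered download, not a description of how OnionDuke itself is packaged.

```python
import hashlib
import struct

def pe_overlay_size(data):
    """Bytes in the file past the end of the last PE section's raw data.

    Zero for a normally laid-out PE. Data appended in transit (a wrapper
    payload, a second embedded executable) shows up here. Raises ValueError
    if the input is not an MZ/PE image at all."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sections = coff + 20 + opt_size            # section table follows the optional header
    end = 0
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each 40-byte entry
        size_raw, ptr_raw = struct.unpack_from("<II", data, sections + i * 40 + 16)
        end = max(end, ptr_raw + size_raw)
    return max(0, len(data) - end)

def check_download(data, expected_sha256=None):
    """Compare the download's SHA-256 with the publisher's value (if known) and look for an overlay."""
    digest = hashlib.sha256(data).hexdigest()
    overlay = pe_overlay_size(data)
    hash_ok = expected_sha256 is None or digest == expected_sha256
    return {"sha256": digest, "overlay_bytes": overlay,
            "suspicious": overlay > 0 or not hash_ok}

def build_sample_pe(appended=b""):
    """Constructed minimal PE32 image (one .text section at file offset 0x200) for the demo."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    optional = b"\0" * 0xE0                                       # PE32 optional header, contents unused here
    text = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    header = dos + coff + optional + text
    header += b"\0" * (0x200 - len(header))
    return header + b"\xCC" * 0x200 + appended

if __name__ == "__main__":
    clean = build_sample_pe()
    trojanized = build_sample_pe(appended=b"\x90" * 300)         # simulates bytes added in transit
    known_good = check_download(clean)["sha256"]                  # hash the publisher would list
    print(check_download(clean, known_good))                      # overlay 0, not suspicious
    print(check_download(trojanized, known_good))                 # overlay 300 and hash mismatch
```

A real deployment would take the expected hash from the publisher's download page or a signed manifest fetched over HTTPS, not from the same connection that delivered the binary.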
This issue highlights a common theme in security: a degree of risk comes with downloading anything from the internet. At their worst, downloads can contain malware, but they are more likely to contain some type of spyware or adware.
Our suggestion is to scan all downloads for malware, regardless of what browser or proxy you are currently using. We make it very easy to accomplish this, with simple plugins for both Chrome and Firefox that can automatically scan downloads, harnessing the power of over 40 anti-virus engines. If you use any other browser, you can simply drag and drop any file to scan it for malware with Metascan® Online for free. Metascan also allows system administrators to easily integrate the multi-scanning technology into an existing web proxy to enable anti-malware scanning of downloads.