Researchers discover Spoiled Onions: Evil Tor exit relays spying on Facebook users

First, Microsoft remotely deleted Tor from 2 million PCs to take down the Sefnit botnet, then researchers found a few malicious exit relays running in Russia for MitM attacks.

Tor, The Onion Router that helps protect users' privacy, just can't catch a break lately. First, Microsoft remotely deleted Tor from Windows machines during an attempt to take down the Sefnit botnet. Then the research paper, Spoiled Onions: Exposing Malicious Tor Exit Relays [pdf], explained how evil nodes in Russia were being used to spy on Facebook users, as well as Tor users browsing other sites.

Microsoft deleting Tor

In an attempt to take down the Sefnit botnet, Microsoft remotely removed Tor Sefnit malware from about 2 million Windows machines. Win32/Sefnit has been a problem for the Tor network since last August. Geoff McDonald of the Microsoft Malware Protection Center wrote, "Based on the Tor Network's connecting-user estimates, evidence suggests this resulted in more than four million Sefnit-installed Tor client services pushed in just over two weeks."

Update: "A Microsoft Spokesperson" clarified:

Microsoft Malware Protection Center (MMPC) has protections to remove the services started by the Sefnit malware, but it does not uninstall Tor, remove any Tor binaries, or prevent users from using Tor.

Also, this video has third-party confirmation from Jacob Appelbaum and Roger Dingledine, both members of the Tor Project, discussing Microsoft's "clean-up" efforts in regards to Sefnit. In the video, Appelbaum mentioned that Microsoft removed the Sefnit-added Tor clients as part of the efforts. However, Dingledine immediately clarified, stating "they actually removed the bot and left the Tor clients because they weren't sure whether they should remove it," to which Appelbaum responded "whoops."

Although "Tor is a good application used to anonymize traffic and usually poses no threat," McDonald added that "Tor has a history of high-severity vulnerabilities."

Some of these vulnerabilities can be exploited for the remote execution of arbitrary code without authentication - essentially giving an attacker access to take over the machine remotely. This Tor service is a security risk to the machines even after Sefnit has been removed, since it is probable that a serious security vulnerability will be identified in the future. In summary, this means that a malicious actor may be able to infect millions of machines with any malware at some point in the future.

Sefnit installs Tor v0.2.3.25, which "does not self-update," so Microsoft included the malware signature in its "Malicious Software Removal Tool and delivered through Windows Update/Microsoft Update." McDonald explained:

The security problem lies in the fact that during a Sefnit component infection, the Tor client service is also silently installed in the background. Even after Sefnit is removed, unless specific care is taken, the Tor service will be left and still regularly connect to the Tor Network. This is a problem not only for the workload it applies to the Tor Network, but also for the security of these computers.

Although Sefnit/Tor was remotely removed from 2 million machines, Microsoft said "more work is needed to address an estimated 2 million machines that have yet to be reached. Many of the unreached machines are likely not running Microsoft security software, and we need your help to reduce this risk further."

What does Tor Project think about Microsoft's move? Andrew Lewman, Tor's executive director, told the Daily Dot, "It sounds scary until you realize users opt-in for the most part and agree to have their OS kept 'secure' by Microsoft."

Back in August, after malicious JavaScript targeted Windows machines running a Firefox 17 version customized for Tor, that zero-day vulnerability prompted the Tor Project to recommend kicking Windows to the curb. "Really, switching away from Windows is probably a good security move for many reasons." Instead, "consider switching to a 'live system' approach like Tails."

Spoiled Onions

Karlstad University researchers Philipp Winter and Stefan Lindskog monitored 1,000 Tor exit relays for four months and found 25 evil exit relays. "These exit relays engaged in various attacks such as SSH and HTTPS MitM, HTML injection, and SSL stripping."

They used a Python-based exit relay scanner to determine that someone in Russia running exit relays was spying on Facebook users as well as Tor users browsing other sites. The attacker issued a fake and malicious digital certificate in order to engage in man-in-the-middle (MitM) attacks. They found two exit relays that interfered with network traffic because of DNS censorship, basically meaning they blocked pornography, and one that was misconfigured.

Tor maintains a list of known bad Tor relays, but Spoiled Onions listed "all malicious or misconfigured exit relays we discovered since September 2013." The researchers wrote that while the list might appear scary, "it is important to understand that these are merely 25 out of more than 1,000 relays over four months!" That is "a very small fraction which means that Tor users are not likely to encounter many such relays 'in the wild'. Furthermore, Tor's path selection algorithm prefers faster relays over slower ones"; so since the malicious exit relays "contributed little bandwidth," very few Tor users probably used them.

And even if you, as a user, happen to select a malicious exit relay, it doesn't mean that everything is lost. TorBrowser ships with extensions such as HTTPS-Everywhere which are able to foil some HTTPS-based attacks. Finally, all of the attacks we found are of course not limited to the Tor network. You might very well be more exposed to these attacks on any public WiFi.

On the Tor Project blog, the researchers wrote, all the security best practice knowledge "you already know from Firefox or Chrome also applies to TorBrowser. In particular, I'm referring to Firefox's warning page you might see every now and then. It says something along the lines of 'This Connection is Untrusted' or 'This is not the site you are looking for'. These warning pages should tell users that the connection to the site isn't quite right."

Finding 25 malicious exit relays in four months "really isn't a lot," the researchers pointed out. So Tor users, try not to freak out. They advised that if you see a warning about a potential attack, don't blow it off. "The important thing to remember is: if that happens when you go to Facebook, Twitter, or your favorite website, you really shouldn't ignore the warning and try to log in. Otherwise, somebody might have just gotten your password."

Lastly, in Spoiled Onions [pdf], researchers Lindskog and Winter wrote:

To make the Tor network safer, we first developed exitmap, an easily extensible scanner which is able to probe exit relays for a variety of MitM attacks. Furthermore, we developed a set of patches for the Tor Browser Bundle which is capable of fetching self-signed X.509 certificates over different network paths to evaluate their trustworthiness. We believe that by being armed with these two tools, the security of the Tor network can be greatly increased. Finally, all our source code is freely available:
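The multi-path certificate comparison the quote above describes, written up here as an added illustration (this is not the paper's exitmap code or its Tor Browser patches): the same site's certificate is fetched over several exit relays, and an exit whose certificate disagrees with the majority is flagged as a likely MitM, the way the Russian exits were caught. Exit names and certificate bytes are constructed stand-ins.

```python
import hashlib
from collections import Counter

# Constructed stand-ins for DER-encoded certificates. A real probe would store
# the bytes returned by ssl.SSLSocket.getpeercert(binary_form=True) per exit.
GENUINE_CERT = b"-- constructed DER: CN=www.example.com, issuer=Example CA --"
FORGED_CERT = b"-- constructed DER: CN=www.example.com, self-signed --"

# Hypothetical exit relay id -> certificate bytes seen for one target site,
# or None when the fetch through that exit failed.
OBSERVATIONS = {
    "exit-a": GENUINE_CERT,
    "exit-b": GENUINE_CERT,
    "exit-c": FORGED_CERT,   # the rogue exit substituting its own certificate
    "exit-d": GENUINE_CERT,
    "exit-e": None,          # unreachable during the probe
}


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the certificate, the value users can compare."""
    return hashlib.sha256(der).hexdigest()


def classify_exits(observations, min_paths=3):
    """Compare the certificate seen over each exit and flag the outliers.

    Returns (consensus_fingerprint, suspicious_exits, failed_exits).
    consensus_fingerprint is None when no single fingerprint is seen over a
    strict majority of the successful paths; then no exit can be called an
    outlier and the probe should be repeated over more paths.
    """
    seen = {e: fingerprint(der) for e, der in observations.items() if der is not None}
    failed = sorted(e for e, der in observations.items() if der is None)
    if len(seen) < min_paths:
        raise ValueError(f"need at least {min_paths} successful paths, got {len(seen)}")
    top_fp, top_count = Counter(seen.values()).most_common(1)[0]
    if top_count * 2 <= len(seen):
        return None, [], failed
    suspicious = sorted(e for e, fp in seen.items() if fp != top_fp)
    return top_fp, suspicious, failed


if __name__ == "__main__":
    fp, bad, failed = classify_exits(OBSERVATIONS)
    print("consensus", fp[:16], "suspicious exits", bad, "failed", failed)
```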

The Spoiled Onion research is fairly complex and you might like to read it in full here [pdf]. Personally, I still recommend using Tor to help protect your privacy.
