Blog

Tor is originally supposed to aid journalists and activists to gain more anonymity on the net. But being more anonymous does not imply more security using the Tor Network for downloading binary data(executables like EXE, etc.), if you are, there is no encryption and transfer validation (MD5 Checksum, PGP Signature, etc.) available. The possibility of altering downloaded binaries was demonstrated by Leviathansecurity : http://www.youtube.com/watch?v=LjUN9MACaTs

The attacker is using a binary patch framework like BDF and a proxy server(e.g. BDFPoxy) to alter any unencrypted binary on the fly by inserting a precompiled rootkit code into code caves(areas filled with 0 in the binary). This practice seems to have become more common than expected, that's why many mainstream Linux distributors were most of the time/always using checksums for binaries and others at least started doing the same. You should be cautious using proxy servers and services like Tor.

To prevent this kind of attacks always use a strong SSL encryption, if you are downloading a file and validate it with a MD5-Checksum or PGP Signature if possible.

Wintendo users are lucky this time : Leviathansecurity tells Windows PE Updatefiles were getting now recognized as modified by the verification process. This does not apply to other binaries which are downloaded manually or by any other automated user-defined UpdateTool. You should always check, if your download is valid, by using a provided MD5 Checksum.

Since the common Linux user will compile any binaries from source, he/she should not come across this kind of problems (e.c.: crosscompilers, etc.) . The common procedure should look like this : dl source -> patch -> configure -> compile . Always check compressed data with a MD5 Checksum or PGP Signature. If you are using distributions with precompiled binaries you should not be afraid since those files get commonly validated during the update process(using apt, yum, etc.).

Because most apps are not available as source code on Mac, users are could get a more common target for those forms of attack using non-official packages, for instance. As in the Unix Universe it is standardized to check downloads with a MD5-Checksum or PGP Signature, the update process of an OSX system should not be harmed at all. If possible, you should always validate your manually downloaded binaries.

Source: http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/

How to protect yourself :

Windows: - a Firewall with execution/mem system hook support; means you can control if a process is allowed to do different things just like SELinux for example.

- An antivirus software which checks and updates frequently.

- Manage the rights for users and processes

- Validate your downloads.

Linux:

- Use PaX/Grsec Kernel + UBAC + SELinux. You need to follow the guidelines of your Linux distributor. I would recommend to start off with a Fedora/Debian/Ubuntu and switch to Gentoo or vanilla if you gained enough knowledge to handle a Linux system on your own.

- Do not compile source and execute it's binaries if you are not aware of what it is doing.

- Validate your downloads.

OSX:

- Configure your environment : OSX comes with an implementation of SELinux(MLS) and other security fixes. Compared to Linux it is easy to set up having a graphical user interface.

- Manage process, user, file system, etc. rights and directives for any application/process which could be critical for your system security.

- Validate your downloads.