Using an exitmap module he created, Josh Pitts, a researcher with Leviathan Security, has discovered that a Tor exit node in Russia is adding malware to downloaded binaries, according to a Thursday post.
In a Friday post, Roger Dingledine, the Tor Project director, wrote that a BadExit flag has been set on the relay to prevent others from accidentally running across it.
It is the only one of more than 1,110 exit nodes on the Tor network found to be patching binaries, Pitts wrote, explaining that the node attempts to patch nearly every binary he tested.
“The node only patched uncompressed PE files,” Pitts wrote in the post. “This does not mean that other nodes on the Tor network are not patching binaries; I may not have caught them, or they may be waiting to patch only a small set of binaries.”