
Can I get "hacked" by a Tor node? My computer is sending packets through the Tor nodes and receiving packets from them as well. Can I be sure that there are no Tor nodes that manipulate the packets sent through them and could infect my computer with malware?

esnowrackley

  • Not really worthy of a full answer since I have yet to learn more on the subject, but what I think you're looking for would be 'Drive-By Hacking' and can be done through Tor, and is currently in use by a branch of the United States investigative services. [Source](http://www.wired.com/2014/08/operation_torpedo/). – esnowrackley Aug 09 '14 at 04:21

2 Answers


Some Tor exit nodes are known to be hostile, typically injecting advertising Javascript into any unencrypted web page that passes through them. There's no reason such nodes can't inject attack Javascript or other malware.

Barring a security flaw in the Tor software itself, an entry or relay node cannot attack your computer (other than trivial attacks such as traffic flooding) because they can't perform the encryption needed to modify packet contents (only the exit node can).

In general, any traffic you send through Tor should be encrypted, to prevent the exit node from sniffing or tampering with it.

Mark

  • Just a comment to clarify: the exit node also can't modify encryption in any way; it just happens to be the last node to decrypt the message out of Tor. As Mark implies in his last statement, Tor is not a substitute for secure browsing. If you send it in un-encrypted, it comes out un-encrypted. – RoraΖ Aug 08 '14 at 11:28
  • If I understand the answer correctly, [Spoiled Onions](http://www.cs.kau.se/philwint/spoiled_onions/) would be such bad exit nodes, and the link above provides the research papers on why and how they work. These papers even provide a list of known "Spoiled Onions" which, despite being published in January of 2014, may still be helpful. – esnowrackley Aug 09 '14 at 04:28
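The answer above describes exit nodes that inject JavaScript into plaintext HTTP pages. One defender-side way to detect that is to fetch the same page over a trusted path (for example direct HTTPS) and over the path under test, then compare the `<script>` elements of the two copies. The code below is an added example, not part of the original answer or of any Tor Project tool; it assumes you already hold both copies of the HTML (the sample pages here are constructed) and it only diffs script elements, so a tampered external script body served from the same URL would not be caught by it.

```python
"""Detect <script> elements injected into a plaintext HTTP page.

Added example (not from the original post). Assumed workflow: fetch the page
once over a trusted path and once through the path under test, then call
find_injected_scripts() on the two bodies. Any script present only in the
observed copy is a candidate injection. All HTML below is constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ScriptCollector(HTMLParser):
    """Collect external script src values and hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = set()   # src attribute values of <script src=...>
        self.inline = set()     # sha256 hex digests of inline script text
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src.strip())
        else:
            # HTMLParser delivers the raw body of <script> via handle_data
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip()
            if body:
                self.inline.add(hashlib.sha256(body.encode()).hexdigest())
            self._in_script = False


def collect_scripts(html):
    """Return (external_srcs, inline_hashes) for one HTML document."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def find_injected_scripts(reference_html, observed_html):
    """Scripts present in observed_html but absent from reference_html.

    A modified inline script also shows up here, because its hash changes.
    """
    ref_ext, ref_inline = collect_scripts(reference_html)
    obs_ext, obs_inline = collect_scripts(observed_html)
    new_ext = sorted(obs_ext - ref_ext)
    new_inline = sorted(obs_inline - ref_inline)
    # Hosts that the observed copy pulls code from but the reference does not
    new_hosts = sorted({urlsplit(s).hostname for s in new_ext
                        if urlsplit(s).hostname})
    return {"external": new_ext, "inline": new_inline, "hosts": new_hosts}


# Constructed sample: the page as served over the trusted path
REFERENCE = """<html><head><title>Example</title>
<script src="https://www.example.org/app.js"></script>
</head><body><p>Hello</p>
<script>console.log("ok");</script>
</body></html>"""

# Constructed sample: the same page with two scripts appended by a hostile hop
OBSERVED_TAMPERED = REFERENCE.replace(
    "</body>",
    '<script src="http://ads.invalid/inject.js"></script>\n'
    '<script>var injected = 1;</script>\n</body>')


if __name__ == "__main__":
    print("clean copy:", find_injected_scripts(REFERENCE, REFERENCE))
    print("tampered copy:", find_injected_scripts(REFERENCE, OBSERVED_TAMPERED))
```

In practice the reference copy would be fetched over HTTPS with certificate verification, and the observed copy over the circuit under test; a non-empty `hosts` list for a page that was otherwise identical is the signal worth investigating, since it names the origin the injected code is loaded from.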

YES! I will explain why.

Last August spikes in Tor client downloads were traced to a large click-fraud and Bitcoin-mining botnet called Sefnit. The malware was using TOR to communicate with hackers in order to transmit stolen data and receive additional commands.

At the same time, members of the Tor Project noticed that the number of Tor clients online went up from 50,000 to 2.5 million in less than 3 weeks. They checked with OS vendors to see whether any of them had started bundling Tor with their offerings and came up empty. Similarly, they checked whether the number of journalists and activists using Tor had increased. However, none of the above factors were found to be true. Eventually, after some more serious digging, they came to the conclusion that the millions of new Tor clients were part of a botnet whose owners had recently decided to use the Tor network for some reason. These Tor clients got bundled into some new software which got installed onto millions of computers pretty much overnight.

https://blog.torproject.org/blog/how-to-handle-millions-new-tor-clients

This malware uses command and control connectivity via Tor .onion links over HTTP.

Tor officials are taking steps to alleviate the effects of the botnet on the TOR network. Tor users have been encouraged to upgrade to the newest version of Tor, which includes a new handshake feature.

  • Your answer claims that TOR was used to host the C&C servers for a malware, not that a TOR node is infecting a user with anything. The fact that the amount of TOR clients jumped so high shows that the malware installed and used TOR, not that the malware was delivered via TOR. – Chris Murray Sep 24 '14 at 10:38