Published in News

Tor users told to check for malware

by on 28 October 2014


Squeeze your node and cough

Tor users have been told to secure their connections and check their computers for malware, after a security researcher discovered that the service was being used to inject potentially malicious code into downloads.

Josh Pitts, a security researcher for Leviathan Security, said that one Tor exit node, based in Russia, has been silently altering programs downloaded through Tor.

Programs for Windows, when downloaded through the malicious node, were silently wrapped in malware; even files downloaded through Windows Update were affected.

While Microsoft’s own tools could spot a tampered download, Pitts says the unspecific error code can actually lead a user back into danger.

“If you Google the error code, the official Microsoft response is troublesome,” he says. “The first link will bring you to the official Microsoft Answers website … If you follow the three steps from the official MS answer, two of those steps result in downloading and executing a MS ‘Fixit’ solution executable.

“If the attacker is patching binaries as you download them, these ‘Fixit’ executables will also be patched. Since the user, not the automatic update process, is initiating these downloads, these files are not automatically verified before execution as with Windows Update. In addition, these files need administrative privileges to execute, and they will execute the payload that was patched into the binary during download with those elevated privileges,” he said.

The Tor Project has flagged the malware-spamming Russian node as malicious, ensuring that properly updated users will not encounter it again. But, says the project lead, Roger Dingledine, “it seems like a tough arms race to play … the better approach is to have applications not blindly trust unauthenticated bits they get from the internet.”
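As an added illustration (not part of the original article or of Pitts's research), the PowerShell function below applies the kind of check Dingledine describes to a manually downloaded Windows executable: the file is rejected unless its Authenticode signature validates and the signer is the expected publisher. The function name, its parameters and the sample path are assumptions made for this example.

```powershell
# Added example, not from the article. Function and parameter names are hypothetical.
function Test-DownloadedBinary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,

        # Assumption: the publisher you expect to have signed the file.
        [string]$ExpectedPublisher = 'Microsoft Corporation',

        # Optional: SHA-256 published by the vendor over an authenticated channel.
        [string]$ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "File not found: '$Path'"
        return $false
    }

    # Status is 'Valid' only when the file still matches the signed hash and
    # the certificate chain is trusted. A binary modified in transit would be
    # expected to show up as HashMismatch, or NotSigned if the signature is gone.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Rejecting '$Path': signature status is $($sig.Status)"
        return $false
    }

    # A valid signature from an unexpected signer is still a failure.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    if ($signer -ne $ExpectedPublisher) {
        Write-Warning "Rejecting '$Path': signed by '$signer'"
        return $false
    }

    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.Trim()) {   # -ne compares case-insensitively
            Write-Warning "Rejecting '$Path': SHA-256 mismatch"
            return $false
        }
    }
    return $true
}

# Usage (constructed path): launch the file only if every check passes.
# $file = "$env:USERPROFILE\Downloads\fixit.exe"
# if (Test-DownloadedBinary -Path $file) { Start-Process -FilePath $file }
```

Matching on the signer's display name is the weakest part of this check; where the vendor publishes a certificate thumbprint or a file hash over an authenticated channel, compare against that as well.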
