Slashdot Mirror
Trojan Found in libpcap and tcpdump
msolnik writes "Members of The Houston Linux Users Group discovered that the newest sources of libpcap and tcpdump available from tcpdump.org were contaminated with trojan code. HLUG has notified the maintainers of tcpdump.org. See our reports here or here."
And if I don't remember, this happened befrore. Of course this is one of the biggest strenghts of the Open Source Model.
Code is constantly audited, checked and corrected. If your closed source software has backdoors or trojans...well....who knows but on Open Source is easyly detected.
Use them.
"I'd rather have a full bottle in front of me than a full frontal lobotomy"
"It's the one problem with the open-source community - there's no-one to pay me to pay my staff for the lost man-hours caused by this. "
Doesn't the money come from the money you`ve saved by not having to pay for any software? What did your business plan mention about this? Just a blank page, right? Try it out and see what happens? Well, it's your money!
there's no-one to pay me to pay my staff for the lost man-hours caused by this.
But then again, you had to pay no-one for the man hours you saved by using the open-source code.
Isn't this one too many?
There was dsniff, BitchX, OpenSSH etc. and today tcpdump and libpcap?
Does anyone else think that someone has found a security hole in a popular unix daemon and is having some fun with it before notifying the authors. Or maybe there is a *VERY NASTY* exploit circulating privately?
At least that's what I think.
there's no-one to pay me to pay my staff for the lost man-hours caused by this
Did Microsoft pay you for lost man-hours when your staff battled Nimda or Code Red? Didn't think so.
It is also true that only because this is an open sorce project was such code found. People seem to forget that there is no realy eficient way of checking closed software for sevurity holes. Ontop of that companies are more than likly to place back doors in programs as actual features that are not mentioned in documentation, or only glazed over. My exaple for this was in a Busines programe that I wourk with had the "option for you to enter a code into one of the text fields if you set the computers date to a specific date and then you would be able to edit all records, thus by pasing the simple code that it uses. I fould out about the feature when the was a problem with some of the records and since the files are encoed I wasn't going to search through them in any easy way so I cantacted the programes distributor and they told me of this feature. Just think how meany othe progs out there have stuff like that.
"Good" being the operative keyword.
It would be best not to download the author's public key from the same place you get the source, or else you might as well be fucked. "Gee! It checks out alright, it must have come from my vendor!" Not necessarily.
The good blackhats have lots of compromised machines at their disposal, and are generally way too clever to leave such an obvious clue behind.
It's possible that this guy has something to do with it, but it's more likely that his machine is owned by the same person who managed to put the trojan out there.
If some malicious coder could upload manipulated software, do you not think they could also spoof the MD5 sum also? From what I've seen, the checksum is usually just stored in a text file in the same directory.
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
md5sum doesn't guarantee anything other than saying that the version you downloaded was the one that the author/host put out there for you to download (and not someone else's). If the author/host put a trojan in it, the md5sum will be for the trojan'd software.
In the end, it still comes down to whether or not you (can) trust the author/host.
The trojan code seems somewhat complex and unreadable at first glance. The variable names don't express much of the semantics. It even doesn't have any comments. No wonder no one notices if this kind of stuff is written into code. And this is very clear code.
/* Here's stuff for the trojan. */, but if all code is well documented, it's generally easier to understand and intentional obfuscation might be easier to spot.
Even (or especially) free software developers should use more descriptive variable names and comment their code well. It makes the code much more readable for analysis, both security or quality reviews.
Well, ok, crackers probably want to obfuscate their code with
I'd recommend the rule: "One comment per statement, except when really unnecessary." Many people think it's silly, but those people haven't had to read a lot of other people's code.
Hmm, I wonder why they used port 1963...author's birth year? Nah, that would be too old for a typical cracker.
"It's the one problem with the open-source community - there's no-one to pay me to pay my staff for the lost man-hours caused by this. "
And this is different from Closed Source how ?
Doesn't the money come from the money you`ve saved by not having to pay for any software? What did your business plan mention about this? Just a blank page, right? Try it out and see what happens? Well, it's your money!
Same place it will come from if you use Closed Source software, using Open Source products does not mean zero cost IT, it means lower cost IT. If your company did plan for these things, then it will make no difference what products you are using.
Fascism should more properly be called corporatism, since it is the merger of state and corporate power - Benito Mussoli
The reason this is a problem is that nebulous shrug of an answer to the question "Who are you trusting to provide this code which you execute?" It could be an anonymous PGP/GPG key, but to violate people's trust would mean that trusted token is no longer trusted, and thus it would identify the other risks out there.
Imagine the tcpdump distributions were signed by an anonymous key. We could look over the code, and decide to trust that key. Later, people would be able to tacitly trust that key to sign tcpdump tarballs. One day, the tcpdump code will fail to match the signature: it will be caught before being executed, and the trojan will be discovered quickly. Later, another trojan will appear, but the signature will match. A few people will be bit, but the key will be exposed and others will be able to quickly identify their risk.
At the VERY LEAST, use MD5 sums on the files like FreeBSD ports!
--- Nothing clever here: move along now...
I think the worst thing is that the server the trojan connects to is still operating :
$ nc -vvv 212.146.0.34 1963
mars.raketti.net [212.146.0.34] 1963 (?) open
M sent 0, rcvd 1
The program connects to 212.146.0.34 (mars.raketti.net) on port 1963 and reads one of three one byte status codes:
A - program exits
D - forks and spawns a shell and does the needed file descriptor manipulation to redirect it to the existing connection to 212.146.0.34.
M - closes connection, sleeps 3600 seconds, and then reconnects
maybe someone should contact the machine administrator before more people get owned.
ex$$
This apparently misleading (albeit well-intentioned) comment gets modded +4 interesting, meaning that almost everyone will see this poor guy's name.
/. An early poster makes assumptions and gets modded way the hell up, then all the rebuttals pointing out he's talking out of an unreliable orifice wallow in the low point range.
All the replying posts pointing out that it's a phone company/ISP and it's almost certainly nothing to do with this chap are at 2 or below, meaning that many people won't see them and this individual's name is now besmirched.
And, by the way, this happens all the bl**dy time on
Yeah, I know it's off-topic. Just wanted to rant about something that irritates me. Return to your normally-scheduled bits and pieces.
Normally a md5 checksum is stored in a different server... or at least it should be,
rm -rf /home/leia
irssi
fragroute, dsniff, fragrouter
BitchX
This message says Recently there have been a spat of well publicized attacks against what I would consider to be the backbone of the open source movement - it's source code distribution system. Hackers have been penetrating people who download, say, OpenSSH and then compile it to use on their systems by trojaning OpenSSH itself. This strikes at the very HEART of Open Source by making the act of installing the software a weakness. Because Open Source has no one distribution point, there are many places for someone to verify if they want to install software securely. Because there are no vendors, the sites people download software from are usually not provided with a dedicated security staff.
This is serious, guys and gals. Use the source, Luke - but what if I can't trust the source any more? Open Source has to find a method to get around this problem; see this post.
"There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
Okay, I've been confused about this MD5 thing. Most often, the MD5s are either in a file in the ftproot, or in the readme if you've owned the server enough to stick a trojan in the source code, can't you just put in the MD5s of your altered source? I thought the main reason for checksums was to check for corrupt/missing data after the download, which was way more important in the noisy line modem days.
Note that THE DATE ON THE FILE DOESN'T MATTER. It was trojaned last night, not last year.
The fact that someone so ineptly trojaned the source, not even bothering to generate a new md5sum, suggests that it's someone out to make it obvious looking. Someone who has a reason to discredit open source. Someone like a former script kiddie employed by microsoft...
Never mind that russian crackers were wondering round MS servers for MONTHS back in 2000...
You don't seem that confused to me! :-) Your point is entirely valid, if the checksum is on the compromised FTP server, it's not going to be much help. If it's on a seperate webserver, there's a chance it'll be valid, but using a checksum, while being a quick and reasonably simple way of checking such downloads, should never be taken as a guarantee. They only thing they will guarantee, is that the copy you have on your hd is the same as the copy that's on the server. Only if you can trust the source of the checksum are they useful in such circumstances, otherwise take them with a pinch of salt.
Try NetBSD... safe,straightforward,useful.
1. Just grab the source and build it. This is no better than grabbing a binary and running it, as far as security goes.
2. Grab the source, check the MD5 sum, and then build it. This is no better than grabbing the binary, checking the binary's MD5 sum, and then running it.
3. Grab the source, diff it against the previous source you were running, and at least glance at the diffs to see if anything looks suspicious. This is the only way that using source gives you more security than using the binary.
People using source for security who are in category 1 or 2 are just fooling themselves.
Interesting that there is no mention of this on the tcpdump.org website, one would think they would at least post something about it.
The right way to do things is for the person who makes the release package (e.g., the tarball, or the rpm, or whatever) to digitally sign it. They should do the signing on a machine other than the web server or FTP server. Ideally, they do the signing on their development machine, which is safetly tucked away on a network that crackers can't get to.
One thing that would be useful would be for the author to either GPG/PGP sign the file with the MD5 sums with a trusted signiture or sign the actual source/binary tarballs themselves. A lot of linux vendors seem to be doing this recently.
J
If you read the script properly, you'll see it does trojan the binaries built from it. "The (relevant) gencode.c diff:" part shows how it filters out the port used by the trojan.
Maybe somebody has already posted this idea as a project on sourceforge..
There have been too many of these incidents lately, and it's giving OSS a bad odor. We must be carefull. Telling the rest of the world closed binaries are infected often as well does not help. The damage is already done.
This is my idea to prevent most of these jokers tricks.
In stead of placing the checksums next to the source on the same server we nead to place it some where safe. A number of centralized servers with a sole purpose to serve these sums, in several locations, on preferably differend operating systems. This combined with the use of eg PGP.
All distro's, for those who have not already, must apply a simple program ala portage and apt that checks against multiple PGP-key servers before the build commenses.
Now, how to make sure the admin of the project is the one signing the source on his machine.............
Why are other peoples sig's always more witty ???
All the replying posts pointing out that it's a phone company/ISP and it's almost certainly nothing to do with this chap are at 2 or below, meaning that many people won't see them and this individual's name is now besmirched.
The sad part of this is the fact that we (people who have moderator points to give away) can't really fix the problem even after we're told about it. I could go back and mod down the misleading post, but then some metamoderator would see that I modded down what appears at face value to be an "interesting" post and I would be the one who was bitch-slapped for abusing my moderator points. All we can really do is mod up the replies, making the whole thread +5 in order to dilute the bad moderation.
Such as, what if a cracker got into my machine and set up (amongst other things) a patched version of md5sum, that knew which files had been altered, and what their orignal md5sums were, so I couldn't rely on that for my security? This paranoia went as far as worrying about whether it would be possible for someone to alter gcc, such that not only would it add malware functions to anything I compiled, but also to work out when it was being used to compile a compiler, and install this same such functionality into that. I spent ages trying to convince myself that that would be far too complex to do, maybe even impossible * , but at the same time tried to work out ways to bootstrap a C compiler that I could believe was indeed utterly trojan-free.
<sigh> I expect there's a word for that, and I'm sure it's not one I want to hear :P
* -I'm sure that it could be made to use certain cues, such as filenames, etc, to decide that it was compiling part of a specific compiler, such as another copy of gcc, and only do the modification on that. But I'm sure you can't write an algorithm to detect that a piece of code constitutes a compiler, let alone part of one (because of course, gcc only works on one source file at a time, not whole projects).
Be careful! New moon tonight.