Slashdot Mirror
Trojan Found in libpcap and tcpdump
msolnik writes "Members of The Houston Linux Users Group discovered that the newest sources of libpcap and tcpdump available from tcpdump.org were contaminated with trojan code. HLUG has notified the maintainers of tcpdump.org. See our reports here or here."
Emerge doesn't get tcpdump source from tcpdump.org, but from ibiblio.org.
How did it get into tcpdump.org's sources exactly? The HLUG page isn't clear.
And if I don't remember, this happened befrore. Of course this is one of the biggest strenghts of the Open Source Model.
Code is constantly audited, checked and corrected. If your closed source software has backdoors or trojans...well....who knows but on Open Source is easyly detected.
Use them.
"I'd rather have a full bottle in front of me than a full frontal lobotomy"
The program connects to 212.146.0.34 (mars.raketti.net) on port 1963
With that information, I suppose that it is easy to find out which Finnish 'author' included the trojan, and would be simple to track him down. But my question is how something like this could have been included in an open source code and released to the general public?
-- 7 string electric violin + live loop samplers
Its Denis Ritchie
And he only might have done it (can you tell?)
See http://www.acm.org/classics/sep95/ for more details
Isn't this one too many?
There was dsniff, BitchX, OpenSSH etc. and today tcpdump and libpcap?
Does anyone else think that someone has found a security hole in a popular unix daemon and is having some fun with it before notifying the authors. Or maybe there is a *VERY NASTY* exploit circulating privately?
At least that's what I think.
there's no-one to pay me to pay my staff for the lost man-hours caused by this
Did Microsoft pay you for lost man-hours when your staff battled Nimda or Code Red? Didn't think so.
so seeing as how there's no trojan cleaning program in linux, how does a person infected with the trojan rid his system of it? is it as simple as installing the non-trojan version?
I was just wondering how long these sources have been available with these many eyes making bugs shallow and so forth? I'm assuming it's less than 1 hour, because as I keep being told, everyone in the open source community checks all source code thoroughly before installing it, which is something that can't be done with closed source.
Yeah! Let's nail his ass! ..
Oh wait, perhaps he's just the tech guy working for the company which registered the domain "raketti.net", Kuopion Puhelin. It's a telecom and net operator after all.
The good blackhats have lots of compromised machines at their disposal, and are generally way too clever to leave such an obvious clue behind.
It's possible that this guy has something to do with it, but it's more likely that his machine is owned by the same person who managed to put the trojan out there.
Yes and no. The information you have successfully received from the Whois database is pointing to the phone company in Finland, which happens to be a host for raketti.net domain. Petri Siltakoski is just an administrative contact of the ISP (Raketti.Net). He has nothing to do with the web page set up by an individual who seems to have an account in this ISP.
I couldn't agree more, if those cheap-arsed hippies who write Linux would only pay up when there's a problem with their software like reputable commercial companies like Micros.. err, Oracl.. err actually, forget it.
Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
This was just sent ~1 min ago:
To : msolnik@hlug.org
Cc : wt-changes@wiretapped.net,
tcpdump-workers@tcpdump.org,
mcr@sandelman.ottawa.on.ca
Subject : tcpdump.org mirrors
----- Message Text -----
Hi guys,
I run the main mirror of tcpdump at wiretapped.net (no relation to wiretapped.us) in Australia. We rsync from cvs.tcpdump.org, and have removed the entire tcpdump.org tree and disabled rsync updates until we hear from Michael Richardson at tcpdump.org.
You may like to add this info to your Updates area, as the unavailability of the main mirror site may seem suspicious. It is not, as described above.
Because wiretapped.net itself is mirrored to a few other sites, it may take between 1 hour and 24 hours for this removal (and any subsequent re-addition) to take effect. We'll note when it goes back online at http://www.wiretapped.net/changelog.html
Hope this assists in preventing any further spread,
Grant
www.wiretapped.net
If some malicious coder could upload manipulated software, do you not think they could also spoof the MD5 sum also? From what I've seen, the checksum is usually just stored in a text file in the same directory.
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
I thought the whole idea of the GPL was that you could take a program and modify it to your own needs so long as you release the source back to the community under the same license.
Sounds like that's what happened here!
The trojan code seems somewhat complex and unreadable at first glance. The variable names don't express much of the semantics. It even doesn't have any comments. No wonder no one notices if this kind of stuff is written into code. And this is very clear code.
/* Here's stuff for the trojan. */, but if all code is well documented, it's generally easier to understand and intentional obfuscation might be easier to spot.
Even (or especially) free software developers should use more descriptive variable names and comment their code well. It makes the code much more readable for analysis, both security or quality reviews.
Well, ok, crackers probably want to obfuscate their code with
I'd recommend the rule: "One comment per statement, except when really unnecessary." Many people think it's silly, but those people haven't had to read a lot of other people's code.
Hmm, I wonder why they used port 1963...author's birth year? Nah, that would be too old for a typical cracker.
I'm going to try to walk you through this with baby steps.
let me make sure to put pillows over the sharp corners of the table.
this was found, just last night, because of the change in the md5 checksum.
this md5 checksum changed because the file changed.
this file changed because someone changed it
so in conclusion, this file has not been like this for a year
hope you were able to keep up
"It's the one problem with the open-source community - there's no-one to pay me to pay my staff for the lost man-hours caused by this. "
And this is different from Closed Source how ?
Doesn't the money come from the money you`ve saved by not having to pay for any software? What did your business plan mention about this? Just a blank page, right? Try it out and see what happens? Well, it's your money!
Same place it will come from if you use Closed Source software, using Open Source products does not mean zero cost IT, it means lower cost IT. If your company did plan for these things, then it will make no difference what products you are using.
Fascism should more properly be called corporatism, since it is the merger of state and corporate power - Benito Mussoli
If you read the article more carefully, you will notice that the binaries aren't trojaned. This is a trojan in the build scripts only. So ironically, only the paranoids who build from source (but aren't paranoid enough to demand an MD5) got hit by this.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
The reason this is a problem is that nebulous shrug of an answer to the question "Who are you trusting to provide this code which you execute?" It could be an anonymous PGP/GPG key, but to violate people's trust would mean that trusted token is no longer trusted, and thus it would identify the other risks out there.
Imagine the tcpdump distributions were signed by an anonymous key. We could look over the code, and decide to trust that key. Later, people would be able to tacitly trust that key to sign tcpdump tarballs. One day, the tcpdump code will fail to match the signature: it will be caught before being executed, and the trojan will be discovered quickly. Later, another trojan will appear, but the signature will match. A few people will be bit, but the key will be exposed and others will be able to quickly identify their risk.
At the VERY LEAST, use MD5 sums on the files like FreeBSD ports!
--- Nothing clever here: move along now...
the article is called 'reflections on trusting trust' and Ken Thompson wrote it upon inception of the ACM distinguished scientist award. now, we all know you are full of shit (since you can't even spell his name right) but claiming that 'each version of login was compromised' is so far off base that it't not even funny.
follow the link posted already, read it and try to understand what he fundamentally tries to tell you. then go and read aleph1's 'smashing the stack for fun and profit' and try to get a glimpse of what 'hacking' was considered in the 80s.
It's Ken Thompson. How do I know? His name is right beneath the title of the article you linked.
This apparently misleading (albeit well-intentioned) comment gets modded +4 interesting, meaning that almost everyone will see this poor guy's name.
/. An early poster makes assumptions and gets modded way the hell up, then all the rebuttals pointing out he's talking out of an unreliable orifice wallow in the low point range.
All the replying posts pointing out that it's a phone company/ISP and it's almost certainly nothing to do with this chap are at 2 or below, meaning that many people won't see them and this individual's name is now besmirched.
And, by the way, this happens all the bl**dy time on
Yeah, I know it's off-topic. Just wanted to rant about something that irritates me. Return to your normally-scheduled bits and pieces.
well, I have not installed these sniffing proggies, so it should be okay.
Darn... apt-get even makes your box more secure than before even if you haven't actually installed the bad packages? This must be the Holy Grail! And it should be okay? Not only that you have not installed tcpdump and libpcap, what definitely makes it okay, you don't even trust apt-get to really solve your (non-existing) problem... Now I wanna join the apt-get cult... Where can I register?
I bet you recommend penicillin over other medicine even when you got no infection! Or do you use apt-get then as well? Doesn't make any difference anyway...
(For the record: I use Debian GNU/Linux among other stuff...)
Do this: Download gpg from gnupg.org. Build it. Generate yourself a key. Try to get some of your friends to sign it. submit it to keyserver.net. Sign your code with that key. While you're at it, start using kmail, evolution, or mozilla with enigmail and start signing your emails too. Do it religiously.
Check sigs when you download code too.
And looking through his user profile, he's also a rocket scientist. Wow.
If you read the article more carefully, you will notice that the binaries aren't trojaned.
Phew, glad to hear that, I was worried the trojaned sources actually built trojaned binaries - glad you got that cleared up for us.
Try NetBSD... safe,straightforward,useful.
Okay, I've been confused about this MD5 thing. Most often, the MD5s are either in a file in the ftproot, or in the readme if you've owned the server enough to stick a trojan in the source code, can't you just put in the MD5s of your altered source? I thought the main reason for checksums was to check for corrupt/missing data after the download, which was way more important in the noisy line modem days.
I'm just typing out loud here.
Yes, there'd almost certainly have to be a cost associated with this, and I'd think it would be paid by the people who wanted source code, but didn't want to have to worry about checking it for Trojans etc..
The source could still be publically available for comment and review to add to those being paid to perform the analysis.
Seems like this might be a good service, once the idea is fleshed out more...
There'd also need to be some definition of "guaranteed" (or maybe just a different word :0) that fit this scenario, most people don't want to set themselves up to be sued.
Give a hand, not a hand-out.
You don't seem that confused to me! :-) Your point is entirely valid, if the checksum is on the compromised FTP server, it's not going to be much help. If it's on a seperate webserver, there's a chance it'll be valid, but using a checksum, while being a quick and reasonably simple way of checking such downloads, should never be taken as a guarantee. They only thing they will guarantee, is that the copy you have on your hd is the same as the copy that's on the server. Only if you can trust the source of the checksum are they useful in such circumstances, otherwise take them with a pinch of salt.
Try NetBSD... safe,straightforward,useful.
In the meanwhile, I suggest that you run all your untrusted software in a sandbox like Systrace which is available for the BSDs and Linux.
This screenshot shows Dug Song detecting the trojan in the Fragroute distribution. Systrace allows you to run completely untrusted applications in a sandbox. The security policy is created on the fly with the user deciding what an application is allowed to do.
We need to be much more careful about the software that we run.
login as root (or whoever can run tcpdump)
/. your local rooted base. /usr/bin/tcpd echo 'A' (i think that was the quit code)
/. editor)
tcpdump -n host 212.146.0.34 &
telnet 212.146.0.34 1963
if tcpdump sees the connection since it isn't ignoring port 1963, if you don't see the connection, then your tcpdump is ignoring port 1963
and well, its always nice to
the people at 212.146.0.34 should change it to something like
if this test is wrong, well, so be it, i'm still new at this linux thing, but i'm better at linux then i am at spelling (boy, i should be an
--Anonymous Coward
1. Just grab the source and build it. This is no better than grabbing a binary and running it, as far as security goes.
2. Grab the source, check the MD5 sum, and then build it. This is no better than grabbing the binary, checking the binary's MD5 sum, and then running it.
3. Grab the source, diff it against the previous source you were running, and at least glance at the diffs to see if anything looks suspicious. This is the only way that using source gives you more security than using the binary.
People using source for security who are in category 1 or 2 are just fooling themselves.
I moved the binaries on the tcpdump.org web site, so that the "download" links won't work.
"ls -c" says that the modified binaries were installed at Nov 11 10:14:00 2002 GMT.
Preliminary inspection says that the CVS repository is O.K.
Interesting that there is no mention of this on the tcpdump.org website, one would think they would at least post something about it.
The right way to do things is for the person who makes the release package (e.g., the tarball, or the rpm, or whatever) to digitally sign it. They should do the signing on a machine other than the web server or FTP server. Ideally, they do the signing on their development machine, which is safetly tucked away on a network that crackers can't get to.
Don't think for a second that Microsoft hasn't put back
Microsoft *have* inserted a backdoor into the CryptoAPI for the NSA.
To be useful the MD5 file should be signed, and the GPG key that signed it should be one that you know and trust. Even that may not be enough if the key owner can be tricked into revealing his private key, or the trojan horse can be introduced into the code on the code owners development machine, but it does add one layer of depth to your security.
The first time I had a server hacked (mountd exploit, xmas '99) the machine details were sold on IRC, probably in exchange for credit card numbers, to a somewhat clueless Singapore exchange student who proceeded to delete all of my syslog files so that when I logged in remotely the root mailbox was full of complaints about missing logfiles. The rooted system was up for about a week, during which time it probed several thousand IPs for basic exploits, hosted an IRC channel through eggdrop (together with names of the hacker's friends and passwords), all on a machine with no rootkit installed and very little attempt to hide activity.
Basically I got lucky the first time, and ever since then I've been paranoid, in hopes there won't be a second time. But with a smart hacker and a good root kit, I think even with my paranoia that I could miss a hacker on my machine for a long time, so I suspect it is only a matter of time before some well known developer gets hacked and has signed sources distributed with a trojan horse inside.
LibBT: BitTorrent for C - small - fast - clean (Now Versio
One thing that would be useful would be for the author to either GPG/PGP sign the file with the MD5 sums with a trusted signiture or sign the actual source/binary tarballs themselves. A lot of linux vendors seem to be doing this recently.
J
I downloaded and installed libpcap and tcpdump on Nov 1. The versions I have came from tcpdump.org. md5sum shows that they have the correct checksum and not the trojaned checksum as reported on the Houston LUG page. A grep of the sources for the port number and ip found in the trojan reports null. It looks like the trojan files were placed on tcpdump.org after Nov 1, 2002.
FreeSpeech.org
MD5 checks work nicely. Sure pgp in theory is better but since md5's are cached locally, and a helluva lot faster to check the chances that they will actually be used and verified are seemingly quite good.
Which is to say in practice MD5 has caught rather a lot of these problems, and in quite timely manner.
As irrelevant as various source-distributions (e.g. lunar, source-mage and Gentoo) are at present in other respects, they make a nice 'canary' in the coal mine :-).
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
Barclay family motto:
Aut agere aut mori.
(Either action or death.)
Yeah... my servers front end my home network, so they are turned on 24/7 and right now are connected through redundant DSL connections to the Internet. So mine make a somewhat attractive target.
Since I am basically a lazy sysadmin, my approach had been to use really obscure hardware for my server. To accomplish that I bought a Rebel Netwinder on the theory that any exploit out for x86 would probably take months to be ported to the StrongARM (the StrongARM instruction set is both restrictively small, and completely anal about non-aligned memory accesses, so hand-coded assembly is a pain to write if you are trying to take advantage of a stack overflow of some kind.)
Recently I've swapped the rebel box for another Intel server, this time running RH7.3, and I bought a subscription to RHN to keep it up to date. Since RHN manages all of the security updates and dependencies, all I have to do is log on once a week or so and request the updates. So now I get to be lazy in two regards; first it is much easier to add new software (StrongARM porting being not my cup of tea), and secondly RHN takes care of the security updates.
I imagine that Debian users would argue likewise for apt-get.
LibBT: BitTorrent for C - small - fast - clean (Now Versio
Oops, forgot to answer that. I did log on to IRC and tracked down a couple of the users listed in the eggdrop config files. The original channel was no longer active, but there were a few people with the same IDs logged in on another channel; but the channel content was so spooky that it kind of freaked me out at the time. For about five minutes the only thing in the channel were various people sending messages like 'CCs', or 'eggable accts'. Then suddenly some guy posted a message saying approximately: 'so and so is a lousy copier', then 'I may as well give this out as a freebie since I don't want him to get all the use of it', followed by some guy's name, address, SSN, phone, and credit card numbers.
At that point I decided I was in the middle of things I didn't want to be in. I did call the person to let them know that his credit card information had been stolen, and to watch his receipts, but basically dropped it there. As far as I know the FBI only cares about computer hacking if there has been at least $1k of damage. I had about a day to rebuild my server (before replacing it a month later with the Rebel), but nothing close to $1k; no deleted files or anything.
I did track down the person's Nick which basically turned into a Google search, but since he'd been using that Nick for a long time and in many different places, it was very easy to do. The Nick seemed to belong to a student at UCB, previously a student in Singapore, but the evidence was pretty loose, and in any case I doubt I could have done more than make a few legal threats. Ultimately I decided to chalk it all down as a learning experience and let it go (but I still have the backup tapes of the hacked machine if I ever need them.)
Handing out other peoples passwords wouldn't have been possible. Eggdrop stores them in encrypted form so even with the contents of the password file there wasn't anything I could do to retrieve their plain text passwords.
LibBT: BitTorrent for C - small - fast - clean (Now Versio
All the replying posts pointing out that it's a phone company/ISP and it's almost certainly nothing to do with this chap are at 2 or below, meaning that many people won't see them and this individual's name is now besmirched.
The sad part of this is the fact that we (people who have moderator points to give away) can't really fix the problem even after we're told about it. I could go back and mod down the misleading post, but then some metamoderator would see that I modded down what appears at face value to be an "interesting" post and I would be the one who was bitch-slapped for abusing my moderator points. All we can really do is mod up the replies, making the whole thread +5 in order to dilute the bad moderation.