Trojan Added to TCP Wrappers Source on FTP
P.J. Hinton wrote in to
send us a link to a CERT advisory explaining that the sources
to TCP wrappers were actually replaced
with a nice new and improved version. Complete with a trojan.
It was caught fairly quickly after it was uploaded, but it's
still kinda scary. Update: 01/22 01:07 by CT :
Several people sent the Bugtraq post
over at Linux Today. A lot more details clarifying the situation.
Sounds like a real wanker thing to do.
I'm the nerdy geek butt-head who was first today. Nayda Nady nah nah. Flame away!!! I'm a dork OK!
This is just the reason why we need solid and unrestricted encryption software...
HAHAHAHAHA, I AM THE ONE WHO UPLOADED THE VIRUS, AND ITS ON YOUR SYSTEMS NOW TOO.
bring back the death sentence for hackers for acts of this nature.
busted in front of all the slashdotters..
Rather than just say we were warned a while ago, I'll put August 1984 as the date of publication. Is that long enough ago? Publicly available source has been susceptible to idiocy for a long time, and people have been saying that its being open also would allow detection. It was indeed detected, just as many bugs have been detected in public code. Now trace the server logs and bill the idiot.
You don't know if he calls himself a hacker.... :)
No, you are a moron who thinks that a virus is the same
as a trojan.
Great ideas. I'm a Brit myself, and we have all sort of things reserved especially for these people kept in the Tower of London. ;o)
Could this be Micro$oft's first attack? Perhaps just a test? This is one of the few ways that OSS could be destroyed. If the programmers/developers spent all their time removing/fighting trojans, there would be no time to spend on improving or creating programs.
Wanted: Linux version of Mcafee and Trojan Condom.
I recall WU-ftpd 2.3 was infested with a trojan.
They bumped the version to 2.4 after that.
This occurrence is not the first, I am sure.
--P
Would this have ever been caught if the author did not sign his distributions? That seems to have been the only tripwire in place. And from what I have read, PGP signatures are not common.
But if the hacker chose his target a little more carefully, this trojan may never have been detected.
So the first step is to request all authors sign their work.
Is there anything else that can be done, to lay a second tripwire? I imagine that if one lock is good, two are better. But I don't know what other measures can be taken.
So maybe they got one. Who's to say that there aren't thousands or more? Maybe even YOU are running a daemon with a backdoor. How would you know? You don't examine every part of the source.
Of course, you can assume if you got it from a reputable download site then the source has been checked by someone.
HAHAHAHAHA, I AM THE ONE WHO UPLOADED THE VIRUS, AND ITS ON YOUR SYSTEMS NOW TOO.
"Oh no! I've got a virus! My poor computer is going to burst into flames even as I type this!"*SHRIEK*
Get real. Slashdot has got to be the worst place to try to spoof someone like this. (Great haven for trolls, though...)
1) It's not a virus, it's a Trojan Horse. Not the same thing.
2) This is _source_code_ right? Code that was corrected and replaced within less than a day? How many people have downloaded that source, incorporated that code into something usable, compiled it, and are executing it right at this moment? Maybe a couple of dozen?
(Granted, there is a slim chance there are people who have downloaded that code, are using it in their products, and have not yet seen the CERT advisory. But I doubt there will be any of that code in circulation within 48 hours.)
Jay (=
(No cookie still, and probably justifying yet another troll attempt in the future...)
If this was a WinNT trojan again.. most of the people here would be asking where they could find this program.. But when it is unix it is just almighty bad!.. I think that is just wrong and stupid.
Is there anything else that can be done, to lay a second tripwire? I imagine that if one lock is good, two are better. But I don't know what other measures can be taken.
Multiple signatures, for one.
Have an interested third-party (maybe the FSF, or a new organization dedicated to this kind of validation for OSS products) who can authenticate the original signature as coming from the author and sign it themselves (putting the sealed envelope into another sealed envelope).
I think the evolution of open-source development will take such things into account. If sneaking Trojans into publicly available source becomes more of an issue, then project leaders or coordinators will probably incorporate encryption/authentication or checksums into distributed source or binaries.
The open source development model serves here, too; if a Linux vendor will not take the steps necessary to secure their product, then we have the choice of going to another one (or getting the code ourselves).
Jay (=
Let's first have someone test it for quite a while to save YOUR ass from trojans.
Although, just think if:
1. PGP key can be successfully forged.
2. Trojan will be implemented in a smart way,
not stupid visible: if(!strncmp(date,"Fri, 13",6))
FormatDriveC("bye");
AND in a piece of code which is not as often
reviewed as the TCP stack.
How many of you review low level assembler routines present in Linux? What if byte-codes
were used pretending to be data?
The real trojans will come, be sure.
And this probably will enable some nifty worms.
keep thy eyes open.
For all we know Windows instability could be one big hack put in by a disgruntled employee. :)
-Anonymous Loser
My annoyance is that the hotmail account that the list of compromised machines is being sent to is still active.
I emailed hotmail, asking them to turn it off. See that take three weeks.
- Sam Trenholme
How do you know all those nasty buffer overflows weren't just secret backdoors? :) A lot of them were and are around and were and are being exploited...
There's no reason to put the backdoor in plain sight in the source. And even when found it could just be put down to not programming security consciously instead of direct malevolence.
> How many of you review low level assembler
> routines present in Linux? What if byte-codes
> were used pretending to be data?
Linux/flavours of Unix are written in C, the whole C and nothing but the C. Why do you think C was developed? You must be a young'un.
AndyM
If there is any testing to be done, it is on how you are still alive without a brain.
If MS wanted to make Linux look bad, or try to fsck up OSS there are much better ways of doing it.
Now run away and play with your popsicle sticks until you get a clue.
I haven't confirmed this, but it seems like Rob has put some code in to keep the first few posts from showing up in the order of submitting. I've posted several articles to stories that said something like 1 or 2 comments on the main page and still somehow got the first post. After a while, the other posts would show up (and no, they didn't have lower scores).
--
Jason Eric Pierce
Researching a different topic I came across an interesting CERT advisory regarding loadable kernel modules. One common response to Mettler was that any kernel hack would require recompiling the kernel, and restarting the system. With loadable modules, system restart isn't necessary -- the kernel can be modified in place, as it runs.
In all three instances, confirming source, object, or image against a trusted version would help in detection. Kernel compromise is a frightening prospect as it undermines the trustworthiness of the entire system. Booting a fresh kernel, however, removes the damage (you then have to keep the rogue modules out).
What part of "gestalt" don't you understand?
Well, FreeBSDers check the MD5 every time they use the ports system to install something. What's even better is that since the FreeBSDers all have their own copy of the MD5, simply changing it on the site won't help.
I read the internet for the articles.
I think people found out quite fast, but how the hell did it get there in the first place? :)
/bye
Bram at grmbl dot com
People using html in email should be shot.
An 3l33t hax0r with an IQ about 100 higher than that of the average 3l33t hax0r, of course. Most 3l33t hax0rs I've seen around couldn't write a Hello World program, much less backdoor a tcp wrapper.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
I wasn't talking about intelligent people who crack systems recreationally. I was talking about "3l33t hax0rs," which yes, would imply people who "tYpE L1k3 this." VERY few of them know the first thing about programming.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
First, the change was easy enough to detect - the distribution is signed by Venema's PGP key. If a person downloading the source bothered to check the signature it would have been immediately obvious that something was screwy.
Second, it *was* detected and corrected very rapidly.
All in all, a success story.
- Ken
That is absurd.
- Ken
As far as I'm aware, this is the first incident where some deliberate foul play was detected and handled. Guess those wacky OSS advocates were right. =)
--
rickf@transpect.SPAM-B-GONE.net (remove the SPAM-B-GONE bit)
"People will pay big bucks for the luxury of ignorance."
Now that I find disturbing :-)
Matthew.
The first tripwire in this sort of attack is, as you suggest, signing of packages and sources you upload. As long as a cryptographically strong signature (such as PGP) is used, this is usually enough to assure you that the sources haven't been modified. This will not protect against Trojans inserted by the legitimate authors, though, which is why a second tripwire is needed: source review. I'm not a network security expert, and I'm not really capable of reviewing packages: so I trust the PGP signature (at least for my home computer). But I also know that many sysadmins who run sensitive systems are properly paranoid and will not only check the PGP signature but ALSO scrutinize the source themselves. It's one of those paranoid sysadmins who caught the TCP-Wrapper Trojan, and it's one of those paranoid sysadmins who will catch the next Trojan inserted into Open-Source software.
So the only Open-Source Trojan that will really succeed is one put in place by a conspiracy of EVERY single sysadmin worldwide... I'm not worried.
This message has been brought to you by the Sysadmin Conspiracy: There Is No Sysadmin Conspiracy (tinsc).
-----
The real meaning of the GNU GPL:
"The Source will be with you... Always."
...if it was a setup to show the OSS strength? It seems too easy.
To whom is the email sent?
Who first discovered the trojans?
Was it someone that downloaded the code?
Was it one of the sysadmins scanning the logs?
Answers to some of these questions will tell.
Good judgement comes from experience, and experience comes from bad judgement.
- W. Wriston, former Citibank CEO
I repeat--the TCP Wrappers source attack isn't scary at all.
The hack went in on the 21st. It's now the 22nd, barely.
This is scary? It took one day to detect and handle a security problem? Closed source products can have security issues for years and years before their existence becomes public knowledge. Took them a day.
Indeed, it is only when attacks become "open source" in a sense that they're cured.
Once you pull the pin, Mr. Grenade is no longer your friend.
Who (or what address) was the knucklehead where this came from? I'm thankful for MD5s. May the infinite pings of a thousand sysadmins infest his dialup connection.
when some jackass makes himself look like a fool with a false-first posting :)
But I agree with Effugas: it's not as bad to have such a thing in open source software as in some closed source one; the first one (open) can be handled, for example, by viewing the source or choosing the download site carefully; but protecting ourselves against bugs/viruses/trojans distributed in closed source software is far harder.
hany
If we have a fine crypto system with key exchange, then every piece of software could be signed by author/packager/producer/... and we should be able to authenticate the person and then trust him or download the software from someone else.
Our slogan should be: sign what you produce ... soon :)
(i will
hany
I fully agree with you
hany
There was MD5 sum for this package and there was detached PGP signature.
But how often do you care to check signatures when you are downloading a package? And it seems that anything at all can contain trojans.
Read the nice article by Ken Thompson about a trojan in the C compiler. Have you checked the MD5 sum when you downloaded the GCC binary last time? And as Thompson shows, recompiling GCC from sources with an untrusted compiler doesn't help you.
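The two checks argued over in this thread (the FreeBSD ports point that a checksum you already hold locally cannot be rewritten by whoever owns the mirror, the "second tripwire" post above, and the MD5 sum plus detached PGP signature mentioned here) can be shown side by side in a few lines. The following is an added example written for this page, not code from the thread or from the tcp_wrappers project; the tarball bytes, the file name, and the manifest layout are constructed for illustration, and the PGP signature check (verifying a detached signature against a key obtained out of band) is the other tripwire and is not modelled here.

```python
import hashlib
import hmac

# Constructed sample archives standing in for a source tarball and its
# trojaned replacement. Neither is the real tcp_wrappers distribution.
GOOD_TARBALL = b"tcp_wrappers_7.6: clean sources (constructed sample)\n"
TROJANED_TARBALL = b"tcp_wrappers_7.6: sources plus a connect-back hook (constructed sample)\n"
NAME = "tcp_wrappers_7.6.tar.gz"  # hypothetical file name for the example


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of the archive. The 1999 thread used MD5; MD5 collisions are
    practical today, so a pinned manifest should use SHA-256 or stronger."""
    return hashlib.new(algo, data).hexdigest()


def make_manifest(name: str, data: bytes) -> dict:
    """Record size and digest from a trusted copy *before* fetching from an
    untrusted mirror, the way a ports tree's distinfo ships with the checkout."""
    return {name: {"size": len(data), "sha256": digest(data)}}


def verify_with_local_manifest(name: str, data: bytes, manifest: dict) -> bool:
    """Tripwire that the mirror cannot defeat: the expected digest never
    travelled over the same channel as the tarball."""
    entry = manifest.get(name)
    if entry is None:
        return False  # no pin for this file: refuse rather than silently accept
    if len(data) != entry["size"]:
        return False
    return hmac.compare_digest(digest(data), entry["sha256"])


def verify_with_site_checksum(data: bytes, published_checksum: str) -> bool:
    """The weak check: trusts a checksum that sits beside the tarball on the
    very server the attacker already controls."""
    return hmac.compare_digest(digest(data), published_checksum)


def compromised_mirror_scenario() -> dict:
    """Attacker swaps the tarball and rewrites the site's checksum file too.
    The site-only check still passes; the locally pinned manifest catches it."""
    manifest = make_manifest(NAME, GOOD_TARBALL)   # pinned earlier from a trusted copy
    served_tarball = TROJANED_TARBALL              # what the mirror now serves
    served_checksum = digest(TROJANED_TARBALL)     # attacker updated this as well
    return {
        "site_checksum_accepts_trojan": verify_with_site_checksum(served_tarball, served_checksum),
        "local_manifest_accepts_trojan": verify_with_local_manifest(NAME, served_tarball, manifest),
        "local_manifest_accepts_clean": verify_with_local_manifest(NAME, GOOD_TARBALL, manifest),
    }


if __name__ == "__main__":
    for check, outcome in compromised_mirror_scenario().items():
        print(f"{check}: {outcome}")
```

The point of the scenario function is the first two results: a checksum file fetched from the compromised mirror agrees with the trojaned tarball, so checking it proves nothing, while a digest pinned from a trusted copy (or a detached signature checked against a key you already had) is the tripwire that actually fires.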
That's a fallacious argument, since you can't prove that we have found all backdoors in OSS. The hypothesis is a self-fulfilling one...
My
Dum Da-da Da Dumm!
USA-Democracy is 270 million YESes and NOes a day, not one every four years.
Mr. Grenade doesn't become your friend until after you pull the pin.
$0.02
I'm finding over time it's prudent to let others raid Freshmeat for me and discover security flaws or even bugs before I bother downloading.
While what you say might very well be true, it doesn't say anything about the previous person's statement. Most of the general population are also not skilled programmers.
He (I assume) was saying that cracking does not strongly correlate to programming skills, not that it correlates more or less than some other activity.
Most of the crackers I've talked to are what the BBS world used to call ruggies, or rugrats. About 1-5% of them may, someday, grow up to be skilled programmers. Most people with the knowledge to develop new cracking techniques are also grown up enough not to use it.
Need a Python, C++, Unix, Linux develop
"Let's first have someone test it for quite a while to save YOUR ass from trojans."
This trojan horse was not inserted by the authors of the package. Instead, it was inserted by someone that broke into the ftp site. This would be the same as breaking into MS web site and uploading a patch infected with a trojan horse. Waiting x amount of time has nothing to do with this.
"1. PGP key can be successfully forged."
??? PLEASE...who are you kidding? Do you know anything about cryptography? Forging a PGP sig is so unlikely that it would be more feasible for the offender to physically force you to hand over your private key.
"FormatDriveC("bye");"
Go away troll - Linux/Unix does not use drive letters.
"How many of you review low level assembler routines present in Linux?"
_WHY_ would I do this?? Obviously you are from the MS world of closed source where you do not have access to the source code.
\forall code \in C, \frac{\Delta readability(code)}{\Delta t} < 0
Sure, it's cool that the problem was identified and snuffed in a day or so.
How the hell did it happen to begin with? CERT is always so coy about *that*.
Dropping this into tcpd is like tugging on Superman's cape. Someone is gonna get serious props from the kiddieZ for this one.
--------
Bill Gates Is My Evil Twin.
It probably just put the idea in someone head... :)
Either that, or it's a conspiracy
this space intentionally left blank