More trojan horse issues
Linux Weekly News is reporting more trojan horse activity, this time hitting util-linux.
Looks like someone read that Bruce Perens article.
Assume that win.tue.nl is not safe for the moment.
I have a masquerading demand-dial gateway (FreeBSD running off a floppy) to my ISP. If logging in caused a dial I'd be watching a tcpdump of the traffic instantly,
but if the link was already up
... the mail would go through, but I'd like to see this lamer route to 192.168.X.X
How is this happening? Has the site told how the trojan got in there in the first place? Is it an inside job or did someone crack it?
Here's the address that the trojan would have sent its e-mails to: wlogain@hotmail.com. Feel free to do whatever you want with this fucker. FYI, do not download binaries when you have the sources to eyeball. I always do this. Better safe than sorry.
Yeah, ok, so NT has some DoS attacks that take it down. Big deal. When was the last time you heard of a root compromise for NT, or something like THIS. Your OS code tainted by an outsider. Oooohhh Open Source is SO much more secure. I can tell.
What this says to me is that the attacks on the servers are becoming so difficult now that they have to actually go attacking the software just to get an opening.
Duskglow (not logged in and the darn thing forgot my cookie.) - prism@pacifier.com
Why would anyone want to root a machine that doesn't have reliable remote login?
moron.
And for each one of your 5 or 10 who have a clue, there's another who has a clue and is a black hat who will do things like THIS.
Doesn't RPM support signed rpms? Maybe this is the way to go.
Simple way to eliminate all future trojans:
- - ;)
Add a required md5 field for all new package announcements on freshmeat. Let's say util-linux got announced on FM with its required md5sum. You download it from ftp.win.tue.nl, and know right away it's a trojan by checking with the md5 for that package on FM. No sweat, and it can't be easier than that: "md5sum file.tgz"
No more trojans. Every software announcement site should do that. And then we'd be the most secure OS, no way for anyone to get a trojan without every end user being able to see it, without any C skill or anything.
drow@darkelf.net
-----------------------------------------------
fc7091131ef7e46b0f654454a49023ad (this post's md5 key)
- RF (dfelker@cnu.edu)
Now I feel like a moron. I just downloaded/installed it YESTERDAY. Oh man. Is there another place to get it that is potentially safe? (And this time I'll grep the files for hotmail :)
I knew util-linux 2.9g-trojan sounded like a strange version number.
I thought of something at lunch today. What if the OSS world went to a policy where all OSS production-level software were stored on permanent storage (write-once CD for instance) when posted to common download sites? That way, people who are downloading production-level releases wouldn't run the risk of getting a Trojan horse.
Also, it occurs to me that people responsible for this kind of idiocy might be prosecuted under various property-damage laws. Not so much for "damaging" publicly-distributed code (they have the right to modify it if they choose,) but for "damaging" areas of hard disks that were declared off-limits or read-only to them and therefore do not belong to them.
There's a long-standing view, at least here in America, that "your right to swing your fist stops at the end of my nose." that sort of thing.
And anyway, this is illegal crackery--I hope that someone has told Hotmail about it. If the Scientologists can get penet.fi shut down for some (arguable) copyright violations, Hotmail (Microsoft) might be a bit leery of actual illegal activity using their equipment. Maybe they could track this guy and give him the hose.
How can I check if software is signed if it has the right md5 checksums or whatever..?
Bruce Perens
When this happened with tcp-wrappers I thought about the following:
Why don't we have ftp servers where before you can change things on the server, you have to get a control file with random data, then put it back pgp signed?
This can be made to work with regular old ftp clients. But has anyone done it?
Another point is that this attacker is really stupid. We see this attack. We will have to tighten up, but not many will be compromised.
The attack that I am concerned about is someone slipping in key patches with buffer overflows. None of these obvious holes. Just something that looks like a common mistake which just happens to open up an exploitable hole. Want to bet that the maintainer would catch every hole submitted? Are there no buffer overflows now? Hmmm..
Ben (too lazy to sign in) Tilly
If this happens again (or is it necessary?), what is the chance this could be played by interested (sp?) parties into an attack against Linux?
"Look, we told you you could never trust those OSS flakes! Download OpenSource software and you will compromise your systems!"
Once Fear, Uncertainty and Doubt about the security and "cleanliness" (sp ???) of OSS is seeded in the minds of those who are in power,
Once a perception that OSS is not kosher becomes shared by enough people,
Linux's goose might be cooked.
Now, tell me, who has the most to lose if Linux *really* takes off? Who has the most to gain by leading people to believe that OSS is a security/reliability risk?
Considering this company has modified its GUI to break DR-DOS, that it is working on sabotaging QuickTime (IE/Mac 4.5 apparently installs an obsolete QT extension), that this is the company where it was once said "DOS isn't done until Lotus won't run" (when they had hopes for Multiplan against 1-2-3), I'd say that there is a strong chance M$ is behind this.
I do hope I'm wrong and that this is just one little a**hole's handiwork. Because the prospect of M$ engaging in S/W guerrilla warfare with the OSS community scares the sh*t out of me.
Bruno Majewski
bruno@pubnix.qc.ca
For anyone comparing NT to this:
Latest versions of NetBus can't be detected by any of NT's vaunted virus scanners. NetBus is all over my school's computer labs. NT passwords are a dime a dozen in public computer labs.
This is what I've seen:
NetBus cracker sits in back of lab with NetBus installed on many systems. Waits for prey to log on to a system. He/she is of course getting all keyboard activity from all of the infected systems. NetBus cracker waits for an admin to logon to one of the infected systems. Admin password is then compromised.
Schools and The Media don't seem to care that there is no such thing as a secure NT publicly used network.
I just feel bad for all those people who are having their email read and personal files inspected.
Somebody is using the ECS GmbH network to probe external hosts:
Jan 11 04:55:32 localhost portmap[4783]: connect from 193.134.251.17 to dump (): request from unauthorized host
Sadly, I see quite a few "MS (must/could be/probably is) behind this trojan".
Seriously people, whether you like the products, or the marketing, doesn't change the fact that most people at MS are good natured, smart, and usually kind people. Just 'cause we've got quite a few unethical assholes around in marketing doesn't mean we are all evil people. Has anyone here who claims the first sentence to be true ever met anyone from MS? It might change your perception of the people who work there a bit.
I've worked for MS Research for a few years, and have used Linux since 1992.
I can say for a fact that nobody I've ever met would dream of doing something like this.
Even the MS zealots who are around wouldn't try to do this, because in the big scheme of things, who the hell cares? What do you win? 15 years in a federal prison?
There are quite a few linux users around MS.
There's also quite a few people who contribute to open source projects.
At least at MS research, they could care less about it, too. It's not discouraged at all. We get paid to Research, not run NT.
We've got researchers whose research mainly involves (and involved before coming here) creating netscape plugins on UNIX machines. Nobody even batted an eye at that one. Most of us are atheistic when it comes to OSes, and will use whatever the hell works best for us. Do you think the Windows police come running in with electromagnetic guns threatening to destroy our hard drives if we don't install NT?
Most of you have a seriously screwed up view of how MS works.
On a random subject, since no rant would be complete without a tangent, IMHO it'd be funny if they broke MS up, 'cause nothing would change. There is no communication between product groups as it is. Really. I still can't understand how anything gets developed at all around here, or any sharing occurs (actually, I do know this one. It happens because the idea is to see if you can reuse as much as possible of supposedly working, tested parts from other apps before having to redo it in a new app).
They actually set up internal help lists for most products, because if say someone from the NT5 team emails the Visual C++ team to ask a question, the odds of getting an answer are about the same as Steve Jobs getting his head out of his ass.
Probably worse (if that's possible).
Most people seem to think there is some inter-group communication and collaboration on design or something.
That cracks me up.
If only they knew.
Anyway, that's enough of a rant for now; I'm afraid if I type any more, Win98 will run out of system resources and crash.
(Incidentally, inside MS we bash some of the cruddy shit produced even more than people on slashdot do. It's hard not to make fun of things like shipping a zero bug release by moving 8000 bugs from priority 1 and 2, to priority 3 and 4.)
Mirroring software must check PGP signatures.
Hell, the FTP sites must check PGP sigs.
And the installation software must check PGP sigs.
Bruce Perens is quite right that crypto is the solution.
What part of "gestalt" don't you understand?
Microsoft Encryption
Posted by neuralfraud:
This is just INSANE
What the hell is wrong with people? If the person who did this is reading, HA HA HA.
If only these people could just die.. unfortunately we can't kill people with the flick of a finger.
I'm willing to bet that there's a group of lamers in some leet-o channel laughing about this too.
I'm glad I didn't get the g update.
What's next, personally editing all the source code!?
Posted by Hagbard Celine:
;)
I haven't read every comment in response to the BP Trojan article, so this may have already been mentioned...
A trojan attack against an Open Source codebase could be staged, not only by individuals, but by corporations that perceive OS as a threat to their proprietary interests. You can plug in the name of the corporation of your choice...I'm thinking of one right now...
Hagbard
Hotmail is a huge gateway for this sort of illegal activity, and they don't care, and won't do anything about it. They have been contacted numerous times about the issue but never take any action further than simply removing the account. After which of course the crackers can simply open a new hotmail account. There is one case of crackers obtaining a huge list of ISP phone numbers, usernames and passwords by using a trojan pointing to hotmail. Their account is still active despite all the information being given to them!
Also - I think it's hugely worrying that this is happening to open source software. You sort of expect it from binaries, but with source code you don't expect to have to check it for trojans. This is a sad day...
--
Matt. Want XML + Apache + Stylesheets? Get AxKit.
I don't think it was MS. For one, the trojan itself is pretty benign. As someone pointed out, this looks more like proof of concept, or a warning.
See my response to the "Why just UID and hostname" thread above. This trojan is most definitely NOT benign; it grants anyone a root shell on login.
Hrm... This reminds me - I got an attempted connection from someone at [name withheld].akh-wien.ac.at yesterday shortly after I dialed in (dynamic IP). I wonder if that indicates that that machine was hit by this, or more likely that someone else using JHU's ppp service got bitten.
This definitely falls into my "sonofabitchthissucks" category of news.
Great, I don't even know C... I guess I'm grepping for "hotmail.com" from now on..
I guess it is time to get serious about using signed versions of software, firewalling to watch for strange packets, and checking the outgoing mail and other queues.
Just the excuse I need to spend a Sunday afternoon tightening down my system like Fort Knox.
Still, if it encourages the development of proper signing infrastructure for Linux downloads, it could turn out to be a good thing in the long run. That's little consolation for everyone who installed login in the last few days, though.
fish and pipes
Come on people, you make it too easy for the stupid AC trolls to get you worked up! This is the biggest thread on this article at the moment. They only do it to get a response, and that's exactly what they're getting! Ignore them and they'll evaporate.
fish and pipes
Maybe a problem with cachedot?
Bruce Perens.
Bruce
Bruce Perens.
Check out how Debian handles this - project-wide key files, cross-signing by a trusted "security" key, automatic crypto and MD5 checks on uploads. This is what everyone needs to do.
Bruce
Bruce Perens.
We know how to handle this. Cryptographicaly sign everything, have good cross-signings on your keys, and check the signatures when you download.
A tool to automate signature checks during downloads might be nice.
Bruce Perens
Bruce Perens.
I'm sorry, have there been any actual exploits reported based on either of the past week's trojan horse episodes? Stolen credit cards or trade secrets? Long downtimes?
What counts is not the number of security vulnerabilities listed on security/hacker sites, but the damage done when those vulnerabilities are exploited.
With open source, vulnerabilities are spotted quickly and publicized widely. This reduces the chances of real damage - if system administrators are paying attention.
Linux system administrators (including me) will have to be especially careful in coming months, as Linux begins chomping up market share. Lots of angry, envious twerps will be out there looking to bring about a widely publicized security 'incident' to cast aspersions on the viability of Linux and OSS in general.
-Doug
Is there any way to be able to contact some sort of server somewhere and authenticate a package by using a digital ID somehow?
This opens up a whole big can of worms. We need more/bigger use of digital ID's and signing of documents to verify that people are really who they say they are.
This could take away some of the credibility of OSS if we don't find some way to curtail this.
Imagine if a news source jumped on this and gave these problems the wrong kind of spin?
Ben
I've thought of this as a potential vulnerability for well over a year, since the early Samba attacks came out (and worked against kernel.org, for that matter). I tested them against kernel.org, then promptly reported the bug to them (and it was fixed within a day). But, that begs the question, if an unmotivated, bored attacker could break in and *think* about dropping a trojan horse, a dedicated, malicious attacker could have perhaps edited a code segment in the Linux kernel, or in any piece of the site, and had that change spread VERY quickly. And if it was a kernel-level trojan, it might not have been noticed, even by now. Programs as large as the Linux kernel don't receive comprehensive source reviews often enough to make a judgement on the security of the code.
See, what we need, is a centralized server, that is highly secured, that carries md5sums for all major Linux system software, that can be trusted. Now, this means treating it the same as a really huge kerberos keyserver... if someone DOES compromise it, we're in trouble.
Or, for the conspiracy minded...
How do we know Microsoft wasn't responsible?
--
Title says it all. No basis in fact, but it would be immensely entertaining if it was even remotely true. And think what that would do to the DoJ's case...
Which brings up an interesting point. Is it necessarily illegal to put trojan horses into a public open-source project? All of this stuff is 'Use at your own risk' anyway...
..all these 25000 MS developers are busy with...
<^>_<(ô ô)>_<^>
..who have not got a clue, what security is about...
<^>_<(ô ô)>_<^>
I was sort of afraid of this... I think we'll probably be seeing a lot more of this kind of security hazard. The more advanced things get software-wise, the harder this stuff will be to contain.
- Slarty
Hi... I'm Larry... the shivering chipmunk... brrrrr!... I'm cold... I need a sweater...
The account for wlogain@hotmail.com still exists, something I've just confirmed with the help of my own hotmail account ;-)
Someone could do this: set up a Linux box w/o hard disk to boot over NFS off another machine. Then apply your patch and login to the machine. Eventually the rogue may (or may not) attempt to log into this machine, but that doesn't matter, 'cos it's got no hard disk and no one trusts it anyway. But he's on your spare machine and bingo, you have his IP address. Then harass the ISP enough and you have the culprit's real name and address in no time. Alternatively if you're not so good-natured you could try every possible attack on the machine. Gosh, this sounds all too easy.
MD5 produces a string which is characteristic of the file that produced it, and quite hard to fake. However, if the crook can give you the file and the MD5 string, all you will see is a correct match when you try to reproduce that MD5 string. Security usually comes from a two stage process - you get a public key from the author in a way you feel comfortable with (e.g. direct from the RedHat site - i.e. from a name and place you know and trust). Then whenever you find a package from that supplier, whichever mirror or other source it comes from, you can check it using the key you got in advance. One of the nice things about RPMs is they let you make this check a no-brain use of a simple command line operation.
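The two-stage check described in the post above (and the Debian-style signing Bruce Perens recommends earlier in the thread), as an added example that is not part of the original discussion: an attacker who controls the mirror can replace the tarball and recompute the md5 file beside it, so the checksum still matches, but a detached signature checked against a public key fetched in advance fails. Lamport one-time signatures (hash-based, standard library only) stand in for PGP signatures here, and the tarball contents are constructed sample data.

```python
"""Checksum from the same source vs. signature against a pre-obtained key.

Lamport one-time signatures stand in for PGP; the tarball bytes below are
constructed sample data, not real util-linux releases.
"""
import hashlib
import secrets


def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def lamport_keygen():
    # Private key: 256 pairs of random secrets. Public key: their hashes.
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(H(a), H(b)) for a, b in priv]
    return priv, pub


def bits(digest: bytes):
    # Bits of a 32-byte digest, most significant bit first.
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(priv, data: bytes):
    # Reveal one secret per bit of SHA-256(data). One-time: never reuse priv.
    return [priv[i][bit] for i, bit in enumerate(bits(H(data)))]


def lamport_verify(pub, data: bytes, sig) -> bool:
    # Each revealed secret must hash to the pinned public-key half for that bit.
    return len(sig) == 256 and all(
        H(s) == pub[i][bit] for i, (s, bit) in enumerate(zip(sig, bits(H(data))))
    )


def md5_matches(data: bytes, published_md5: str) -> bool:
    return hashlib.md5(data).hexdigest() == published_md5


GENUINE = b"util-linux-2.9g.tar.gz: genuine contents (constructed sample)"
TROJANED = b"util-linux-2.9g.tar.gz: backdoored login (constructed sample)"


def scenario():
    """Returns ((md5_ok, sig_ok) for the honest mirror, same for the tampered one)."""
    # Stage 1, out of band: the user fetches the maintainer's public key from a
    # trusted place and pins it before ever visiting a mirror.
    priv, pinned_pub = lamport_keygen()
    # Maintainer publishes tarball, md5 file and detached signature on the mirror.
    mirror = {
        "tarball": GENUINE,
        "md5": hashlib.md5(GENUINE).hexdigest(),
        "sig": lamport_sign(priv, GENUINE),
    }
    honest = (md5_matches(mirror["tarball"], mirror["md5"]),
              lamport_verify(pinned_pub, mirror["tarball"], mirror["sig"]))
    # Attacker controlling the mirror swaps the tarball AND rewrites the md5 file.
    # Without priv there is no way to produce a matching signature.
    mirror["tarball"] = TROJANED
    mirror["md5"] = hashlib.md5(TROJANED).hexdigest()
    tampered = (md5_matches(mirror["tarball"], mirror["md5"]),
                lamport_verify(pinned_pub, mirror["tarball"], mirror["sig"]))
    return honest, tampered
```

The md5 from an independent announcement site (the freshmeat idea earlier in the thread) catches the swap only as long as the attacker cannot also edit that site; the pinned key does not share that dependency.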
"Programs as large as the Linux kernel don't receive comprehensive source reviews often enough"
Well I must admit that I don't read the full kernel source when there's a new version, but at least I read every single patch file and I've read all of them since early '92. Lately I've stopped reading most of the new m68k stuff etc., concentrating instead on the platforms I use. So at least it isn't so easy to place any trojan in the patches.
I know that many many other people also read all the patches, and there sure are a lot of people looking everywhere in the kernel whenever there's a new version.
hotmail is owned by microsoft and that about tells you what to expect....
nuf said....
This really has little to do with the OS. It's just an application to download that was compromised with a trojan on one server. This is the equivalent of someone hacking and distributing a copy of WinZip for Windows that would do something similar. The only difference is that with open source, the trojan is caught fairly quickly by people who go over the source. In Windows, you never know exactly what you're running... like BackOrifice.
He said, "You'll be able to tell your grandchildren that you helped assemble the first NT supercomputer," and I cringed.
A unix doesn't HAVE to have remote login. You can shut off all remote access except http, if you want. That's what makes unix unix: virtually unlimited choices of what you want. I'd be interested in finding out if an NT web server is more secure than a unix-based web server with all remote logins turned off.
As for inexperienced sysadmins... well, if you use linux, I'd think that with the money saved you could get yourself a more experienced sysadmin, which would be better in the long-run anyway. As you said, NT looks pretty good "on the surface".
He said, "You'll be able to tell your grandchildren that you helped assemble the first NT supercomputer," and I cringed.
I've been gathering the files to 'test drive' the new kernel, following the recommended links in http://www.linuxhq.com/change21.html This afternoon I saw the warnings at the trojaned site while I was browsing for tarballs.
It is unfortunately easy to simply click and download the files when you come from a reference page (for example, linuxhq), without getting a chance to verify the files. Luckily the links are a bit stale..