
Trojan Found in libpcap and tcpdump

msolnik writes "Members of The Houston Linux Users Group discovered that the newest sources of libpcap and tcpdump available from tcpdump.org were contaminated with trojan code. HLUG has notified the maintainers of tcpdump.org. See our reports here or here."
This discussion has been archived. No new comments can be posted.

  • by Rotten ( 8785 ) on Wednesday November 13, 2002 @09:31AM (#4658426) Journal
    And if I'm not mistaken, this happened before. Of course this is one of the biggest strengths of the Open Source Model.
    Code is constantly audited, checked and corrected. If your closed source software has backdoors or trojans...well....who knows, but with Open Source it is easily detected.

  • This is dreadful (Score:-1, Insightful)

    by The_Jazzman ( 45650 ) on Wednesday November 13, 2002 @09:31AM (#4658433)
    I run a successful London-based dot com (yes, they do exist :) and we've been having to run around like headless chickens all day because of this.

    Is it really too much trouble to do an MD4?

    It's the one problem with the open-source community - there's no-one to pay me to pay my staff for the lost man-hours caused by this.
  • MD5 checksums (Score:4, Insightful)

    by Zayin ( 91850 ) on Wednesday November 13, 2002 @09:35AM (#4658464)
    Use them.
  • by Anonymous Coward on Wednesday November 13, 2002 @09:35AM (#4658475)
    "It's the one problem with the open-source community - there's no-one to pay me to pay my staff for the lost man-hours caused by this. "

    Doesn't the money come from the money you've saved by not having to pay for any software? What did your business plan mention about this? Just a blank page, right? Try it out and see what happens? Well, it's your money!
  • by Anonymous Coward on Wednesday November 13, 2002 @09:37AM (#4658491)
    there's no-one to pay me to pay my staff for the lost man-hours caused by this.
    But then again, you had to pay no-one for the man hours you saved by using the open-source code.
  • Re:MD5 checksums (Score:5, Insightful)

    by diamondc ( 241058 ) <[moc.oohay] [ta] [mfleirbag]> on Wednesday November 13, 2002 @09:41AM (#4658521) Homepage
    If someone breaks into an ftp server, they might as well replace the md5 signatures, too. A better solution would be signing the sources with a gpg key.
  • One too many? (Score:4, Insightful)

    by simpleguy ( 5686 ) on Wednesday November 13, 2002 @09:42AM (#4658522) Homepage
    Isn't this one too many?

    There was dsniff, BitchX, OpenSSH etc. and today tcpdump and libpcap?

    Does anyone else think that someone has found a security hole in a popular unix daemon and is having some fun with it before notifying the authors? Or maybe there is a *VERY NASTY* exploit circulating privately?

    At least that's what I think.
  • by jimand ( 517224 ) on Wednesday November 13, 2002 @09:44AM (#4658539)
    there's no-one to pay me to pay my staff for the lost man-hours caused by this

    Did Microsoft pay you for lost man-hours when your staff battled Nimda or Code Red? Didn't think so.
  • Re:prison (Score:2, Insightful)

    by outofpaper ( 189404 ) on Wednesday November 13, 2002 @09:50AM (#4658584) Journal
    While it is true that:

    our current legal environment is that it appears to not matter much the ill intent of authors of such malevolent code


    It is also true that only because this is an open source project was such code found. People seem to forget that there is no really efficient way of checking closed software for security holes. On top of that, companies are more than likely to place back doors in programs as actual features that are not mentioned in documentation, or only glazed over. My example for this was in a business program that I work with, which had the option for you to enter a code into one of the text fields if you set the computer's date to a specific date, and then you would be able to edit all records, thus bypassing the simple code that it uses. I found out about the feature when there was a problem with some of the records, and since the files are encoded I wasn't going to search through them in any easy way, so I contacted the program's distributor and they told me of this feature. Just think how many other progs out there have stuff like that.
  • by Anonymous Coward on Wednesday November 13, 2002 @09:52AM (#4658607)
    "Good" being the operative keyword.

    It would be best not to download the author's public key from the same place you get the source, or else you might as well be fucked. "Gee! It checks out alright, it must have come from my vendor!" Not necessarily.
  • by astrashe ( 7452 ) on Wednesday November 13, 2002 @09:53AM (#4658610) Journal
    The good blackhats have lots of compromised machines at their disposal, and are generally way too clever to leave such an obvious clue behind.

    It's possible that this guy has something to do with it, but it's more likely that his machine is owned by the same person who managed to put the trojan out there.

  • Re:One too many? (Score:5, Insightful)

    by LostCluster ( 625375 ) on Wednesday November 13, 2002 @09:55AM (#4658622)
    As Linux becomes more popular, the dumber system admins who never patched their Windows systems now have Linux systems. All it takes is a small handful of people to not know there is a wide-open back door, or worse yet know but be too lazy to take the corrective action, and there's enough zombies to cause headaches.
  • by Rotten ( 8785 ) on Wednesday November 13, 2002 @09:55AM (#4658628) Journal
    Of course you have never dissected a rootkited server. Nobody trusts the date stamps, not even my grandmother does.

    Have you ever changed the date of a file? It's quite easy.
  • Re:Seems (Score:5, Insightful)

    by paranoos ( 612285 ) on Wednesday November 13, 2002 @10:01AM (#4658664)
    If some malicious coder could upload manipulated software, do you not think they could also spoof the MD5 sum also? From what I've seen, the checksum is usually just stored in a text file in the same directory.
  • by Rotten ( 8785 ) on Wednesday November 13, 2002 @10:01AM (#4658669) Journal
    Please, I just replied to two other "MAYBE" posts. Talk about facts:

    The same that applies to somebody breaking into an open source code repository applies to a closed source repository.

    If the trojaned code is inserted after the auditing and goes into a production/distribution state, then the consumer/user has NO WAY to detect the problem.

    You are talking about the same Microsoft that wants to take to court independent researchers that detect security flaws in MS products?

    Or the same Microsoft that hides security problems on their products?

    And...Have you ever used CVS?

  • by gowen ( 141411 ) <gwowen@gmail.com> on Wednesday November 13, 2002 @10:02AM (#4658674) Homepage Journal
    I run a successful London-based dot com
    Wow. And just minutes ago you were a successful lawyer. [slashdot.org] I'm so jealous.
  • Re:Seems (Score:2, Insightful)

    by fitten ( 521191 ) on Wednesday November 13, 2002 @10:02AM (#4658677)
    md5sum doesn't guarantee anything other than saying that the version you downloaded was the one that the author/host put out there for you to download (and not someone else's). If the author/host put a trojan in it, the md5sum will be for the trojan'd software.

    In the end, it still comes down to whether or not you (can) trust the author/host.
  • Uncommented trojan (Score:5, Insightful)

    by magi ( 91730 ) on Wednesday November 13, 2002 @10:10AM (#4658733) Homepage Journal
    The trojan code [151.164.128.17] seems somewhat complex and unreadable at first glance. The variable names don't express much of the semantics. It doesn't even have any comments. No wonder no one notices if this kind of stuff is written into code. And this is very clear code.

    Even (or especially) free software developers should use more descriptive variable names and comment their code well. It makes the code much more readable for analysis, both for security and for quality reviews.

    Well, ok, crackers probably want to obfuscate their code with /* Here's stuff for the trojan. */, but if all code is well documented, it's generally easier to understand and intentional obfuscation might be easier to spot.

    I'd recommend the rule: "One comment per statement, except when really unnecessary." Many people think it's silly, but those people haven't had to read a lot of other people's code.

    Hmm, I wonder why they used port 1963...author's birth year? Nah, that would be too old for a typical cracker.
  • by Hostile17 ( 415334 ) on Wednesday November 13, 2002 @10:12AM (#4658755) Journal

    "It's the one problem with the open-source community - there's no-one to pay me to pay my staff for the lost man-hours caused by this. "

    And this is different from Closed Source how?

    Doesn't the money come from the money you've saved by not having to pay for any software? What did your business plan mention about this? Just a blank page, right? Try it out and see what happens? Well, it's your money!

    Same place it will come from if you use Closed Source software, using Open Source products does not mean zero cost IT, it means lower cost IT. If your company did plan for these things, then it will make no difference what products you are using.

  • by aphor ( 99965 ) on Wednesday November 13, 2002 @10:18AM (#4658810) Journal

    The reason this is a problem is that nebulous shrug of an answer to the question "Who are you trusting to provide this code which you execute?" It could be an anonymous PGP/GPG key, but to violate people's trust would mean that trusted token is no longer trusted, and thus it would identify the other risks out there.

    Imagine the tcpdump distributions were signed by an anonymous key. We could look over the code, and decide to trust that key. Later, people would be able to tacitly trust that key to sign tcpdump tarballs. One day, the tcpdump code will fail to match the signature: it will be caught before being executed, and the trojan will be discovered quickly. Later, another trojan will appear, but the signature will match. A few people will be bit, but the key will be exposed and others will be able to quickly identify their risk.

    At the VERY LEAST, use MD5 sums on the files like FreeBSD ports!

  • by taviso ( 566920 ) on Wednesday November 13, 2002 @10:21AM (#4658844) Homepage
    I think the worst thing is that the server the trojan connects to is still operating:

    $ nc -vvv 212.146.0.34 1963
    mars.raketti.net [212.146.0.34] 1963 (?) open
    M sent 0, rcvd 1

    The program connects to 212.146.0.34 (mars.raketti.net) on port 1963 and reads one of three one-byte status codes:

    A - program exits
    D - forks and spawns a shell and does the needed file descriptor manipulation to redirect it to the existing connection to 212.146.0.34.
    M - closes connection, sleeps 3600 seconds, and then reconnects

    Maybe someone should contact the machine administrator before more people get owned.
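To show how the behaviour described in the post above translates into detection, here is an added example (not code from the post, the thread or tcpdump.org) that scans a constructed flow log for TCP connections to the quoted address and port, and more generally for hosts that reconnect to port 1963 on an hourly cycle, which is what the 'M' code produces. The log layout and every address except 212.146.0.34 are constructed.

```python
from collections import defaultdict
from datetime import datetime

C2_ADDR = "212.146.0.34"   # address quoted in the post above
C2_PORT = 1963             # port quoted in the post above
BEACON_PERIOD = 3600       # the 'M' code sleeps 3600 s before reconnecting
TOLERANCE = 120            # seconds of jitter allowed around that period

# Constructed sample flow log (timestamp src dst dport proto); not real data.
SAMPLE_LOG = """\
2002-11-13T02:00:05 10.0.0.7 212.146.0.34 1963 tcp
2002-11-13T02:14:00 10.0.0.7 10.0.0.2 22 tcp
2002-11-13T03:00:07 10.0.0.7 212.146.0.34 1963 tcp
2002-11-13T03:30:00 10.0.0.9 192.0.2.10 80 tcp
2002-11-13T04:00:04 10.0.0.7 212.146.0.34 1963 tcp
2002-11-13T04:10:00 10.0.0.9 198.51.100.5 1963 tcp
2002-11-13T05:10:03 10.0.0.9 198.51.100.5 1963 tcp
2002-11-13T06:09:58 10.0.0.9 198.51.100.5 1963 tcp
2002-11-13T06:20:00 10.0.0.11 198.51.100.5 1963 tcp
"""


def parse_log(text):
    """Parse the constructed flow-log layout into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return records


def known_c2_hits(records):
    """Direct indicator match: any TCP flow to the address and port named above."""
    return [r for r in records
            if r[2] == C2_ADDR and r[3] == C2_PORT and r[4] == "tcp"]


def hourly_beacons(records, port=C2_PORT, min_hits=3):
    """Behavioural match: (src, dst) pairs that reconnect to `port` at
    roughly BEACON_PERIOD intervals, whatever the destination address.
    Returns {(src, dst): number of hourly gaps observed}."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, proto in records:
        if dport == port and proto == "tcp":
            by_pair[(src, dst)].append(ts)
    suspects = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = [g for g in gaps if abs(g - BEACON_PERIOD) <= TOLERANCE]
        if len(periodic) + 1 >= min_hits:
            suspects[pair] = len(periodic)
    return suspects


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in known_c2_hits(recs):
        print("indicator hit:", r)
    for pair, n in hourly_beacons(recs).items():
        print("hourly beacon:", pair, n, "intervals")
```

Since the patched libpcap quietly drops packets for the remote site (the gencode.c diff other posters mention), collect these flow records on a router or on a sensor built from known-good sources rather than with tcpdump on the host in question.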
  • How is this fair? (Score:5, Insightful)

    by kiwimate ( 458274 ) on Wednesday November 13, 2002 @10:27AM (#4658886) Journal
    This apparently misleading (albeit well-intentioned) comment gets modded +4 interesting, meaning that almost everyone will see this poor guy's name.

    All the replying posts pointing out that it's a phone company/ISP and it's almost certainly nothing to do with this chap are at 2 or below, meaning that many people won't see them and this individual's name is now besmirched.

    And, by the way, this happens all the bl**dy time on /. An early poster makes assumptions and gets modded way the hell up, then all the rebuttals pointing out he's talking out of an unreliable orifice wallow in the low point range.

    Yeah, I know it's off-topic. Just wanted to rant about something that irritates me. Return to your normally-scheduled bits and pieces.
  • Re:Seems (Score:1, Insightful)

    by Branc0 ( 580914 ) on Wednesday November 13, 2002 @10:29AM (#4658903) Homepage Journal
    You are seeing bad sites :)

    Normally an md5 checksum is stored on a different server... or at least it should be.

  • by frozenray ( 308282 ) on Wednesday November 13, 2002 @10:45AM (#4659027)
    irssi [irssi.org]
    fragroute, dsniff, fragrouter [securityfocus.com]
    BitchX [slashdot.org]

    This message [immunitysec.com] says Recently there have been a spate of well publicized attacks against what I would consider to be the backbone of the open source movement - its source code distribution system. Hackers have been penetrating people who download, say, OpenSSH and then compile it to use on their systems by trojaning OpenSSH itself. This strikes at the very HEART of Open Source by making the act of installing the software a weakness. Because Open Source has no one distribution point, there are many places for someone to verify if they want to install software securely. Because there are no vendors, the sites people download software from are usually not provided with a dedicated security staff.

    This is serious, guys and gals. Use the source, Luke - but what if I can't trust the source any more? Open Source has to find a method to get around this problem; see this post [google.com].

  • by jonabbey ( 2498 ) <jonabbey@ganymeta.org> on Wednesday November 13, 2002 @10:47AM (#4659039) Homepage

    And for god's sake, keep your private signing key encrypted in your gpg keyring, or offline.

  • by arkanes ( 521690 ) <arkanes@NoSPam.gmail.com> on Wednesday November 13, 2002 @10:49AM (#4659059) Homepage
    Okay, I've been confused about this MD5 thing. Most often, the MD5s are either in a file in the ftproot, or in the readme. If you've owned the server enough to stick a trojan in the source code, can't you just put in the MD5s of your altered source? I thought the main reason for checksums was to check for corrupt/missing data after the download, which was way more important in the noisy line modem days.
  • Sigh (Score:2, Insightful)

    by Anonymous Coward on Wednesday November 13, 2002 @10:53AM (#4659093)
    Note that THE DATE ON THE FILE DOESN'T MATTER. It was trojaned last night, not last year.

    The fact that someone so ineptly trojaned the source, not even bothering to generate a new md5sum, suggests that it's someone out to make it obvious looking. Someone who has a reason to discredit open source. Someone like a former script kiddie employed by Microsoft...

    Never mind that Russian crackers were wandering round MS servers for MONTHS back in 2000...

  • by OrangeSpyderMan ( 589635 ) on Wednesday November 13, 2002 @10:57AM (#4659122)
    You don't seem that confused to me! :-) Your point is entirely valid: if the checksum is on the compromised FTP server, it's not going to be much help. If it's on a separate webserver, there's a chance it'll be valid, but using a checksum, while being a quick and reasonably simple way of checking such downloads, should never be taken as a guarantee. The only thing they will guarantee is that the copy you have on your hd is the same as the copy that's on the server. Only if you can trust the source of the checksum are they useful in such circumstances, otherwise take them with a pinch of salt.
  • by harlows_monkeys ( 106428 ) on Wednesday November 13, 2002 @11:13AM (#4659279) Homepage
    The funny thing about the paranoids who build from source is that, unless they actually look at the source, it doesn't gain them anything. There are three ways to build from source.

    1. Just grab the source and build it. This is no better than grabbing a binary and running it, as far as security goes.

    2. Grab the source, check the MD5 sum, and then build it. This is no better than grabbing the binary, checking the binary's MD5 sum, and then running it.

    3. Grab the source, diff it against the previous source you were running, and at least glance at the diffs to see if anything looks suspicious. This is the only way that using source gives you more security than using the binary.

    People using source for security who are in category 1 or 2 are just fooling themselves.

  • www.tcpdump.org (Score:3, Insightful)

    by kludge99 ( 196947 ) on Wednesday November 13, 2002 @11:19AM (#4659347)
    Interesting that there is no mention of this on the tcpdump.org website, one would think they would at least post something about it.
  • by harlows_monkeys ( 106428 ) on Wednesday November 13, 2002 @11:20AM (#4659360) Homepage
    Correct.

    The right way to do things is for the person who makes the release package (e.g., the tarball, or the rpm, or whatever) to digitally sign it. They should do the signing on a machine other than the web server or FTP server. Ideally, they do the signing on their development machine, which is safely tucked away on a network that crackers can't get to.

  • by dark_panda ( 177006 ) on Wednesday November 13, 2002 @11:26AM (#4659441)
    One thing that would be useful would be for the author to either GPG/PGP sign the file with the MD5 sums with a trusted signature or sign the actual source/binary tarballs themselves. A lot of Linux vendors seem to be doing this recently.

    J
  • by zen parse ( 607603 ) on Wednesday November 13, 2002 @11:31AM (#4659498)
    If you read the script properly, you'll see it does trojan the binaries built from it. "The (relevant) gencode.c diff:" part shows how it filters out the port used by the trojan.
  • by Bruce Perens ( 3872 ) <bruce@perens.com> on Wednesday November 13, 2002 @11:41AM (#4659604) Homepage Journal
    In handling the press and public perception for this, it's important that we make the point that binary programs are trojaned all of the time. In fact, most viruses have as their sole purpose the modification of binaries to insert a trojan copy of the virus into the binary, and to execute the virus payload. Much proprietary software has been distributed in infected state.

    The difference is that with Open Source you have an additional means of detecting the corruption - not only by its effects (as with the binary), but by reading the source.

    Bruce

  • by Bruce Perens ( 3872 ) <bruce@perens.com> on Wednesday November 13, 2002 @11:43AM (#4659630) Homepage Journal
    Also, we need to get better about signing our archives and heeding the signatures. C'mon folks! I wrote about this in the old linuxworld.com webzine in 1996!

    Bruce

  • by legoboy ( 39651 ) on Wednesday November 13, 2002 @12:01PM (#4659894)
    You don't need the source to trojan something. In fact, most trojans are simply virus-infected binaries. The entire purpose of most viruses is to trojan binary programs with another copy of the virus.

    How quickly the world forgets how things like the original Back Orifice were distributed... Too funny to read 'This couldn't happen with closed source!'

  • by mosch ( 204 ) on Wednesday November 13, 2002 @12:36PM (#4660265) Homepage
    hell, you can change the date from the command line... just use touch (it takes an optional timestamp)
  • by dr.Flake ( 601029 ) on Wednesday November 13, 2002 @12:45PM (#4660377)

    Maybe somebody has already posted this idea as a project on sourceforge..

    There have been too many of these incidents lately, and it's giving OSS a bad odor. We must be careful. Telling the rest of the world closed binaries are infected often as well does not help. The damage is already done.

    This is my idea to prevent most of these jokers' tricks.

    Instead of placing the checksums next to the source on the same server we need to place them somewhere safe. A number of centralized servers with a sole purpose to serve these sums, in several locations, on preferably different operating systems. This combined with the use of e.g. PGP.

    All distros, for those who have not already, must apply a simple program à la portage and apt that checks against multiple PGP-key servers before the build commences.

    Now, how to make sure the admin of the project is the one signing the source on his machine...
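A worked version of the cross-checking the post above proposes, as an added example (not code from the thread, from tcpdump.org or from any distribution): it parses both the GNU md5sum layout and the BSD distinfo layout mentioned earlier in the thread, then refuses a download unless every checksum source agrees with it. The tarball name and bytes are constructed stand-ins.

```python
import hashlib
import re

# Two real checksum-file layouts: GNU md5sum/sha256sum output
# ("<hex>  <file>") and the BSD/FreeBSD distinfo style ("MD5 (<file>) = <hex>").
_GNU = re.compile(r"^([0-9a-f]{32,128})\s+\*?(\S+)$")
_BSD = re.compile(r"^(MD5|SHA256)\s+\((\S+)\)\s*=\s*([0-9a-f]{32,64})$")


def parse_sums(text):
    """Map filename -> {algorithm: hexdigest}, accepting either layout."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        m = _BSD.match(line)
        if m:
            algo, name, digest = m.group(1).lower(), m.group(2), m.group(3)
        else:
            m = _GNU.match(line)
            if not m:
                continue
            digest, name = m.group(1), m.group(2)
            algo = {32: "md5", 64: "sha256"}.get(len(digest))
            if algo is None:
                continue
        sums.setdefault(name, {})[algo] = digest
    return sums


def verify(name, data, published):
    """published maps a source label to that source's checksum-file text.
    A source vouches for the download only if every digest it lists for
    `name` matches; accept only when every source vouches.  A source that
    does not list the file at all is recorded as None and blocks acceptance."""
    per_source = {}
    for label, text in published.items():
        entry = parse_sums(text).get(name)
        if not entry:
            per_source[label] = None
            continue
        per_source[label] = all(hashlib.new(algo, data).hexdigest() == digest
                                for algo, digest in entry.items())
    accept = bool(per_source) and all(v is True for v in per_source.values())
    return {"per_source": per_source, "accept": accept}


# Constructed stand-ins for the clean tarball and the replaced one.
NAME = "tcpdump-release.tar.gz"
CLEAN = b"constructed stand-in for the clean release tarball\n"
TROJANED = CLEAN + b"constructed stand-in for the injected connect-back code\n"


def gnu_file(data):
    return f"{hashlib.md5(data).hexdigest()}  {NAME}\n"


def distinfo_file(data):
    return (f"MD5 ({NAME}) = {hashlib.md5(data).hexdigest()}\n"
            f"SHA256 ({NAME}) = {hashlib.sha256(data).hexdigest()}\n")


def scenario():
    """Intruder replaced the tarball and its md5 file on the download server."""
    # Same-server check: the replaced md5 file matches the replaced tarball.
    same_server = verify(NAME, TROJANED, {"download server": gnu_file(TROJANED)})
    # Cross-check against a distinfo kept on an independent host: disagreement.
    cross = verify(NAME, TROJANED, {"download server": gnu_file(TROJANED),
                                   "independent host": distinfo_file(CLEAN)})
    # The genuine tarball passes both.
    clean = verify(NAME, CLEAN, {"download server": gnu_file(CLEAN),
                                 "independent host": distinfo_file(CLEAN)})
    return same_server["accept"], cross["accept"], clean["accept"]
```

A checksum cross-check only raises the bar to compromising every source at once; the signed-release approach other posters describe, with the signing key fetched from somewhere other than the download site, is the stronger control.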
  • by dvdeug ( 5033 ) <dvdeug&email,ro> on Wednesday November 13, 2002 @07:15PM (#4664305)
    A case which does not substantiate that the flaw had anything to do with the nature of "closed source" software

    Within a few months of the code being open sourced, the back door was found. It stayed in closed source code for six years. Whether or not Borland could have done things to find it is irrelevant - they didn't and I bet many other vendors work the same way.

    it was a rumour.

    I guess it's easier to accuse me of spreading rumors than to enter "Borland database backdoor" into google and get stuff like a ZDNet article detailing the history of the bug [com.com] or the CERT vulnerability note. [cert.org]

    WarGames was one of the most accurate theatrical portrayals of hacking ever.

    I'm not sure whether to mod this +5 Funny or -1 Clueless. I really hope you were joking.

    Why? He didn't fly through a 3d-cyberspace, nor did he jump through 5 layers of military-grade security in a couple minutes. He didn't have access to anything and everything controlled by computer.

    He snagged the password to the teacher's computer off a Post-it note, and dug up information on the programmer of WOPR to take guesses at what the password might be, both of which are real hacking tools. He used hardware that existed and that he could realistically own. He wardialed, a habit of real hackers. I can't think of any other movie that comes close.

    There are minor plot-necessary exaggerations -- no, WOPR wouldn't have an outside line to it, and yes, the cops would have been at the door long before he got in -- but they don't mar the fact that it was fundamentally right.
  • by Jetson ( 176002 ) on Wednesday November 13, 2002 @08:16PM (#4664756) Homepage
    This apparently misleading (albeit well-intentioned) comment gets modded +4 interesting, meaning that almost everyone will see this poor guy's name.

    All the replying posts pointing out that it's a phone company/ISP and it's almost certainly nothing to do with this chap are at 2 or below, meaning that many people won't see them and this individual's name is now besmirched.

    The sad part of this is the fact that we (people who have moderator points to give away) can't really fix the problem even after we're told about it. I could go back and mod down the misleading post, but then some metamoderator would see that I modded down what appears at face value to be an "interesting" post and I would be the one who was bitch-slapped for abusing my moderator points. All we can really do is mod up the replies, making the whole thread +5 in order to dilute the bad moderation.

  • by Tomble ( 579119 ) <tomble.usermail@com> on Wednesday November 13, 2002 @10:54PM (#4665569) Homepage Journal
    however, the md5sums would catch it (the md5sums in Gentoo are of the non-trojaned version, luckily)
    Seeing the fact that the modifications to the source helped to obscure the trojan by making the pcap library quietly ignore packets associated with the remote site, reminded me of the paranoia I tend to feel over security, and the mechanisms we use for it.

    Such as, what if a cracker got into my machine and set up (amongst other things) a patched version of md5sum, that knew which files had been altered, and what their original md5sums were, so I couldn't rely on that for my security? This paranoia went as far as worrying about whether it would be possible for someone to alter gcc, such that not only would it add malware functions to anything I compiled, but also to work out when it was being used to compile a compiler, and install this same such functionality into that. I spent ages trying to convince myself that that would be far too complex to do, maybe even impossible * , but at the same time tried to work out ways to bootstrap a C compiler that I could believe was indeed utterly trojan-free.

    <sigh> I expect there's a word for that, and I'm sure it's not one I want to hear :P

    * -I'm sure that it could be made to use certain cues, such as filenames, etc, to decide that it was compiling part of a specific compiler, such as another copy of gcc, and only do the modification on that. But I'm sure you can't write an algorithm to detect that a piece of code constitutes a compiler, let alone part of one (because of course, gcc only works on one source file at a time, not whole projects).
