More trojan horse issues

Linux Weekly News is reporting more trojan horse activity, this time hitting util-linux. Looks like someone read that Bruce Perens Article. Assume that win.tue.nl is not safe for the moment.
  • by Anonymous Coward
    In login.c, why not make a grab at the plaintext password, too? Why just the host name and numeric user ID? Something's fishy.

    And anyway, this is illegal crackery--I hope that someone has told Hotmail about it. If the Scientologists can get penet.fi shut down for some (arguable) copyright violations, Hotmail (Microsoft) might be a bit leery of actual illegal activity using their equipment. Maybe they could track this guy and give him the hose.

  • by Anonymous Coward
    How can I check if software is signed if it has the right md5 checksums or whatever..?
  • Hm. Speaking of security bugs... I clicked "reply" and Matts' login came up. The symptom is that I am logged in from Ricochet (radio modem) using a dynamic IP address. My laptop is claiming to be bruce-laptop.hams.com, but there is no valid DNS for that at the moment.

    Bruce Perens

  • by Anonymous Coward
    When this happened with tcp-wrappers I thought about the following:
    Why don't we have ftp servers where before you can change things on the server, you have to get a control file with random data, then put it back pgp signed?

    This can be made to work with regular old ftp clients. But has anyone done it?

    Another point is that this attacker is really stupid. We see this attack. We will have to tighten up, but not many will be compromised.

    The attack that I am concerned about is someone slipping in key patches with buffer overflows. None of these obvious holes. Just something that looks like a common mistake which just happens to open up an exploitable hole. Want to bet that the maintainer would catch every hole submitted? Are there no buffer overflows now? Hmmm..

    Ben (too lazy to sign in) Tilly
  • If this happens again (or is it necessary?), what is the chance this could be played by interested (sp?) parties into an attack against Linux?

    "Look, we told you you could never trust those OSS flakes! Download OpenSource software and you will compromise your systems!"

    Once Fear, Uncertainty and Doubt about the security and "cleanliness" (sp ???) of OSS is seeded in the minds of those who are in power,

    Once a perception that OSS is not kosher becomes shared by enough people,

    Linux's goose might be cooked.

    Now, tell me, who has the most to lose if Linux *really* takes off? Who has the most to gain by leading people to believe that OSS is a security/reliability risk?

    Considering this company has modified its GUI to break DR-DOS, that it is working on sabotaging QuickTime (IE/Mac 4.5 apparently installs an obsolete QT extension), that this is the company where it was once said "DOS isn't done until Lotus won't run" (when they had hopes for Multiplan against 1-2-3), I'd say that there is a strong chance M$ is behind this.

    I do hope I'm wrong and that this is just one little a**hole's handiwork. Because the prospect of M$ engaging in S/W guerrilla with the OSS community scares the sh*t out of me.

    Bruno Majewski
    bruno@pubnix.qc.ca

  • For anyone comparing NT to this:

    Latest versions of NetBus can't be detected by any of NT's vaunted virus scanners.

    NetBus is all over my school's computer labs.

    NT passwords are a dime a dozen in public computer labs.

    This is what I've seen:

    NetBus cracker sits in back of lab with NetBus installed on many systems. Waits for prey to log on to a system. He/she is of course getting all keyboard activity from all of the infected systems. NetBus cracker waits for an admin to logon to one of the infected systems. Admin password is then compromised.

    Schools and The Media don't seem to care that there is no such thing as a secure NT publicly used network.

    I just feel bad for all those people who are having their email read and personal files inspected.

  • Somebody is using ECS GmbH network to probe external hosts:

    Jan 11 04:55:32 localhost portmap[4783]: connect from 193.134.251.17 to dump (): request from unauthorized host

    inetnum: 193.134.251.0 - 193.134.251.255
    netname: ECS-NET
    descr: ECS GmbH
    descr: Gossau, Switzerland
    country: CH
    admin-c: RK320-RIPE
    tech-c: RK320-RIPE
    tech-c: MD142-RIPE
    changed: hostmaster@switch.ch 961024
    source: RIPE

    route: 193.134.0.0/16
    descr: Unisource Business Networks Switzerland
    descr: UBN-CH-AGGR.5
    origin: AS3303
    mnt-by: CH-UNISOURCE-MNT
    changed: bridge@unisource.ch 971001
    source: RIPE

    person: Rene Kueng
    address: ECS GmbH
    address: Poststr. 4
    address: CH-9200 Gossau
    address: Switzerland
    phone: +41 71 380 0042
    fax-no: +41 71 380 0044
    nic-hdl: RK320-RIPE
    changed: hostmaster@switch.ch 961024
    source: RIPE

    person: Martin Doerig
    address: ECS GmbH
    address: Poststr. 4
    address: CH-9200 Gossau
    address: Switzerland
    phone: +41 71 380 0041
    fax-no: +41 71 380 0044
    nic-hdl: MD142-RIPE
    changed: hostmaster@switch.ch 961024
    source: RIPE



    traceroute to 193.134.251.17 (193.134.251.17): 1-30 hops, 38 byte packets
    1 xx.xx.xx.xx 0.20 ms
    2 xx.xx.xx (xx.xx.xx.xx) 2.5 ms (ttl=63!)
    3 xx.xx.xx.xx (xx.xx.xx.xx) 3.1 ms
    4 xx.xx.xx.xx (xx.xx.xx.xx) 8.5 ms
    5 ny-backbone-1-gs010.router.demon.net (158.152.0.222) 48 ms
    6 nj-backbone-1-gs000.router.demon.net (195.173.173.2) 78 ms
    7 209.67.27.210 (209.67.27.210) 111 ms
    8 jcnj-01-f-0-0.core.exodus.net (209.185.185.130) 109 ms
    9 bbr01-p0-0.jrcy01.exodus.net (209.1.169.193) 108 ms
    10 bbr01-p5-0.hrnd01.exodus.net (209.185.249.214) 134 ms
    11 dcr01-p12-0-0.hrnd01.exodus.net (209.185.249.25) 259 ms
    12 mae-east-h2-1-0.exodus.net (209.1.169.161) 113 ms
    13 mae-east.telia.net (192.41.177.122) 206 ms
    14 209.95.128.38 (209.95.128.38) 134 ms
    15 ny-i7-feth2-0-int.newyork.telia.net (209.95.128.69) 144 ms
    16 ny-i2-atm6-0-0-1-int.newyork.telia.net (209.95.128.245) 143 ms
    17 164.128.33.205 (164.128.33.205) 240 ms (ttl=243!)
    18 i79zhh-020-FastEthernet6-0-0.unisource.ch (164.128.36.3) 133 ms (ttl=243!)
    19 164.128.99.62 (164.128.99.62) 145 ms (ttl=242!)
    20 *
    21 *
    22 *
    23 *
    24 *
    25
    (interrupt)
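The refused portmap request quoted at the top of this comment is the kind of syslog entry that is more useful counted than read one line at a time. The following Python is an added example, not part of the thread: it parses lines in the shape of the quoted one, groups them by source address and reports addresses that came back repeatedly or asked about more than one service. The log format is assumed from that single quoted line, the sample lines are constructed using documentation address ranges, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Refused portmapper requests, in the shape of the line quoted in the comment
# (assumed format; the named groups are this example's own).
PORTMAP_REFUSED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) portmap\[\d+\]: "
    r"connect from (?P<src>[\d.]+) to (?P<proc>\w+)\s*\((?P<arg>[^)]*)\): "
    r"request from unauthorized host$"
)

def parse_line(line: str):
    """Return {ts, src, request} for a refused portmap line, else None."""
    m = PORTMAP_REFUSED.match(line.strip())
    if not m:
        return None
    request = m["proc"] + (f"({m['arg']})" if m["arg"] else "")
    return {"ts": m["ts"], "src": m["src"], "request": request}

def summarize(lines) -> dict:
    """Group refused requests by source address: count, distinct requests, time span."""
    by_src = defaultdict(lambda: {"count": 0, "requests": set(),
                                  "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # unrelated syslog traffic is skipped
            continue
        entry = by_src[rec["src"]]
        entry["count"] += 1
        entry["requests"].add(rec["request"])
        entry["first"] = entry["first"] or rec["ts"]
        entry["last"] = rec["ts"]
    return {src: {**e, "requests": sorted(e["requests"])}
            for src, e in by_src.items()}

def probing_sources(summary: dict, min_requests: int = 2) -> list:
    """Addresses that returned repeatedly or enumerated more than one service."""
    return sorted(src for src, e in summary.items()
                  if e["count"] >= min_requests or len(e["requests"]) > 1)

# Constructed sample log (documentation addresses, not real hosts).
SAMPLE_LOG = """\
Jan 11 04:55:32 localhost portmap[4783]: connect from 192.0.2.17 to dump(): request from unauthorized host
Jan 11 04:55:33 localhost portmap[4783]: connect from 192.0.2.17 to getport(mountd): request from unauthorized host
Jan 11 04:57:01 localhost portmap[4783]: connect from 192.0.2.17 to getport(nfs): request from unauthorized host
Jan 11 05:02:10 localhost portmap[4783]: connect from 198.51.100.8 to dump(): request from unauthorized host
Jan 11 05:02:11 localhost sshd[512]: Accepted password for alice from 10.0.0.5 port 40000 ssh2
""".splitlines()

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src in probing_sources(summary):
        print(src, summary[src])
```

A single refused request is often noise; an address that walks through several RPC services in a few minutes, as the first constructed source does, is what deserves a whois lookup and a firewall rule.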
  • by Anonymous Coward
    Sadly, I see quite a few "MS (must/could be /probably is) behind this trojan".
    Seriously people, whether you like the products, or the marketing, doesn't change the fact that most people at MS are good natured, smart, and usually kind people. Just cause we got quite a few unethical assholes around in marketing, doesn't mean we are all evil people. Has anyone here who claims the first sentence to be true ever met anyone from MS? It might change your perception of the people who work there a bit.
    I've worked for MS Research for a few years, and have used Linux since 1992.
    I can say for a fact that nobody I've ever met would dream of doing something like this.
    Even the MS zealots who are around wouldn't try to do this, because in the big scheme of things, who the hell cares? What do you win? 15 years in a federal prison?
    There are quite a few linux users around MS.
    There's also quite a few people who contribute to open source projects.
    At least at MS research, they could care less about it, too. It's not discouraged at all. We get paid to Research, not run NT.
    We've got researchers whose research mainly involves (and involved before coming here) creating netscape plugins on UNIX machines. Nobody even batted an eye at that one. Most of us are atheistic when it comes to OSes, and will use whatever the hell works best for us. Do you think the Windows police come running in with electromagnetic guns threatening to destroy our hard drives if we don't install NT?
    Most of you have a seriously screwed up view of how MS works.
    On a random subject, since no rant would be complete without a tangent, IMHO, it'd be funny if they broke MS up, cause nothing would change. There is no communication between product groups as it is. Really. I still can't understand how anything gets developed at all around here, or any sharing occurs (actually, I do know this one. It happens because the idea is to see if you can reuse as much as possible of supposedly working tested parts from other apps before having to redo in a new app)
    They actually set up internal help lists for most products, because if say someone from the NT5 team emails the Visual C++ team to ask a question, the odds of getting an answer are about the same as Steve Jobs getting his head out of his ass.
    Probably worse (if that's possible).
    Most people seem to think there is some inter-group communication and collaboration on design or something.
    That cracks me up.
    If only they knew.

    Anyway, that's enough of a rant for now, I'm afraid if I type any more, Win98 will run out of system resources and crash.

    (Incidentally, inside MS we bash some of the cruddy shit produced even more than people on slashdot do. It's hard not to make fun of things like shipping a zero bug release by moving 8000 bugs from priority 1 and 2, to priority 3 and 4.)

  • Isn't one mode of this compromise mirroring software which doesn't validate what it is mirroring? It's bad enough that one site throws up compromised source. The cracker is relatively assured his/her work will be propagated worldwide to mirror sites in a matter of hours.

    Mirroring software must check PGP signatures.

    Hell, the FTP sites must check PGP sigs.

    And the installation software must check PGP sigs.

    Bruce Perens is quite right that crypto is the solution.

  • Could it be that M$ has found its FUD campaigns ineffective and has reserved part of its Microsoft Special Task Force to undermine openly coded software? .. .. nahhhh..

    Microsoft Encryption [min.net]

  • Posted by neuralfraud:

    This is just INSANE

    What the hell is wrong with people? if the person who did this is reading, HA HA HA.

    If only these people could just die.. unfortunately we can't kill people with the flick of a finger.

    I'm willing to bet that there's a group of lamers in some leet-o channel laughing about this too.

    I'm glad I didn't get the g update.

    What's next, personally editing all the source code!?
  • Posted by Hagbard Celine:

    I haven't read every comment in response to the BP Trojan article, so this may have already been mentioned...

    A trojan attack against an Open Source codebase could be staged, not only by individuals, but by corporations that perceive OS as a threat to their proprietary interests. You can plug in the name of the corporation of your choice...I'm thinking of one right now... ;)

    Hagbard
  • by Matts ( 1628 )
    Hotmail is a huge gateway for this sort of illegal activity, and they don't care, and won't do anything about it. They have been contacted numerous times about the issue but never take any action further than simply removing the account. After which of course the crackers can simply open a new hotmail account. There is one case of crackers obtaining a huge list of ISP phone numbers, usernames and passwords by using a trojan pointing to hotmail. Their account is still active despite all the information being given to them!

    Also - I think it's hugely worrying that this is happening to open source software. You sort of expect it from binaries, but with source code you don't expect to have to check it for trojans. This is a sad day...
    --
  • I don't think it was MS. For one, the trojan itself is pretty benign. As someone pointed out, this looks more like proof of concept, or a warning.

    See my response to the "Why just UID and hostname" thread above. This trojan is most definitely NOT benign; it grants anyone a root shell on login.

    Hrm... This reminds me - I got an attempted connection from someone at [name withheld].akh-wien.ac.at yesterday shortly after I dialed in (dynamic IP). I wonder if that indicates that that machine was hit by this, or more likely that someone else using JHU's ppp service got bitten.

  • by Rendus ( 2430 )
    This definitely falls into my "sonofabitchthissucks" category of news.

    Great, I don't even know C... I guess I'm grepping for "hotmail.com" from now on..
  • I guess it is time to get serious about using signed versions of software, firewalling to watch for strange packets, and checking the outgoing mail and other queues.

    Just the excuse I need to spend a Sunday afternoon tightening down my system like Fort Knox.
  • Still, if it encourages the development of proper signing infrastructure for Linux downloads, it could turn out to be a good thing in the long run. That's little consolation for everyone who installed login in the last few days, though.
  • Come on people, you make it too easy for the stupid AC trolls to get you worked up! This is the biggest thread on this article at the moment. They only do it to get a response, and that's exactly what they're getting! Ignore them and they'll evaporate.
  • OK, although it said I was Matts when posting, the actual post said it was anonymous.

    Maybe a problem with cachedot?

  • Anyone can generate a checksum. A digital signature with proper cross-signing is the only security we have.


    Bruce

  • Your freshmeat announcement and the MD5 checksum file need to be crypto signed. Otherwise, we have no idea of who it came from - it's easy enough for a cracker to make a false announcement to FreshMeat.

    Check out how Debian handles this - project-wide key files, cross-signing by a trusted "security" key, automatic crypto and MD5 checks on uploads. This is what everyone needs to do.

    Bruce

  • Don't say you weren't told this would happen.


    We know how to handle this. Cryptographically sign everything, have good cross-signings on your keys, and check the signatures when you download.


    A tool to automate signature checks during downloads might be nice.


    Bruce Perens

  • I'm sorry, have there been any actual exploits reported based on either of the past week's trojan horse episodes? Stolen credit cards or trade secrets? Long downtimes?

    What counts is not the number of security vulnerabilities listed on security/hacker sites, but the damage done when those vulnerabilities are exploited.

    With open source, vulnerabilities are spotted quickly and publicized widely. This reduces the chances of real damage - if system administrators are paying attention.

    Linux system administrators (including me) will have to be especially careful in coming months, as Linux begins chomping up market share. Lots of angry, envious twerps will be out there looking to bring about a widely publicized security 'incident' to cast aspersions on the viability of Linux and OSS in general.

    -Doug
  • Is there any way to be able to contact some sort of server somewhere and authenticate a package by using a digital ID somehow?

    This opens up a whole big can of worms. We need more/bigger use of digital ID's and signing of documents to verify that people are really who they say they are.

    This could take away some of the credibility of OSS if we don't find some way to curtail this.

    Imagine if a news source jumped on this and gave these problems the wrong kind of spin?

    Ben
  • I've thought of this as a potential vulnerability for well over a year, since the early Samba attacks came out (and worked against kernel.org, for that matter). I tested them against kernel.org, then promptly reported the bug to them (and it was fixed within a day). But, that begs the question, if an unmotivated, bored attacker could break in and *think* about dropping a trojan horse, a dedicated, malicious attacker could have perhaps edited a code segment in the Linux kernel, or in any piece of the site, and had that change spread VERY quickly. And if it was a kernel-level trojan, it might not have been noticed, even by now. Programs as large as the Linux kernel don't receive comprehensive source reviews often enough to make a judgement on the security of the code.

    See, what we need, is a centralized server, that is highly secured, that carries md5sums for all major Linux system software, that can be trusted. Now, this means treating it the same as a really huge kerberos keyserver... if someone DOES compromise it, we're in trouble.
  • Or, for the conspiracy minded...

    How do we know Microsoft wasn't responsible?

    --
  • Title says it all. No basis in fact, but it would be immensely entertaining if it was even remotely true. And think what that would do to the DoJ's case...
    Which brings up an interesting point. Is it necessarily illegal to put trojan horses into a public open-source project? All of this stuff is 'Use at your own risk' anyway...
  • ..who have not got a clue, what security is about...
  • I was sort of afraid of this... I think we'll probably be seeing a lot more of this kind of security hazard. The more advanced things get software-wise, the harder this stuff will be to contain.

    - Slarty
  • Nice one. As I see it emails your IP address to a hotmail address. Microsoft are probably not in any great hurry to stop this because they own hotmail and it makes Linux appear insecure. Except the Law says they ought to. DOJ, here I come..

    The account for wlogain@hotmail.com [mailto] still exists, something I've just confirmed with the help of my own hotmail account ;-)

    Someone could do this: set up a Linux box w/o hard disk to boot over nfs off another machine. Then apply your patch and login to the machine. Eventually the rogue may (or may not) attempt to log into this machine, but that doesn't matter, cos it's got no hard disk and no one trusts it anyway. But he's on your spare machine and bingo you have his IP address. Then harass the ISP enough and you have the culprit's real name and address in no time. Alternatively if you're not so good-natured you could try every possible attack on the machine. Gosh this sounds all too easy.

  • MD5 produces a string which is characteristic of the file that produced it, and quite hard to fake. However, if the crook can give you the file and the MD5 string all you will see is a correct match when you try to reproduce that MD5 string. Security usually comes from a two stage process - you get a public key from the author in a way you feel comfortable with (e.g. direct from the RedHat site - i.e. from a name and place you know and trust). Then whenever you find a package from that supplier, whichever mirror or other source it comes from, you can check it using the key you got in advance. One of the nice things about RPMs is they let you make this check a no-brain use of a simple command line operation.
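The two-stage process described in the comment above, and the "check the signatures when you download" advice in Bruce Perens' comments earlier in the thread, can be shown end to end in a few dozen lines. The following Python is an added example, not code from the thread or from any project it mentions. To stay dependency-free it uses a toy textbook-RSA signature over a checksum manifest, with tiny constructed primes that are nowhere near secure; a real publisher would sign with GnuPG and the user would verify with a key obtained out of band. The file name, file contents and key material are all constructed, and the function names are this example's own.

```python
import hashlib

# Toy textbook-RSA key pair (constructed; tiny and insecure, used only to
# keep this example dependency-free). A real publisher would use GnuPG.
P, Q = 104729, 1299709
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
PUBLIC_KEY = (N, E)                     # fetched once, out of band, from the author
PRIVATE_KEY = (N, D)                    # never leaves the publisher

def _digest_int(data: bytes, n: int) -> int:
    """Reduce a SHA-256 digest into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, private_key) -> int:
    n, d = private_key
    return pow(_digest_int(data, n), d, n)

def verify(data: bytes, signature: int, public_key) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data, n)

def build_manifest(files: dict) -> bytes:
    """One '<sha256hex>  <name>' line per file, the shape of a checksum file."""
    lines = [f"{hashlib.sha256(blob).hexdigest()}  {name}"
             for name, blob in sorted(files.items())]
    return ("\n".join(lines) + "\n").encode()

def parse_manifest(manifest: bytes) -> dict:
    expected = {}
    for line in manifest.decode().splitlines():
        if line.strip():
            digest, _, name = line.partition("  ")
            expected[name] = digest
    return expected

def checksum_only_check(manifest: bytes, files: dict) -> bool:
    """What an unsigned 'md5sum -c' style check proves: the files match the
    checksum file as served, whoever wrote that checksum file."""
    expected = parse_manifest(manifest)
    return all(hashlib.sha256(blob).hexdigest() == expected.get(name)
               for name, blob in files.items())

def verify_download(manifest: bytes, signature: int, files: dict, public_key) -> tuple:
    """Check the manifest signature first, then each file against it."""
    if not verify(manifest, signature, public_key):
        return False, "manifest signature invalid"
    expected = parse_manifest(manifest)
    for name, blob in files.items():
        if name not in expected:
            return False, f"{name} not listed in signed manifest"
        if hashlib.sha256(blob).hexdigest() != expected[name]:
            return False, f"{name} digest mismatch"
    return True, "ok"

# Constructed scenario: a genuine release, then a mirror that serves a
# replaced tarball together with a freshly computed checksum file.
GENUINE = {"util-linux.tar.gz": b"genuine release bytes (constructed)"}
MANIFEST = build_manifest(GENUINE)
SIGNATURE = sign(MANIFEST, PRIVATE_KEY)          # made by the publisher
TROJANED = {"util-linux.tar.gz": b"trojaned release bytes (constructed)"}
FORGED_MANIFEST = build_manifest(TROJANED)       # attacker cannot sign this

def scenario_results() -> dict:
    return {
        "genuine": verify_download(MANIFEST, SIGNATURE, GENUINE, PUBLIC_KEY),
        "forged_pair_checksum_only": checksum_only_check(FORGED_MANIFEST, TROJANED),
        "forged_pair_signed": verify_download(FORGED_MANIFEST, SIGNATURE, TROJANED, PUBLIC_KEY),
        "swapped_file_only_signed": verify_download(MANIFEST, SIGNATURE, TROJANED, PUBLIC_KEY),
    }

if __name__ == "__main__":
    for case, result in scenario_results().items():
        print(f"{case}: {result}")
```

The second scenario is the one the comment warns about: a mirror that replaces both the tarball and its checksum file passes a checksum-only check, because that check only shows the two match each other. The signed manifest fails the same swap because the old signature no longer covers the new checksums, and the key it is checked against came from the author rather than from the mirror.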
  • "Programs as large as the Linux kernel don't receive comprehensive source reviews often enough"

    Well I must admit that I don't read the full kernel source when there's a new version, but at least I read every single patch file and I've read all of them since early '92. Lately I've stopped reading most of the new m68k stuff etc., concentrating instead on the platforms I use. So at least it isn't so easy to place any trojan in the patches. I know that many many other people also read all the patches, and there sure are a lot of people looking everywhere in the kernel whenever there's a new version.
  • hotmail is owned by microsoft and that about tells you what to expect....


    nuf said....
  • This really has little to do with the OS. It's just an application to download that was compromised with a trojan on one server. This is the equivalent of someone hacking and distributing a copy of WinZip for Windows that would do something similar. The only difference is that with open source, the trojan is caught fairly quickly by people who go over the source. In Windows, you never know exactly what you're running... like BackOrifice.
  • a unix doesn't HAVE to have remote login. You can shut off all remote accesses except http, if you want. That's what makes unix unix: virtually unlimited choices of what you want. I'd be interested in finding out if an NT web server is more secure than a unix-based web server with all remote logins turned off.

    As for inexperienced sysadmins... well, if you use linux, I'd think that with the money saved you could get yourself a more experienced sysadmin, which would be better in the long-run anyway. As you said, NT looks pretty good "on the surface".
  • I've been gathering the files to 'test drive' the new kernel, following the recommended links in http://www.linuxhq.com/change21.html This afternoon I saw the warnings at the trojaned site while I was browsing for tarballs.

    It is unfortunately easy to simply click and download the files when you come from a reference page (for example, linuxhq), without getting a chance to verify the files. Luckily the links are a bit stale..
