bit-tech.net

Linux IRC daemon Trojan uncovered

The UnrealIRCd source archive played unwitting host to a backdoor Trojan for several months.

A backdoor that found its way into the distributed source of a popular IRC server has been rooted out - and the episode is a wake-up call to the Linux world about release-integrity best practice.

Although far rarer than Windows malware, attacks on Linux-based systems certainly exist. Built-in habits such as working as a non-administrative user and having to mark a file executable before it will run make Linux a harder target, but neither helps when the malicious code is compiled into a program the administrator builds and installs deliberately - and there are those who will keep trying.

It is one such attacker who managed - somehow - to replace the source archive of the UnrealIRCd package, a widely used Internet Relay Chat daemon, on the project's download mirrors with a copy containing a backdoor. According to Sophos' Chester Wisniewski, the backdoor had been present since as far back as November 2009, giving anyone who could connect to an affected server a way to run commands with the privileges of the user the daemon runs as.

The common cry of "I don't need anti-virus software, I'm on Linux" may still hold - even though Wisniewski claims his company's products would have protected against the backdoor - but this breach shows that industry best practice applies however secure your operating system might be.

While users who downloaded the code hold some culpability for not verifying what they fetched, it is the project's administrators who should hang their heads: a combination of not comparing the archives on their mirrors against a known-good copy, not publishing checksums or digital signatures that would have exposed the swap, and letting mirrors serve the tainted archive with nothing for users to verify it against left the project's users open to attack for months. Note that a checksum only helps if it is published somewhere the attacker cannot also edit, such as the project's own site, or is itself signed; a sum served from the same compromised mirror proves nothing.
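To make the checksum point concrete, here is an added example (it is not code from this article or from the UnrealIRCd project) of verifying a downloaded archive against a `sha256sum`-style checksum list fetched out-of-band, and of why a checksum list fetched from the same mirror as the archive proves nothing. The file name, the archive bytes and both checksum lists are constructed for the demonstration; the real Unreal3.2.8.1.tar.gz and its digest are not reproduced. Python 3.9 or later.

```python
import hashlib
import hmac

# Constructed stand-ins for the real release and for the swapped copy a mirror
# served. These are not the real Unreal3.2.8.1.tar.gz bytes.
RELEASE_NAME = "Unreal3.2.8.1.tar.gz"
GENUINE_TARBALL = b"\x1f\x8b" + b"genuine release contents (constructed)"
TAMPERED_TARBALL = GENUINE_TARBALL + b"+backdoor (constructed)"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of DATA, the same value `sha256sum` prints."""
    return hashlib.sha256(data).hexdigest()


def parse_sums(text: str) -> dict[str, str]:
    """Parse a `sha256sum`-style list: one 'HEX  filename' entry per line."""
    sums: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum's binary-mode marker
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {raw!r}")
        sums[name] = digest.lower()
    return sums


def verify_download(name: str, data: bytes, sums: dict[str, str]) -> bool:
    """True only if NAME is listed and DATA hashes to the listed digest.

    An unlisted file is a failure, not a pass, and the digests are compared
    with compare_digest so the check does not leak the digest a byte at a time.
    """
    expected = sums.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


# The checksum list as the project would publish it on its own site, away from
# the mirrors. Constructed here from the stand-in release above.
OFFICIAL_SUMS_TEXT = f"{sha256_hex(GENUINE_TARBALL)}  {RELEASE_NAME}\n"

# The checksum list an attacker who controls a mirror would serve next to the
# swapped archive: it simply lists the digest of the tampered file.
MIRROR_SUMS_TEXT = f"{sha256_hex(TAMPERED_TARBALL)}  {RELEASE_NAME}\n"


def check_mirror_copies() -> dict[str, bool]:
    """Run the three cases that matter for the article's point."""
    official = parse_sums(OFFICIAL_SUMS_TEXT)
    mirror = parse_sums(MIRROR_SUMS_TEXT)
    return {
        # Genuine archive checked against the official list: passes.
        "genuine_vs_official": verify_download(RELEASE_NAME, GENUINE_TARBALL, official),
        # Swapped archive checked against the official list: caught.
        "tampered_vs_official": verify_download(RELEASE_NAME, TAMPERED_TARBALL, official),
        # Swapped archive checked against the compromised mirror's own list:
        # passes, which is why sums must come from elsewhere or be signed.
        "tampered_vs_mirror_sums": verify_download(RELEASE_NAME, TAMPERED_TARBALL, mirror),
    }


if __name__ == "__main__":
    for case, ok in check_mirror_copies().items():
        print(f"{case}: {'OK' if ok else 'MISMATCH'}")
```

The third case is the one that matters in practice: the mirror operator (or whoever replaced the archive) can rewrite any checksum file sitting beside it, so the list has to be fetched from the project's own site or carry a signature made with a key the user already trusts.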

Thankfully, the team have now wised up: the tainted archive has been replaced with a clean release, and all future releases are digitally signed so that tampering can be detected - though users still have to verify the signature against a key obtained from a trusted source, and for those who already installed the backdoored build the move could well be too little, too late.

Are you shocked to see a Linux app fall prey to a backdoor Trojan, or is this the sort of thing you expect when package maintainers fail to do their job properly? Could Linux be mainstream enough now to require anti-virus software? Share your thoughts over in the forums.

17 Comments

eddtox 14th June 2010, 11:26 Quote
In my opinion, the open-source nature of Linux software is its biggest security problem.

Of course, the benefits outweigh the potential downsides, but that is only true as long as changes to the source are regularly checked by other maintainers. If nobody checks what it is that is being added to the source code, this is bound to happen again and again and again, as it becomes the easiest attack vector.

Hopefully this will prompt other open-source package maintainers who haven't been as diligent as they should have been to pull their socks up and check their code base.

Of course, this could have just been an isolated incident.
hbeevers 14th June 2010, 11:47 Quote
I'm pretty sure this was an isolated incident. However, all the anti-virus companies would love it if viruses came to Linux, a whole other source of income for them!
mi1ez 14th June 2010, 12:05 Quote
At least Linux users don't claim with as much passion as Mac users that they can't get a virus!
RichCreedy 14th June 2010, 12:12 Quote
It 'could' be an isolated incident, but it may prove to be more of a testbed: 'let's see how long it takes for someone to find this; are Linux users dumb enough not to check?'

I don't care what OS people use, best practice is to have some sort of AV product. Software is like humans: none of it is perfect, flaws can be made and found.
crazyceo 14th June 2010, 13:25 Quote
I've said it before and I'll say it again. I don't believe ANY OS is completely safe and secure regardless of how open or not it is. Anyone willing enough to have a go to crack it, usually does.

Backup your data, regularly check for updates to EVERYTHING and not just your anti-virus software and only download porn from respectable sources!
Phil Rhodes 14th June 2010, 13:44 Quote
This does rather highlight the core futility of open source. Yes, you can get the source code. Yes, you can modify it. Yes, you can check it for viruses.

If you happen to have a lot of very specific knowledge.
eddtox 14th June 2010, 13:59 Quote
It's just occurred to me that Sophos seems to be coming out with a lot of stories about how this and that is insecure, but they could make it better, if you pay them. Just worth bearing in mind that they do have a vested interest in people being afraid of insecure computers.
Andy Mc 14th June 2010, 14:46 Quote
With open source software at least you can _find_ the backdoors, if you look. With closed source software you just have to rely on the maintainer to tell you the source is good.
Greenie 14th June 2010, 16:22 Quote
Quote:
Originally Posted by eddtox
In my opinion, the open-source nature of Linux software is its biggest security problem.

The problem was with the file on the mirrors being changed to a bad version, not their source repository, or the official site. While this is an issue that needs to be looked at and addressed, it's not as big as its being made out to be.

It's like downloading an update to a program from download.com or softpedia that's infected with a virus.

More Info: http://forums.unrealircd.com/viewtopic.php?t=6562
eddtox 14th June 2010, 17:44 Quote
Quote:
Originally Posted by Greenie
The problem was with the file on the mirrors being changed to a bad version, not their source repository, or the official site. While this is an issue that needs to be looked at and addressed, it's not as big as its being made out to be.

It's like downloading an update to a program from download.com or softpedia that's infected with a virus.

More Info: http://forums.unrealircd.com/viewtopic.php?t=6562

OIC. I wonder why that wasn't specified. It does make a big difference, and makes me look a bit of a plonker.

I'll be in the corner, if anyone needs me :(
thehippoz 14th June 2010, 17:58 Quote
they let the weasel in the backdoor..
Shagbag 14th June 2010, 18:52 Quote
Quote:
Originally Posted by eddtox
In my opinion, the open-source nature of Linux software is its biggest security problem.
You're entitled to your opinion but I wouldn't recommend voicing it on the OpenBSD mailing lists. :D
eddtox 14th June 2010, 23:16 Quote
Quote:
Originally Posted by Shagbag
You're entitled to your opinion but I wouldn't recommend voicing it on the OpenBSD mailing lists. :D

It would be a laugh to try, though. =D

I do love OSS and what it stands for. That's why I've got an N900. But I do worry about this kind of attack.

It won't stop me from using OSS though
tristanperry 14th June 2010, 23:23 Quote
In some ways I'm glad about this.

I much prefer Linux-based OSes to Windows OSes, however the suggestion by Unix-based OS users that 'We don't need a virus checker' is a bit silly (as this shows, viruses can and do affect Unix-based systems)
deadsea 15th June 2010, 04:46 Quote
Would an AV program actually have stopped the trojan? After all, it is in the repository and it is being run at the highest possible access level. It should be a walk in the park to have it disable any other programs along the way.
Greenie 16th June 2010, 11:22 Quote
It was a source .tar.gz on a mirror that was compromised with a built-in back door; I don't think it ever made it to a distro repository.

This wouldn't have been detectable with a virus scanner, although it may be detectable with something like SELinux or AppArmor.

This back door would allow a remote user to run commands with the permissions of the user running UnrealIRCd, which ideally should not have permissions to anything else.
js999 22nd June 2010, 03:01 Quote
Quote:
Originally Posted by
This is really scary, a program going for so long with a nasty backdoor, but it seems this is OLDER than the guys at UnrealIRCd are saying; maybe it was intentional..

http://neko3koneko.wordpress.com/2010/06/20/could-we-have-stopped-the-raise-of-this-linux-backdoor/

lol!?