The UnrealIRCd source code has played unwitting host to a backdoor Trojan for several months.
A nasty backdoor that found its way into the source code of a popular IRC server application has been rooted out - and has provided a wake-up call to the Linux world regarding security best practices.
Although far rarer than Windows malware, attacks against Linux-based operating systems are definitely out there. Security practices built into the platform, such as routinely running as a non-administrative user and the requirement to mark a file as executable before it will run, make Linux-based systems a much harder target, but there are those who will continue to try.
It is one such attacker who managed - somehow - to insert a backdoor Trojan into the source archive of the UnrealIRCd package, an Internet Relay Chat daemon for Linux, as distributed from the project's download mirrors. According to Sophos' Chester Wisniewski, the backdoor has been present since as far back as November 2009 - providing ne'er-do-wells with an easy entry point into affected systems.
The common cry of "I don't need anti-virus software, I'm on Linux" might still be true - despite Wisniewski claiming that his company's products would have protected against the backdoor - but this major security breach highlights the requirement to stick to the rules of industry best practice no matter how secure your operating system might be.
While the users who downloaded the code might hold some culpability for not checking their sources, it's the project's administrators who should hang their heads: a combination of not checking their distributed archives for unauthorised changes, a failure to publish checksums or digital signatures for the code which would have highlighted the changes, and providing the code to mirrors, again without checksums, has left the project's users open to attack for months.
Thankfully, the team have now wised up: with the Trojan removed and the code base cleaned, all future releases are digitally signed so that tampering can be detected - although for the project's users the move could well be too little, too late.
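The check the article is asking users and maintainers to perform, as an added example that is not UnrealIRCd project code: verify a downloaded archive against a checksum list the project published somewhere the mirror cannot rewrite (its own site, a signed release announcement). The archive bytes, the file name `ircd-release.tar.gz` and the checksum list are constructed stand-ins for the demonstration.

```python
"""Verify a downloaded release archive against a project-published
checksum list in `sha256sum` format.  Added example, not UnrealIRCd code;
all archives, names and checksum lists below are constructed stand-ins."""
import hashlib
import hmac

# Constructed stand-ins for the archive the project published and the same
# file after a mirror has swapped in a trojaned copy.
GENUINE_TARBALL = b"ircd release archive (constructed stand-in bytes)\n"
TAMPERED_TARBALL = GENUINE_TARBALL + b"extra bytes injected on the mirror\n"
RELEASE_NAME = "ircd-release.tar.gz"  # hypothetical file name


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed checksum list in the format `sha256sum` writes:
# "<hex digest>  <filename>"; a leading '*' on the name marks binary mode.
PUBLISHED_SUMS = (
    f"{sha256_hex(GENUINE_TARBALL)}  {RELEASE_NAME}\n"
    f"{sha256_hex(b'constructed changelog text')} *CHANGELOG\n"
)


def parse_sums(text: str) -> dict:
    """Parse sha256sum-style output into {filename: lowercase hex digest}.
    Malformed lines raise rather than being silently skipped, so a
    truncated or mangled checksum file cannot pass as 'nothing to check'."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        digest = digest.lower()
        if not name or len(digest) != 64 or any(
            c not in "0123456789abcdef" for c in digest
        ):
            raise ValueError(f"malformed checksum line: {raw!r}")
        sums[name] = digest
    return sums


def verify_download(filename: str, data: bytes, published_sums: str) -> bool:
    """Return True only if `data` hashes to the digest the project published
    for `filename`.  A file absent from the list is treated as unverified."""
    expected = parse_sums(published_sums).get(filename)
    if expected is None:
        return False
    # compare_digest avoids leaking the expected digest through timing.
    return hmac.compare_digest(sha256_hex(data), expected)


if __name__ == "__main__":
    print("genuine archive :", verify_download(RELEASE_NAME, GENUINE_TARBALL, PUBLISHED_SUMS))
    print("tampered archive:", verify_download(RELEASE_NAME, TAMPERED_TARBALL, PUBLISHED_SUMS))
    # A checksum list fetched from the compromised mirror itself proves
    # nothing: the attacker regenerates it for the trojaned file and the
    # check passes.  This is why the digest must come from the project, or
    # better still be covered by the project's release signature.
    mirror_sums = f"{sha256_hex(TAMPERED_TARBALL)}  {RELEASE_NAME}\n"
    print("tampered archive, mirror's own sums:",
          verify_download(RELEASE_NAME, TAMPERED_TARBALL, mirror_sums))
```

The third case is the one that matters for a mirror compromise: a checksum alone only tells you the bytes match whatever the checksum's author hashed, so it has to be obtained from a source the attacker does not control. A signature from the project's release key removes that dependency on where the list was fetched from.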
Are you shocked to see a Linux app fall prey to a backdoor Trojan, or is this the sort of thing you expect when package maintainers fail to do their job properly? Could Linux be mainstream enough now to require anti-virus software? Share your thoughts over in the forums.
Of course, the benefits outweigh the potential downsides, but that is only true as long as changes to the source are regularly checked by other maintainers. If nobody checks what it is that is being added to the source code, this is bound to happen again and again and again, as it becomes the easiest attack vector.
Hopefully this will prompt other open-source package maintainers who haven't been as diligent as they should have been to pull their socks up and check their code base.
Of course, this could have just been an isolated incident.
I don't care what OS people use, best practice is to have some sort of AV product. Software is like humans, none of it is perfect, flaws can be made and found.
Backup your data, regularly check for updates to EVERYTHING and not just your anti-virus software and only download porn from respectable sources!
If you happen to have a lot of very specific knowledge.
The problem was with the file on the mirrors being changed to a bad version, not their source repository or the official site. While this is an issue that needs to be looked at and addressed, it's not as big as it's being made out to be.
It's like downloading an update to a program from download.com or softpedia that's infected with a virus.
More Info: http://forums.unrealircd.com/viewtopic.php?t=6562
OIC. I wonder why that wasn't specified. It does make a big difference, and makes me look a bit of a plonker.
I'll be in the corner, if anyone needs me :(
It would be a laugh to try, though. =D
I do love OSS and what it stands for. That's why I've got an N900. But I do worry about this kind of attack.
It won't stop me from using OSS though
I much prefer Linux-based OSes to Windows OSes; however, the suggestion by Unix-based OS users that "We don't need a virus checker" is a bit silly (as this shows, viruses can and do affect Unix-based systems).
This wouldn't have been detectable with a virus scanner, although it may be detectable with something like SELinux or AppArmor.
This back door would allow a remote user to run commands with the permissions of the user running UnrealIRCd, which ideally should not have permissions to anything else.
http://neko3koneko.wordpress.com/2010/06/20/could-we-have-stopped-the-raise-of-this-linux-backdoor/
lol!?