Thursday, 31 July 2014
Linux: Infected by Complacency

On my daily rounds, I pick up all kinds of good lil’ tidbits for article ideas.  Most of them relate to Windows flaws or are anti-Apple pieces, but none of them really cut the mustard.  Today, however, I am going to pound my fist against the wall at those of us who thought we had less to worry about.  Yes, we are Linux advocates, and we sometimes overlook security. Today I was introduced to a statement by UnrealIRCd detailing a trojan packaged with their IRCd (Internet Relay Chat daemon) for Linux.  This exposes one FATAL flaw in the Linux faithful: the blind trust we place in most of the Linux community, and the little attention we pay to what we are installing or downloading.  This time, it leads us to a backdoor that grants an evildoer the ability to run ANY command with the privileges of the user running the daemon. 

The statement:

Hi all,

This is very embarrassing…

We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been replaced quite a while ago with a version with a backdoor (trojan) in it.
This backdoor allows a person to execute ANY command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user restrictions (so even if you have passworded server or hub that doesn’t allow any users in).

It appears the replacement of the .tar.gz occurred in November 2009 (at least on some mirrors). It seems nobody noticed it until now.

Obviously, this is a very serious issue, and we’re taking precautions so this will never happen again, and if it somehow does that it will be noticed quickly.
We will also re-implement PGP/GPG signing of releases. Even though in practice (very) few people verify files, it will still be useful for those people who do.

While the source tarball on the software maker’s Linux download mirrors had been replaced with the trojaned copy, the PRECOMPILED Windows binaries remained clean.

Safe versions
==============

Official precompiled Windows (SSL and non-ssl) binaries are NOT affected.

CVS is also not affected.

3.2.8 and any earlier versions are not affected.

Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be safe, but you should really double-check, see next.

The oddity here is that the infection would have been found MUCH faster if the trojan had shipped with the Windows build.  I can’t imagine that this has been running around for 7 months unnoticed.  My personal belief, when it comes to installing software on my web server (C.O.D. PROUDLY RUNS ON LINUX), is that I check the md5sums on everything that lists them.

How to verify that the release is the official version
======================================================
You can check by running ‘md5sum Unreal3.2.8.1.tar.gz’, it should output:
7b741e94e867c0a7370553fd01506c66 Unreal3.2.8.1.tar.gz

For reference, here are the md5sums for ALL proper files:
7b741e94e867c0a7370553fd01506c66 Unreal3.2.8.1.tar.gz
5a6941385cd04f19d9f4241e5c912d18 Unreal3.2.8.1.exe
a54eafa6861b6219f4f28451450cdbd3 Unreal3.2.8.1-SSL.exe

These are the EXACT same MD5sums as mentioned on April 13 2009 in the initial 3.2.8.1 announcement to the unreal-notify and unreal-users mailing list.
<http://sourceforge.net/mailarchive/forum.php?thread_name=49E341E0.3000702%40vulnscan.org&forum_name=unreal-notify>

Now this is where my beliefs get interesting.  I DON’T BLAME THE SOFTWARE MAKER! I blame the users!  I personally scan all files I download on my WINDOWS workstation prior to installing.  There are plenty of instances where I receive false positives, and plenty of times that things have slipped through.  However, for the Linux faithful to blindly believe that the packages they are downloading have not been modified is unacceptable.  As quoted above, UnrealIRCd provided the md5sums for the proper files, and, more to the point, those hashes are the same ones it published in the April 2009 release announcement, months before the mirrors were tampered with, so they come from a source the attacker never touched.  A checksum sitting next to the tarball on the same compromised mirror would have proved nothing, because whoever swapped the tarball could have swapped the checksum too.
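The verification step the advisory describes, as an added example that is not part of the original article or of UnrealIRCd’s own tooling. It is a POSIX shell script that takes the expected hashes from a manifest you fill in from an independent source (the lines in the mailing-list announcement, not a checksum file on the mirror) and compares them against what is on disk, skipping files you never downloaded such as the Windows builds. The data it hashes in its demo is a constructed file whose MD5 is known, not a real release; the file names, the manifest layout and the function names are assumptions of this example. Two caveats a practitioner should keep in mind: MD5 is no longer collision resistant, but catching an after-the-fact replacement of a file whose hash was published earlier requires a second preimage, which MD5 still resists, so the check is meaningful here; and a signed release (the PGP/GPG signing the advisory promises to reinstate) verified against a key obtained out of band is the stronger check.

```shell
#!/bin/sh
# Added example, not code from the C.O.D. article or the UnrealIRCd project.
# Verifies downloaded release files against MD5 hashes taken from an
# independent source (the release announcement on a mailing list), not from
# a checksum file served by the same mirror that served the tarball.

# md5_of FILE: print the MD5 of FILE as a bare lowercase hex string.
# md5sum is what the advisory uses; openssl is a fallback for hosts without
# GNU coreutils.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_release FILE EXPECTED_MD5
# Returns 0 if FILE exists and hashes to EXPECTED_MD5, 1 otherwise.
verify_release() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "MISSING  $file" >&2
        return 1
    fi
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file: expected $expected, got $actual" >&2
    return 1
}

# verify_manifest MANIFEST DIR
# MANIFEST holds "<md5>  <filename>" lines in the layout the advisory prints
# (copy them from the announcement, not from the mirror). Every listed file
# present in DIR must match. Files not downloaded (e.g. the Windows .exe
# builds on a Linux host) are reported and skipped. Returns 0 only if no
# present file mismatched.
verify_manifest() {
    manifest=$1
    dir=$2
    status=0
    while read -r expected name; do
        [ -n "$expected" ] || continue            # blank line
        case $expected in '#'*) continue ;; esac  # comment line
        if [ -f "$dir/$name" ]; then
            verify_release "$dir/$name" "$expected" || status=1
        else
            echo "ABSENT   $name (not downloaded, skipped)"
        fi
    done < "$manifest"
    return $status
}

# demo: self-contained run on constructed data. The "release" is a file
# created here whose MD5 is known (b1946ac... is the MD5 of "hello\n"),
# not an UnrealIRCd tarball, so the demo runs offline. Returns 0 if the
# genuine file passes and the tampered copy is caught.
demo() {
    work=$(mktemp -d)
    printf 'hello\n'  > "$work/release.tar.gz"      # genuine download
    printf 'hello!\n' > "$work/tampered.tar.gz"     # one byte appended
    cat > "$work/manifest.txt" <<'EOF'
# hashes "copied from the announcement" (constructed for this demo)
b1946ac92492d2347c6235b4d2611184  release.tar.gz
b1946ac92492d2347c6235b4d2611184  tampered.tar.gz
b1946ac92492d2347c6235b4d2611184  not-downloaded.exe
EOF
    if verify_manifest "$work/manifest.txt" "$work"; then rc=0; else rc=1; fi
    rm -rf "$work"
    # release.tar.gz is OK, tampered.tar.gz mismatches, the .exe is absent,
    # so the manifest as a whole must fail (rc=1)
    [ "$rc" -eq 1 ]
}

demo
```

In practice you would paste the three `<md5>  <filename>` lines from the advisory into `manifest.txt` and run `verify_manifest manifest.txt .` in your download directory; the loop does the same job as `md5sum -c` on a proper checksum file, but makes explicit that the hashes must come from somewhere other than the mirror you are checking.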

As one user stated:

Re: Some versions of Unreal3.2.8.1.tar.gz contain a backdoor

by tmpaccount on Sun Jun 13, 2010 11:14 am

You are very irresponsible.
I'll migrate to some other IRC server as soon as I can and I'd recommend everybody else to do the same.
I was wondering whether it was indeed someone from outside or if you guys did it yourself and when the advisory was published you decided to blame someone from outside.
SHAME ON YOU.

I disagree.  This may have been an oversight by UnrealIRCd, but you BLINDLY installed the software.  As Linux and other operating systems gain popularity, we are going to see more and more incidents like this one. There have been plenty of security concerns for Linux users and administrators (rootkits and the like), but this one did not involve anyone hacking into your system.  It happened because administrators and users have become complacent about the simple checks that Windows users have to perform daily on the software they install.  SCAN IT! (check the md5sum mah bruva)

About Joe DiFiglia

I have always had a passion for everything computing. In early 2000, I decided to take my passion to the web. Thus, C.O.D. was born. Through the years we have made many great friends at C.O.D. and hope to continue our journey for years to come.