Linked by Jordan Spencer Cunningham on Mon 14th Jun 2010 23:58 UTC
Bugs & Viruses Recently, the Linux version of UnrealIRCd was discovered to have had a Trojan worm its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan's been holding open the backdoor in the source code since November of 2009-- not very recently. And, of course, bloggers and press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don't really exist.
Thread beginning with comment 430051
To read all comments associated with this story, please click here.
Need for Better Practices, Not More FUD
by lemur2 on Tue 15th Jun 2010 04:50 UTC
lemur2
Member since:
2007-02-17

http://www.itworld.com/open-source/110930/trojaned-app-demonstrates...

Still, from the looks of this news, mistakes were indeed made. The Unreal team have already 'fessed up to the fact that (until this happened), archived releases had not been PGP/GPG signed. Which means if the archived version of the software varied in any way from the actual source code, there's no sure way to tell. That's what signing is supposed to do.

The team also admitted to not checking all of the mirrored files as often as they should have. Which means that while the true source code (in CVS) was clean as a whistle, the source archive files that people downloaded were not clean for a very long time.

This is all very unfortunate, but the general feeling in the broader open source community is that this was a sharp lesson in what not to do with handling software downloads. To their credit, the Unreal team owned up to their mistakes.


BTW, the means that the way the Unreal3.2.8.1.tar.gz file was distributed, (that is a unsigned binary file which one was supposed to just download from a website and install without checking) ... is far more reminiscent of the typical means of installing Windows applications on users systems.

This is the way that Windows systems often handle software downloads. An example of what not to do.

I'd bet that the malware authors were rubbing their hands in glee when they found this one.

Edited 2010-06-15 04:56 UTC

Reply Score: 4