Linked by Jordan Spencer Cunningham on Mon 14th Jun 2010 23:58 UTC
Bugs & Viruses Recently, the Linux version of UnrealIRCd was discovered to have had a Trojan worm its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan has been holding open the backdoor in the source code since November of 2009, which is not very recent at all. And, of course, bloggers and the press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don't really exist.
Thread beginning with comment 430115
Without even reading other comments
by sbenitezb on Tue 15th Jun 2010 13:09 UTC
sbenitezb Member since:
2005-07-22

what does this have to do with Linux/*BSD/etc?

Reply Score: 2

lemur2 Member since:
2007-02-17

what does this have to do with Linux/*BSD/etc?


Not a lot.

UnrealIRCd is an open source, multi-platform, relatively obscure (on Linux) IRC server program.

http://en.wikipedia.org/wiki/UnrealIRCd

Someone found out that the distribution method for the Linux version of this particular program was the same as for other platforms ... it is distributed for Linux via an unsigned binary file.

Someone decided to attach a trojan to the binary file and replace the original Linux distribution file with the trojan-infected file for Linux on some of the UnrealIRCd mirrors, where it went undetected for a lengthy period.

As anyone knows, distributing unchecked binary files is a perfect vehicle for disseminating trojans. It was apparently on someone's agenda to illustrate that this is just as true for a Linux version of an application as it is for any other OS.

Edited 2010-06-15 13:23 UTC

Reply Parent Score: 2

ba1l Member since:
2007-09-08

Yeah, this can (and does) happen with Windows software as well. It's really a problem with the "run random files downloaded off the Internet" distribution model, rather than any particular OS.

This is yet another reason we shouldn't trust this way of distributing applications. Too dangerous.

Obviously, anyone distributing source code should sign the packages, to make sure they haven't been tampered with. Most end-users won't check them, but package maintainers certainly will. That'd at least prevent a trojaned version of an application from getting into a distribution's repository.

The more interesting question is this - is there some way to safely run random applications downloaded off the 'net?

Sticking purely to a distribution's package collection is (normally - see above) much safer, since all packages in most distributions are signed. It's just sometimes not enough.

Ubuntu's PPAs go some of the way towards fixing this. As long as you install the package signing key correctly, you can be sure that the packages haven't been modified. Doesn't protect you from deliberate attacks though - PPAs can contain just about anything, and how do you know if you can trust the PPA owner?

What you really need is some way to restrict what a PPA can do, and to sandbox all of the applications inside it. Lock them down (Linux already has all the infrastructure required to do this), isolate them from each other, and come up with a way to add permissions if required, ideally in a way that's transparent to the end user (so if it needs filesystem access, you can see that and decide for yourself if you trust it).

Reply Parent Score: 2
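The comment above argues that release files should be signed so that a tampered copy on a mirror is caught before anyone installs it. The following is an added example, not code from the thread or from the UnrealIRCd project: it builds a SHA256SUMS-style manifest on the maintainer side and checks a downloaded copy against it, the way a package maintainer would before importing a tarball. The file name and contents are constructed placeholders. The manifest must arrive over a channel the mirror cannot alter (for instance a maintainer-signed file, or checksums published on the project's own site), otherwise a hash fetched from the same compromised mirror proves nothing.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(files: dict) -> str:
    """Maintainer side: emit '<sha256>  <name>' lines for the pristine release files."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in files.items())


def parse_manifest(text: str) -> dict:
    """Parse SHA256SUMS-style lines; blank lines and '#' comments are ignored."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries


def verify_download(manifest_text: str, name: str, data: bytes) -> str:
    """Return 'ok', 'MISMATCH' or 'UNLISTED' for one downloaded file."""
    entries = parse_manifest(manifest_text)
    if name not in entries:
        return "UNLISTED"          # no trusted reference exists: do not install
    if hmac.compare_digest(entries[name], sha256_hex(data)):
        return "ok"
    return "MISMATCH"              # mirror copy differs from what the maintainers built


# Constructed sample: the pristine tarball as the maintainers built it (placeholder name) ...
PRISTINE = {"example-ircd-3.2.tar.gz": b"\x1f\x8b pristine release bytes"}
MANIFEST = make_manifest(PRISTINE)
# ... and a mirror copy with extra bytes appended, standing in for a trojaned build.
MIRROR_COPY = PRISTINE["example-ircd-3.2.tar.gz"] + b"\x00injected"

if __name__ == "__main__":
    print(verify_download(MANIFEST, "example-ircd-3.2.tar.gz", PRISTINE["example-ircd-3.2.tar.gz"]))
    print(verify_download(MANIFEST, "example-ircd-3.2.tar.gz", MIRROR_COPY))
```

A real deployment would verify the manifest's detached signature (for example with gpg) before trusting its contents; the hash check alone only detects mirror tampering once the manifest itself is trusted.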

lemur2 Member since:
2007-02-17

what does this have to do with Linux/*BSD/etc?


Here you go, read a quick summary:
http://www.itworld.com/security/110942/linux-secure-ever?source=sml...

Here's what really happened. UnrealIRCd, a rather obscure open-source IRC (Internet Relay Chat) server, wasn't so much hacked as the program it was letting people download had been replaced by one with a built-in security hole.

...

So what does that mean? First, there's no new, or old for that matter, security hole in Linux at all. What happened was that this one group let someone replace the program they were shipping with one that had been deliberately designed to let other people into it to run commands on your Linux computer.

There's nothing too surprising about this. Historically, IRC, which is sort of a CB radio of instant messaging services, has always had one major security problem after another. Indeed, IRC has often been used in the past to run Windows botnets. I strongly suspect whoever replaced the UnrealIRCd has been using it for running Windows botnets.

...

Let me spell it out for you. Even before this latest fiasco, no one who cares about security was letting IRC clients or servers run on their systems. It's always been too easy to abuse.

In this particular case, the group behind UnrealIRCd were just dumb about tracking their own program. Clearly, they never bothered to check their own code. The users, by virtue of the fact that they were running IRC in the first place, don't get any prizes for being bright either. After all, they were running IRC: Case closed.

Reply Parent Score: 2