Linked by Jordan Spencer Cunningham on Mon 14th Jun 2010 23:58 UTC
Bugs & Viruses Recently, the Linux version of UnrealIRCd was discovered to have had a Trojan worm its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan's been holding open the backdoor in the source code since November of 2009-- not very recently. And, of course, bloggers and press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don't really exist.
Thread beginning with comment 430281
To view parent comment, click here.
To read all comments associated with this story, please click here.
saynte
Member since:
2007-12-10

Sorry, but Aristocracies is absolutely right. He has provided data to back-up the claim that the daemon is popular in its field, and (as he stated) even if the numbers of servers aren't large, the clients would be more considerable (Wikipedia has some estimate of a half-million IRC clients).

He is also correct that you went off on several tangents unrelated to the topic of potential impact of this vulnerability, calling IRC obscure, anyone who installed this incompetent, a few guesses based on total IP space, etc.

Your argument is appears incredibly weak compared to his, you may want to stop discussing this if you can't produce better formed responses that are actually on-topic.

Reply Parent Score: 1

lemur2 Member since:
2007-02-17

Sorry, but Aristocracies is absolutely right. He has provided data to back-up the claim that the daemon is popular in its field, and (as he stated) even if the numbers of servers aren't large, the clients would be more considerable (Wikipedia has some estimate of a half-million IRC clients).

He is also correct that you went off on several tangents unrelated to the topic of potential impact of this vulnerability, calling IRC obscure, anyone who installed this incompetent, a few guesses based on total IP space, etc.

Your argument is appears incredibly weak compared to his, you may want to stop discussing this if you can't produce better formed responses that are actually on-topic.


Aristocracies is the one who went of on the tangent. It was his whole point that this IRC server daemon was somehow in his view not an obscure application, when clearly it is. It could scarcely be more obscure. Even though there is a Linux version, it is included in no Linux distribution repositories at all. I merely mentioned this in passing.

Furthermore, it truly is incompetent, both of the application authors and of anyone who installed it, to have been caught out by this trojan. There was totally no need to have been so caught out, since there are a number of means readily available to distribute Linux applications securely, so that trojans cannot get a look in. Signing the package is a very obvious thing to have done, but these developers failed to do even that. The developers even admitted to being very embarrassed by their utter lack of even the simplest security measures.

Anyone who had even the vaguest understanding of normal methods of distribution of Linux software should not have touched this particular package with a ten foot barge pole.

Unsigned binary packages simply downloaded from a server and manually installed is the absolutely classic vector for trojan horse malware injection.

http://en.wikipedia.org/wiki/Trojan_horse_%28computing%29
Trojan horses can be installed through the following methods:
* Software downloads (e.g., a Trojan horse included as part of a software application downloaded from a file sharing network)


I'm sorry, but this is in the very first page of security 101 for dummies ... don't do this. Don't do unsigned binary installation packages. Refuse point blank to ever install such things.

Edited 2010-06-16 11:51 UTC

Reply Parent Score: 2

saynte Member since:
2007-12-10

I don't see how this is obscure. Your own Wikipedia link states that the top 100 IRC servers alone host over a half million users at a time. With at least a half-million users, how can it be so obscure? Clearly a vulnerability to the servers translates to a problem for the clients.

Reply Parent Score: 1

Aristocracies Member since:
2010-06-15

You still haven't grasped the fact that this trojan wasn't in an executable binary. None of the provided executable binaries were infected, in fact, they only provide a Windows binary. Someone had replaced the source tarball with one that had the backdoor in the source code itself. This allowed anyone who built the daemon to have anyone connected to the IRC service execute arbitrary commands as the user the daemon ran as. The potential for abuse there if one was motivated is mindboggling, since it'd be trivial to take control of the entire service from that point.

Anyone who downloaded this and compiled it had an issue. In fact, all the fix scripts for this are simply cleaning a header file, then you have to recompile. Or you could just grab a known clean tarball now and check against the provided hashes.

Sure, they should have been doing more and in fact, now are. But you're still a crazed autistic who can't be bothered to read anything to get his facts straight. I'm sure your reply will be more drivel attacking the Unreal team and then some further distractions like 'hurr tarballs are binaries too', all of which you're throwing forth because someone wrote a mean article about your preferred OS, even if no one in their right mind would take said article seriously. ;)

Edited 2010-06-16 19:17 UTC

Reply Parent Score: 1