Linked by Jordan Spencer Cunningham on Mon 14th Jun 2010 23:58 UTC
Bugs & Viruses Recently, the Linux version of UnrealIRCd was discovered to have had a Trojan worm its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan's been holding open the backdoor in the source code since November of 2009-- not very recently. And, of course, bloggers and press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don't really exist.
Thread beginning with comment 430383
To view parent comment, click here.
To read all comments associated with this story, please click here.
Aristocracies
Member since:
2010-06-15

You still haven't grasped the fact that this trojan wasn't in an executable binary. None of the provided executable binaries were infected, in fact, they only provide a Windows binary. Someone had replaced the source tarball with one that had the backdoor in the source code itself. This allowed anyone who built the daemon to have anyone connected to the IRC service execute arbitrary commands as the user the daemon ran as. The potential for abuse there if one was motivated is mindboggling, since it'd be trivial to take control of the entire service from that point.

Anyone who downloaded this and compiled it had an issue. In fact, all the fix scripts for this are simply cleaning a header file, then you have to recompile. Or you could just grab a known clean tarball now and check against the provided hashes.

Sure, they should have been doing more and in fact, now are. But you're still a crazed autistic who can't be bothered to read anything to get his facts straight. I'm sure your reply will be more drivel attacking the Unreal team and then some further distractions like 'hurr tarballs are binaries too', all of which you're throwing forth because someone wrote a mean article about your preferred OS, even if no one in their right mind would take said article seriously. ;)

Edited 2010-06-16 19:17 UTC

Reply Parent Score: 1

lemur2 Member since:
2007-02-17

You still haven't grasped the fact that this trojan wasn't in an executable binary.


Correct. It was in an unsigned binary file, which was a tarball of the application source code. What exactly was it that you contend that I did not grasp?

None of the provided executable binaries were infected, in fact, they only provide a Windows binary. Someone had replaced the source tarball with one that had the backdoor in the source code itself. This allowed anyone who built the daemon to have anyone connected to the IRC service execute arbitrary commands as the user the daemon ran as.


Exactly. This is a classic trojan horse. Where did I say anything different? (PS: a tarball is a binary file, it is not a plain text file, although it can contain plain text files).

The potential for abuse there if one was motivated is mindboggling, since it'd be trivial to take control of the entire service from that point.


For up to the Linux subset of some 800 IRC server machines, of all the machines on the entire Internet. Obscure.

Anyone who downloaded this and compiled it had an issue.


And ran it. Apparently this could amount to maybe 300 machines, perhaps.

In fact, all the fix scripts for this are simply cleaning a header file, then you have to recompile. Or you could just grab a known clean tarball now and check against the provided hashes. Sure, they should have been doing more and in fact, now are.


Now that they are using standard practice, the trojan is no more. Agreed.

But you're still a crazed autistic who can't be bothered to read anything to get his facts straight. I'm sure your reply will be more drivel attacking the Unreal team and then some further distractions like 'hurr tarballs are binaries too', all of which you're throwing forth because someone wrote a mean article about your preferred OS, even if no one in their right mind would take said article seriously. ;)


Sigh!

Oh dear oh dear. Tarballs are indeed binaries. Type "cat name-of-tarball.tgz" at a command prompt and see for yourself.

In order to avoid trojans, standard practice to distribute tarballs of software source code is to provide checksums and a PGP/GPG signature along with the tarball.

Like so:
http://www.ffmpeg.org/download.html
(Provides a source tarball, MD5 and SHA1 checksums, and a PGP signature).

UnRealIRC failed to do this simple thing, which is accepted standard practice. I'm afraid that under any viewpoint at all, that makes them incompetent. Likewise for anyone who accpeted their unsigned file and put it in their distribution, namely Gentoo and Arch Community repo.

Following accepted standard practice, which is very simple to do, would have avaoided this breach of security entirely. There is no excuse, really.

Reply Parent Score: 2

lemur2 Member since:
2007-02-17

For up to the Linux subset of some 800 IRC server machines, of all the machines on the entire Internet. Obscure.

Anyone who downloaded this and compiled it had an issue.


And ran it. Apparently this could amount to maybe 300 machines, perhaps.


Hmmmm, I think I need to reconsider this. Apparently only Gentoo and Arch Community repositories had this problem. That would mean that of the 800 IRC server machines Running UnrealIRC, perhaps only a dozen or so were running Gentoo or Arch (both of which are very minor independent Linux distributions).

Extremely obscure.

Edited 2010-06-17 00:47 UTC

Reply Parent Score: 2