Recently, the Linux version of UnrealIRCd was discovered to contain a Trojan that had wormed its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan has been holding open the backdoor in the source code since November of 2009, which is not very recent at all. And, of course, bloggers and the press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don’t really exist.
The Trojan Trouble
The folks behind Unreal IRC issued a statement on the UnrealIRCd forum:
This is very embarrassing…
We found out that the Unreal126.96.36.199.tar.gz file on our mirrors has been replaced quite a while ago with a version with a backdoor (trojan) in it.
This backdoor allows a person to execute ANY command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user restrictions (so even if you have passworded server or hub that doesn’t allow any users in).
It appears the replacement of the .tar.gz occurred in November 2009 (at least on some mirrors). It seems nobody noticed it until now.
Obviously, this is a very serious issue, and we’re taking precautions so this will never happen again, and if it somehow does that it will be noticed quickly.
We will also re-implement PGP/GPG signing of releases. Even though in practice (very) few people verify files, it will still be useful for those people who do.
Later, UnrealIRCd administrator Syzop posted an announcement on the main UnrealIRCd site stating that many new measures are being put into place to keep something like this from happening again (or if it does happen, to bring the malware to light much sooner). Aside from all releases being PGP/GPG-signed, the main site will be isolated from the others, some parts of the main site will be unmodifiable by anyone, several methods have been added to detect if any data is modified or switched, and files will only be available at the main site (for now). In addition, Syzop also mentioned that several other methods of protection have been established, though it’s understandable as to why he did not give any details as to what they were.
It’s unfortunate and embarrassing that a backdoor was left open for so long in any software no matter which platform it runs on, but it sounds as if the UnrealIRCd team has learned from this mistake and will hopefully avoid anything similar in the future. Hopefully other developers can learn and avoid a similar mistake, too. At any rate, the current Linux release of UnrealIRCd is now clean and safe to install and use.
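The signed releases and modification checks described above only help when someone actually runs them against the copies the mirrors serve. As an added example (not UnrealIRCd's own tooling and not part of the original post), these shell functions compare mirror copies of a release against a reference SHA-256 and check a detached GPG signature against a pinned fingerprint; the use of SHA-256, the file names and the sample data are assumptions.

```shell
#!/bin/sh
# Added example, not UnrealIRCd's own tooling. Assumes the reference digest and
# the signer's fingerprint were obtained from a channel you trust, never from
# the mirror being checked. All file names and sample data are constructed.

sha256_of() {  # print the SHA-256 of file $1 as lowercase hex
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1
    fi
}

# audit_mirrors <reference-sha256> <copy>...
# Prints OK / MISMATCH / MISSING per copy; returns 0 only if every copy matches.
audit_mirrors() {
    ref=$(printf '%s' "$1" | tr 'A-F' 'a-f'); shift
    bad=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "MISSING  $f"; bad=$((bad + 1)); continue
        fi
        got=$(sha256_of "$f")
        if [ "$got" = "$ref" ]; then
            echo "OK       $f"
        else
            echo "MISMATCH $f sha256=$got"; bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# check_sig <file> <detached-sig> <fingerprint: 40 uppercase hex, no spaces>
# Succeeds only if the signature is valid AND was made by the pinned signing key.
check_sig() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        grep -qF "[GNUPG:] VALIDSIG $3 "
}

demo() {  # constructed data: mirror-b was altered, mirror-c does not exist
    d=$(mktemp -d) || return 2
    printf 'release contents\n' > "$d/main.tar.gz"
    cp "$d/main.tar.gz" "$d/mirror-a.tar.gz"
    printf 'release contents\nextra line\n' > "$d/mirror-b.tar.gz"
    rc=0
    audit_mirrors "$(sha256_of "$d/main.tar.gz")" \
        "$d/mirror-a.tar.gz" "$d/mirror-b.tar.gz" "$d/mirror-c.tar.gz" || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Source the file and run `demo` to see one OK, one MISMATCH and one MISSING line; `check_sig` fails closed when the signing key is not in the local keyring.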
News Flash: Linux Is Now Wicked!
It was apparent that this was going to happen because it’s happened in the past, but the press is taking advantage of this insecurity in a Linux app to harp on and on about the supposed degradation of Linux security. We’ve all heard it before: “Windows didn’t get this virus! That means Linux is wicked! Linux is getting more and more viruses these days, and Windows is getting better security. Does this mean that Linux now requires antivirus software just like Windows?” It goes on. I’m not putting down Windows or Linux (I use Windows mainly myself), but comparing Linux to Windows in terms of security is a joke no matter how much better Windows security has gotten with recent releases.
The real issue here is that bloggers and the press are jumping on this security problem pointing fingers specifically at Linux, when in reality Linux has little to do with this Trojan; the problem is really UnrealIRCd’s. This security issue shouldn’t even be front-page news, but I’m putting it here in a sort of challenge to the rest of the media and to set anyone straight on the matter. Syzop himself, our friend from earlier, states it perfectly:
On an unrelated side note, I find the claims in various media that this security incident indicates that Linux and Open Source cannot be trusted and that Microsoft and closed-software is better really silly. It lacks any foundation. A hacker, once in, could just as easily have inserted the backdoor in Windows software. In fact, it is *THANKS* to it being Open Source that this backdoor got noticed, though – I fully agree – much too late.
No operating system, and no software for that matter, is completely invulnerable, no matter how many brick walls get built around it. Breaches in Linux security are going to happen from time to time, and this wasn’t necessarily a breach in Linux security, as I already stated; this is a breach in UnrealIRCd security. I think I can safely classify bloggers saying that this is a Linux problem into one of three areas:
- They want to create more hype than is actually there, thus bringing more attraction to their websites or their person
- They really don’t like Linux and/or open-source
- They don’t know what the heck they’re talking about
What do you think?