Trojan horses plague open source

At least three commonly used open source software packages were altered by black-hat (bad-guy) hackers to contain "Trojan horse" code this year.

The three most commonly used packages affected were Sendmail, OpenSSH and tcpdump/libpcap. Others to be modified included BitchX, a chat client, and Fragrouter, a network security tool.

In each case, an unidentified intruder gained access to the relevant download site and embedded the back-door code in the distribution packages themselves, so anyone who fetched and built the software during the window also installed the back door.

Adam Pointon, a Melbourne-based security consultant, says that most of these modifications went unnoticed for several days.

"In the case of Sendmail, the administrators didn't pick up the compromise until nine days after the fact." he said.

But Pointon says that using open source software is often less risky than using pre-compiled, or "closed source", software, because users who download open source packages can easily check that what they received is genuine by computing an MD5 checksum and comparing it with the value the project publishes.

An MD5 checksum is, in effect, a fingerprint of a file. The MD5 algorithm reduces the file, whatever its size, to a fixed 128-bit value, normally written as 32 hexadecimal characters. Change a single bit anywhere in the file and the value that the md5 utility prints will be completely different.

This makes modifications to software easy to detect: compute the MD5 value of the downloaded package and compare it with a "known good", or genuine, value published for that release. The comparison is only meaningful if the reference value comes from somewhere the intruder could not also have altered.

"Administrators who installed the affected packages without verifying them first were being lazy." said Pointon.

The MD5 values are usually published on the download site and also on a few unrelated sites, just to be sure. One of the alternative sites that hosts MD5 values for Sendmail, a page at Northern Illinois University, explains the logic well:

"This page is not automatically copied from the sendmail.org site. This makes it relatively unlikely that an intruder could break into both the sendmail site and this site, and install the same bogus MD5 checksums in both places."

The motives for the Trojans are unclear. Some speculate that a group of black-hat hackers is using the Trojan technique to target high-profile security-related sites, hoping to "get lucky" if the administrators of one of those sites install a tainted package.

The Trojan itself works by connecting back to a specific server once activated, rather than listening for inbound connections: a subtle yet effective technique, since outbound connections are rarely filtered or scrutinised as closely as inbound ones.

The Trojans have given open source products a bad rap in some circles. It seems that many don't understand that by following best practices it's possible to avoid being affected by these types of issues.

According to CERT, the delivery mechanisms established to distribute open source software are quite robust, provided administrators follow some simple rules, such as checking MD5 values.

CERT has even produced a guide to verifying software.

"When downloading software from online repositories, it is important to consider the possibility that the site has been compromised."

But the guide also points out that "There are ways that software publishers and distributors can provide verification of the authenticity of their software."


Talkback 8 comments

    Most likely done by Microsoft ...Jill H. Gates III -- 24/12/02

    Most likely done by Microsoft programmers looking to save some face by trying to drag their competitors down to their level.

    Plague??? GET A GRIP... Way t ...Anonymous -- 25/12/02

    Plague??? GET A GRIP...

    Way to OVERstate reality... please show us documentation of a SINGLE person that was hurt by these isolated occurrences? Please tell us how many millions were wasted due to these problems?

    Man.. what lame writing.

    Well we move on the FUD is now ...Fred Billings -- 25/12/02

    Well, we move on; the FUD is now becoming a comedy. What next, use open source and a spaceman will kill your first born?

    I wish that Windows was plague ...Uno Engborg -- 26/12/02

    I wish that Windows was plagued just as much. Then Windows-based companies could cut down the number of sysadmins radically. And the sysadmins left would have time to deal with how to advance the system to better fit business needs instead of doing fire fighting.

    There is plague like the one in the fourteenth century, or Windows,
    and there are minor colds like the one in Windows land.

    Just how do you define plague? ...Anonymous -- 27/12/02

    Just how do you define plague? My understanding is that it is a widespread phenomenon that is dangerous or possibly deadly. The three, count them, three examples cited do not constitute anything close to a plague. If you want to report on something that is a genuine threat to today's computer users, you'll find a far richer field discussing any of the dozens of much more widespread problems that any of MS's Windows products suffer from. What you have done is merely act as an MS shill by spreading FUD concerning Open Source software.

    That said, this article does serve a useful purpose in a couple of ways. First, people that run mirror sites for popular Open Source software need to institute security procedures to try to prevent this sort of thing in the future. If nothing else it should be possible to run a daily check of MD5 checksums and compare them against known good results, flagging anything that doesn't match. Second, for users who download Open Source software always check the MD5 checksums. It doesn't take long to do and will go a long way towards guarding against problems like this.

    Just my $.02,
    Ron

    I remember when Microsoft IIS ...Anonymous -- 27/12/02

    I remember when Microsoft IIS was hit last year with the worm. My web server log filled every night with attempts at loading default.asp. My cable modem activity light would rarely pause for a full second. Thousands of compromises all over the Internet, all of the wasted bandwidth: now that's a plague. These examples are barely a sniffle.

    This article, while technically correct, is framed in such a fashion as to question the motives of the author or publisher.

    Ummm..."plague" in t ...Anonymous -- 30/12/02

    Ummm..."plague" in the headline is just what Microsoft would like to be able to quote. C'mon, Mr. Gray...ZDNet doesn't speak of IIS or other Windows Server products (notably the OS) being "plagued" with security holes, and that happens a lot more often than Free Software gets Trojaned. Can we say, SMBdie? I work for a large school system, and boy, did the server guys go nuts for a while with that one.

    The next time a Windows Server product gets cracked, will you also say that Microsoft products are "plagued" with security problems? Or is ZDNet too worried about MS pulling advertising dollars? I also question your editor's judgment here for allowing that headline, given the facts.

    The last time I heard of anything justifiably being called a "plague", it was the Bubonic (Black) Plague, which reportedly affected one in four people in Europe. Likewise, AIDS could (sadly) be called a "plague" in large parts of Africa. Three Trojan cases of Free Software is not a plague, Mr. Gray.

    Not so easy to protect yoursel ...Anonymous -- 01/01/03

    Not so easy to protect yourself. First of all, those developers/sites that do publish the MD5 sum usually publish it on the same server the files lie on. I.e., if hackers succeed in hacking into the server and replacing the files, they can just as easily change the MD5 sum displayed on the site. This means that you need to get the MD5 sum from a different site which somehow does not automatically display the MD5 sum of the trojaned files on the official server. How would that other site know which files are authentic or not? Add to that the fact that many developers neither publish the MD5 sum on their site nor sign the files.

    The only solution would be to institute some generally accepted practice of ensuring the authenticity of files. For example, every developer signing each file with a TRUSTED signature and users checking the signature before installing the software. That would make it a lot more difficult to spread trojaned software.

