Trojan horses plague open source

The three most commonly used packages affected were Sendmail, OpenSSH and tcpdump/libpcap. Others to be modified included BitchX, a chat client, and Fragrouter, a network security tool.

In all of these cases, the unknown cracker gained entry to the relevant download sites and embedded the back door code in the installation packages.

Adam Pointon, a Melbourne based security consultant, says that most of these modifications were not noticed for several days.

"In the case of Sendmail, the administrators didn't pick up the compromise until nine days after the fact." he said.

But Pointon says that using open source software is often less risky than using pre-compiled, or "closed source" software because users who download open source packages can very easily verify their authenticity through a mathematical process known as an md5 checksum.

An md5 checksum is basically a fingerprint of a file. A mathematical operation is performed on the relevant file that will generate a unique 32 byte number. If a single bit is changed in that file, the number that the md5 utility spits out will be completely different.

This means that it is quite easy to detect modifications in software by comparing the md5 value of the downloaded installation package to a "known good", or genuine, checksum value.

"Administrators who installed the affected packages without verifying them first were being lazy." said Pointon.

The md5 values are usually stored on the download site as well as a few others, just to be sure. One of the alternative sites that hosts md5's for Sendmail, on a Northern Illinois University page, explains the logic well:

"This page is not automatically copied from the sendmail.org site. This makes it relatively unlikely that an intruder could break into both the sendmail site and this site, and install the same bogus MD5 checksums in both places."

The motives for the Trojans are unclear. Some are speculating that a group black-hat hackers are using the Trojan technique to target high-profile security related sites. They might "get lucky" if the administrators of these sites installs a tainted package.

The Trojan itself works by connecting back to a specific server upon activation, a subtle yet effective technique.

The Trojans have given open source products a bad rap in some circles. It seems that many don't understand that by following best practices it's possible to avoid being affected by these types of issues.

According to CERT the delivery mechanisms that have been established to distribute open-source software are quite robust if administrators follow some simple rules, like checking md5's.

CERT has even produced a guide to verifying software.

"When downloading software from online repositories, it is important to consider the possibility that the site has been compromised."

But the guide also point out that "There are ways that software publishers and distributors can provide verification of the authenticity of their software."