Popular packet sniffing packages contaminated by Trojan
Geoff Shang
gshang at uq.net.au
Thu Nov 14 23:13:59 EST 2002
Hi:
The following story was posted to the Register at
http://www.theregister.co.uk/content/55/28105.html . Man, there are some
idiots out there.
Geoff.
Popular packet sniffing packages contaminated by Trojan
By [39]John Leyden
Posted: 14/11/2002 at 16:43 GMT
Users are warned to be vigilant after trojanised versions of popular
packet sniffing packages were posted on well known download sites.
A [40]detailed alert from members of the Houston Linux users group
warns that trojanised versions of Libpcap, used as a packet sniffing
library in programs like Snort (the open source IDS package), and
Tcpdump have been posted on Tcpdump.org. These contaminated packages
have also found their way onto many mirror sites, such as
Wiretapped.net
.
The trojan contains modifications to the configure script for both
packages. It also alters gencode.c in libpcap only.
Russ Spooner, of network security specialists Interrorem, told us that
the warning is genuine and affects a wide range of widely used
programmes.
"Libpcap is massively used across a wide range of platforms, programs
such as ethereal use it, and of course tcpdump," he told us. "If Snort
(one of the best IDS out there) is built against a trojanised lipcap,
then obviously that would become vulnerable too".
"Even "hacking" tools like ettercap would be vulnerable to compromise
with this, he added.
There is an important mitigating factor, however.
The backdoor component of the trojan tries to connect to a specific
host (mars.raketti.net), and as such fail to open compromised systems
to world+dog.
Sponner advises that, as a precaution, people should downgrade their
libpcap to a trusted
version and be cautious of statically compiled pcap based programs.
These programmes should be run in a sandbox to make sure they are not
trying to connect to the mars.raketti.net server.
Posting version of popular applications contaminated with trojan code
has become a popular tactic among denizens in the digital underground.
In October a trojanised version of Sendmail was found circulating the
Internet. Experts later noted the marked similarities between this
trojan to a backdoor planted in OpenSSH in late July. ®
Related Stories
[41]Trojanized Sendmail distro circulated
[42]Sendmail Trojan looks familiar
[43]OpenSSH trojaned!
References
39. mailto:john.leyden at theregister.co.uk
40. http://hlug.fscker.com/
41. http://www.theregister.co.uk/content/55/27511.html
42. http://www.theregister.co.uk/content/55/27554.html
43. http://www.theregister.co.uk/content/archive/26492.html
More information about the Speakup
mailing list