Popular packet sniffing packages contaminated by Trojan

Geoff Shang gshang at uq.net.au
Thu Nov 14 23:13:59 EST 2002


Hi:

The following story was posted to the Register at
http://www.theregister.co.uk/content/55/28105.html .  Man, there are some
idiots out there.

Geoff.

   Popular packet sniffing packages contaminated by Trojan
   By [39]John Leyden
   Posted: 14/11/2002 at 16:43 GMT
   Users are warned to be vigilant after trojanised versions of popular
   packet sniffing packages were posted on well known download sites.
   A [40]detailed alert from members of the Houston Linux users group
   warns that trojanised versions of Libpcap, used as a packet sniffing
   library in programs like Snort (the open source IDS package), and
   Tcpdump have been posted on Tcpdump.org. These contaminated packages
   have also found their way onto many mirror sites, such as
   Wiretapped.net
   .
   The trojan contains modifications to the configure script for both
   packages. It also alters gencode.c in libpcap only.
   Russ Spooner, of network security specialists Interrorem, told us that
   the warning is genuine and affects a wide range of widely used
   programmes.
   "Libpcap is massively used across a wide range of platforms, programs
   such as ethereal use it, and of course tcpdump," he told us. "If Snort
   (one of the best IDS out there) is built against a trojanised lipcap,
   then obviously that would become vulnerable too".
   "Even "hacking" tools like ettercap would be vulnerable to compromise
   with this, he added.
   There is an important mitigating factor, however.
   The backdoor component of the trojan tries to connect to a specific
   host (mars.raketti.net), and as such fail to open compromised systems
   to world+dog.
   Sponner advises that, as a precaution, people should downgrade their
   libpcap to a trusted
   version and be cautious of statically compiled pcap based programs.
   These programmes should be run in a sandbox to make sure they are not
   trying to connect to the mars.raketti.net server.
   Posting version of popular applications contaminated with trojan code
   has become a popular tactic among denizens in the digital underground.
   In October a trojanised version of Sendmail was found circulating the
   Internet. Experts later noted the marked similarities between this
   trojan to a backdoor planted in OpenSSH in late July. ®
   Related Stories
   [41]Trojanized Sendmail distro circulated
   [42]Sendmail Trojan looks familiar
   [43]OpenSSH trojaned!

References

  39. mailto:john.leyden at theregister.co.uk
  40. http://hlug.fscker.com/
  41. http://www.theregister.co.uk/content/55/27511.html
  42. http://www.theregister.co.uk/content/55/27554.html
  43. http://www.theregister.co.uk/content/archive/26492.html






More information about the Speakup mailing list