Linux Trojan Avoids Detection for Almost a Year
The tech media has gone into full "told you so" mode after it was discovered that hackers managed to plant a Trojan in the popular Unreal IRC server, proving that Linux users need to worry about malware too.
"This is very embarrassing... We found that the Unreal3.2.8.1.tar.gz file on our mirrors has been replaced quite a while ago with a version with a backdoor (Trojan) in it," an announcement on the Unreal IRC forum states. "This backdoor allows a person to execute ANY command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user restrictions (so even if you have passworded server or hub that doesn't allow any users in)."
While a single outbreak doesn't constitute an insecure OS platform by any stretch of the imagination, perhaps the media has a point. The announcement goes on to state that the "replacement of the .tar.gz occurred in November 2009 (at least on some mirrors)," which means it took nearly a year for it to be noticed. What most of the write-ups are insinuating -- and we'll just come out and say it -- is that perhaps this was left unnoticed in the Linux community because of an arrogance that suggests the open source OS is impenetrable. Obviously that isn't the case, but despite reports you may read elsewhere, the opposite isn't true either -- Linux users needn't worry that the sky is falling because of one high profile outbreak.

Original Image Credit: Mono, the Trojan (softwarelive.org)
Comments
gokeefe
June 15, 2010 at 11:03pm
This is an inaccurate "issue" exaggerated by an uninformed media. This is like saying Windows is an insecure platform because Energizer's USB software had a trojan in it.
It's not Microsoft's fault Energizer is incompetent, just like it's not Linux's fault that the UnrealIRCd developers are incompetent. There has never been any question that Linux is susceptible to malware and viruses, especially when it's introduced by a piece of software considered safe. It's just always been the assumption/conclusion that Linux is "safer" by design, and harder to crack by external attackers.
roninnder
June 14, 2010 at 1:50pm
Let's see, November 2009 - June 2010 = about 7 months. I'm all for rounding up when the situation warrants, but I don't think you used the right number of significant digits in your equation.
Neufeldt2002
June 14, 2010 at 8:11am
If I can't scan for malware and what not, I don't use it. I do think Linux is designed to be more secure, but I also think that it can be broken.
tkid124
June 14, 2010 at 7:47am
Linux’s greatest security measure is that it has a very small market share, and within that market share there are dozens if not hundreds of companies making distinct OSs, and within each company they have several different releases or OSs. What goes against Linux is that many a server is running it; now if I had to choose between hacking a single server of a Fortune 500 company or a single end user’s computer I am going to choose the server. So how long will Linux be free? That depends on adoption rate more than anything, as Apple is starting to find out.
Neon Samurai
June 15, 2010 at 5:17am
Here, we're seeing a video game with limited third party developer review and non-distribution sources. It's not the same as a good server distribution with much wider used software components and trusted repositories. Get malware into Debian Stable, RHEL or similar major server distributions and then it'll be news. One also needs to look at patch times, which I'd again refer to Debian for since they run a fully transparent shop from initial report through to updated package delivery. They vet software modifications and patch submissions. Packages are run through nightly automatic builds.
Let's say it all together: obscurity is not security. It only provides a false sense of security to those who don't know much about the topic. With the development model currently in place, there is no reason not to believe that major distributions and projects will easily keep up with growing popularity as a target for blanket attacks (all platforms are already "equal opportunity" for targeted attacks).
In this case, a video game with a small user base and provided from limited distribution sources got maliciously modified. That shouldn't be news. What this more importantly demonstrates is that peer review and tighter package monitoring would have caught this as it already catches undesirable code in other projects. The reality check for this is looking at how many distributions include the video game, how they prepare it within their package management and if they are affected by the backdoor. That would actually be interesting and informative (but not sensationalized, so it won't spread about the mass media like this initial bit of information-harpies.)
Good on them for being open about the breach also. Many other companies, especially game companies, probably would have switched directly into CYA mode. These folk were honest and said "wow are we embarrassed.. ok.. here's the problem we found.."
(sorry, entire comment isn't directed at you personally. One last bit.)
As for the mass media going into "told you so" mode: it'll amuse the 14 year olds and fanboys for a while, but it's the same spin they used to fuel screen clicks and eyeballs after the Pwn2own. All the kiddies jumped up and down going "XYZ OS was first to be broken at Pwn2own so that demonstrates that it sucks" while ignoring inconvenient details like the Pwn2own rules, where the vulnerability actually was and how fast it was addressed after being reported.
Neon Samurai
June 15, 2010 at 7:40am
It was IRC server software rather than the *nix build of Unreal. Still an issue with a bit of software that runs on top of several different platforms, but not being a video game does increase the effect. I'm honest enough to admit error though. So, what distributions include this IRC software and of those, which ones were affected by the backdoor code?
(edit):
"The contaminated source files have also found their way into the Gentoo Linux distributions repositories. The Gentoo package has already been updated with a non infected version (unrealircd-3.2.8.1-r1 ebuild) and is available"
Looks like the system works and affected distributions are maintaining the usual short patch times.
techparadox
June 14, 2010 at 7:03am
If anything it was probably just lack of oversight. Group produces their program, group checks it over and finds it clean, group puts files out on their server for download, and then group moves on to producing the next version of their program. They have no reason to think that their server is going to get 0wned and their source replaced with source that has a backdoor in it, so they have no reason to go back and check their old code on the server. I read the article linked above and quite honestly I wanted to reach through my computer screen and slap the writer over at ZD. His crowing about how the Windows pre-compiled binaries weren't infected and wouldn't have lasted more than a few days in the wild if they were infected is complete Bravo-Sierra. Of course the pre-compiled binaries weren't affected, because that would have required the attackers to recompile the darned things and replace them on the server handing the files out to the public. As for virus scanners catching them on a Windows platform, I'd like to know what mythical virus scanner he's using. Sure, scanning heuristics have improved and scanners these days are more likely than ever to catch known infections, but you're lucky if even a third of the commercial-grade scanners out there can catch an infection with an unknown signature.
Regardless of that, this strikes me as much ado about nothing. The people running this IRC server will wipe their boxes and reinstall, and life will go on. One backdoor infection in a third-party program does not an epidemic of OS security holes make.
Azrael808
June 14, 2010 at 6:35am
Wow... When I first read this headline, my immediate thought was that I was going to have to spend the next few hours checking over all the machines I'm responsible for to see if they have been exploited...
However, it turns out that the vulnerability in question was in fact with a piece of open source software that could be installed on any number of platforms. At the risk of sounding like one of the "arrogant" open source proponents mentioned in the article, I don't think this shows that the Linux platform is particularly vulnerable. I guess this does serve as a wake up call to all system admins though: check package signatures before installing software off the internet, even if it's from a trusted source! :)
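The check Azrael808 recommends, as an added example that is not part of the article, the comments, or the UnrealIRCd project's own release tooling: a POSIX shell function that refuses a downloaded tarball unless its SHA-256 digest equals the one recorded in a checksum list obtained separately from the download. Only the filename Unreal3.2.8.1.tar.gz comes from the announcement; the file contents, the checksum list and the simulated mirror tampering are all constructed locally so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the article or the UnrealIRCd project.
# Verifies a downloaded release tarball against a SHA-256 checksum that was
# obtained separately from the download itself (e.g. from the project's own
# site rather than the mirror), so a tarball silently swapped on a mirror is
# rejected before anything is extracted or built.

# Print the SHA-256 hex digest of a file; falls back to shasum where GNU
# coreutils is not installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_tarball FILE SUMS
#   FILE: the downloaded tarball
#   SUMS: checksum list in "HASH  FILENAME" form (sha256sum output format)
# Returns 0 only when FILE's digest equals the digest recorded for its name;
# a missing entry counts as a failure, not a pass.
verify_tarball() {
    file="$1"
    sums="$2"
    name=$(basename "$file")
    expected=$(awk -v f="$name" '$2 == f { print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "REJECT: no checksum recorded for $name" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches the recorded checksum"
        return 0
    fi
    echo "REJECT: $name digest $actual does not match recorded $expected" >&2
    return 1
}

# Offline demonstration with constructed data: a stand-in tarball, the
# checksum a maintainer would publish for it, and then the same file after a
# simulated mirror replacement.
demo() {
    dir=$(mktemp -d)
    tarball="$dir/Unreal3.2.8.1.tar.gz"          # filename from the announcement
    printf 'constructed tarball contents\n' > "$tarball"
    # The "published" checksum list, generated here for the demo only.
    printf '%s  Unreal3.2.8.1.tar.gz\n' "$(sha256_of "$tarball")" > "$dir/SHA256SUMS"
    verify_tarball "$tarball" "$dir/SHA256SUMS"          # prints OK
    printf 'bytes appended by a tampered mirror\n' >> "$tarball"
    verify_tarball "$tarball" "$dir/SHA256SUMS" || true  # prints REJECT
    rm -rf "$dir"
}

demo
```

A checksum only helps when it is fetched from somewhere the attacker who swapped the tarball could not also edit; a SHA256SUMS file sitting on the same compromised mirror proves nothing. A detached signature checked with `gpg --verify` against a maintainer key obtained independently (and well before the download) is the stronger form of the same check, and distribution package managers do this for you, which is the point several commenters above make about packaged software versus ad-hoc tarballs.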