trojan code in tcpdump/libpcap



debs (et al.),

apparently, there's trojan code in
tcpdump & libpcap.

woody is okay, right?  but those apps
in sarge/sid could be affected?

(i'm just the curious messenger.)

b.

att.

//
INFORMATION ALERT


AN EMERGING ISSUE WITH:
TROJAN CODE PLANTED IN TCPDUMP AND LIBPCAP


SEVERITY:
Medium

DATE:
November 14, 2002


---------------------------------------------------------------

For an easier-to-read HTML version of this article, go to:
https://www3.watchguard.com/archive/showhtml.asp?pack=135225

---------------------------------------------------------------


SUMMARY:

On November 13, members of the Houston Linux User Group (HLUG)
reported that some copies of the popular Linux packet sniffing
program, tcpdump, as well as a popular Linux packet sniffing
library, libpcap, contain Trojan horses. If you recently downloaded
and compiled either tcpdump or libpcap from the altered source code,
a hacker could gain complete control of your system and
simultaneously render his activity invisible. There is no direct
impact on WatchGuard products. Administrators who have recently
installed tcpdump or libpcap should reboot their machines and verify
the integrity of these applications.


EXPOSURE:

Tcpdump is a very popular Linux packet sniffer application
<http://www.webopedia.com/TERM/s/sniffer.html> used to monitor
network traffic. Libpcap is a popular library of functions
<https://www3.watchguard.com/archive/images/lsglossary.htm#function>
used by many network applications that need to "sniff" network
traffic such as tcpdump, Snort and Ethereal. If you capture network
traffic on a Linux machine you probably use either tcpdump or the
libpcap library.

According to members of the Houston Linux User Group (HLUG)
<http://www.hlug.org/>, the tcpdump and libpcap source archives on
the official tcpdump site <http://tcpdump.org> have been replaced
with copies that contain a Trojan. The infected archives have also
propagated to many official mirror sites. According to an advisory
released by CERT <http://www.cert.org/advisories/CA-2002-30.html>,
it appears the infected packages were uploaded to the tcpdump site
sometime on or around November 11.

When you build the infected tcpdump or libpcap package, code in the
build process (not in the finished sniffer binary) makes an outgoing
connection to a fixed remote IP address on TCP port 1963. If the
connection is successfully established, the attacker gains remote
shell <http://www.webopedia.com/TERM/s/shell.html> access to your
server. The remote shell runs with the same privileges as the user
who compiled the package. Therefore, if you compiled one of the
infected packages as root, the attacker gains full control of your
server. Because the Trojan makes an outgoing connection rather than
listening for an incoming one, it passes straight through any
firewall that does not egress-filter
<http://rr.sans.org/firewall/egress.php>.

In an interesting twist, the Trojan also patches the libpcap capture
library so that the backdoor's own traffic (its connection on TCP
port 1963) never shows up in captures. In short, any network monitor
built from the infected library is blind to the attacker; use a
sniffer built from clean sources, preferably on a separate host, when
looking for this traffic.

If this attack sounds familiar, it is. It closely resembles the
Trojans recently found in the OpenSSH and Sendmail source
distributions. In fact, the design of the Trojan suggests that all
three cases are the work of the same hacker. For more information on
those past cases see our
Information Alerts on August 1 
<https://www3.watchguard.com/archive/showhtml.asp?pack=135156>
and October 9 
<https://www3.watchguard.com/archive/showhtml.asp?pack=135200>.


SOLUTION PATH:

If you have recently built and installed the tcpdump or libpcap
packages from source, it may already be too late to protect your
server. Details on this Trojan are still emerging. However, the
previous Sendmail and OpenSSH Trojans ran only once, during the
application's build process, so rebooting removed the malicious
process from memory. We recommend you at least reboot your machine
in case the same holds for this new Trojan. After rebooting, run
"netstat -an" and look for an ESTABLISHED TCP connection whose
remote end is port 1963. If you find no such connection, the
backdoor is not currently in effect (though rebuilding from the
same infected source would start it again, and an attacker who
already had a shell may have installed something else; see the
recovery steps below).

We also recommend you uninstall tcpdump and libpcap and delete the
infected source archives and build trees. CERT provides a good
step-by-step document
<http://www.cert.org/tech_tips/win-UNIX-system_compromise.html> on
recovering from a system compromise that you should follow if you
have installed the infected tcpdump or libpcap packages.

This is a good example of why it is important to verify what you
download, whether against a PGP signature from the project or
against checksums published through a channel you trust. A PGP
signature proves who produced the file; an MD5 checksum only proves
that the file matches whatever the checksum's publisher had, so
fetch the reference sums from a source other than the mirror you
downloaded the archive from. Although it appears the infected
packages were first introduced around November 11, if you downloaded
tcpdump or libpcap in the past few weeks, we recommend you compare
your archives against the MD5 sums of the known-good and Trojaned
versions given in CERT's advisory
<http://www.cert.org/advisories/CA-2002-30.html>. For more
information on validating downloads with an MD5 checksum, see this
CERT page:
<http://www.cert.org/security-improvement/implementations/i002.01.html>.
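The two checks recommended above, the post-reboot netstat scan for a connection on TCP port 1963 and the MD5 comparison of a downloaded archive against a known-good sum, as a small POSIX shell script. This is an added example, not code from the WatchGuard alert, from CERT or from the tcpdump project. The netstat output below is constructed for illustration (198.51.100.7 is a documentation address, not the Trojan's real destination), and the expected sum used in the comments is a placeholder: the real known-good sums are the ones published in CA-2002-30.

```shell
#!/bin/sh
# Added example (not from the WatchGuard alert, CERT or tcpdump.org).
# Two checks for a host that recently built tcpdump/libpcap from source:
#   1. backdoor_connections / check_netstat: scan `netstat -an` output for
#      an established TCP connection whose remote end is port 1963, the
#      port the alert says the build-time Trojan dials out to.
#   2. verify_md5: compare a downloaded archive against a reference MD5
#      sum obtained through a trusted channel (e.g. CERT's advisory).

# Constructed sample `netstat -an` output: one SSH session plus one
# suspicious connection to a documentation address on port 1963.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.50:40112      ESTABLISHED
tcp        0      0 192.168.1.10:33245      198.51.100.7:1963       ESTABLISHED'

# Constructed sample with no backdoor connection, for comparison.
CLEAN_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.50:40112      ESTABLISHED'

# Print every established TCP (or TCP6) line whose foreign address ends in
# ":1963". Reads netstat output on stdin:  netstat -an | backdoor_connections
backdoor_connections() {
    awk '$1 ~ /^tcp/ && $5 ~ /:1963$/ && $6 == "ESTABLISHED" { print }'
}

# Return 0 if the netstat output on stdin shows no backdoor connection,
# 1 (and print the offending lines to stderr) if it shows one or more.
check_netstat() {
    hits=$(backdoor_connections)
    if [ -n "$hits" ]; then
        printf 'possible tcpdump/libpcap backdoor connection(s):\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Return 0 if FILE's MD5 sum equals EXPECTED (lower-case hex), 1 otherwise.
# Uses GNU/Linux md5sum; on BSD systems substitute `md5 -q "$file"`.
# The reference sum must come from somewhere other than the mirror the
# archive was fetched from, or a substituted archive and a substituted
# checksum file would simply agree with each other.
verify_md5() {
    file=$1
    expected=$2
    actual=$(md5sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_NETSTAT" | check_netstat || echo "sample host: suspect"
printf '%s\n' "$CLEAN_NETSTAT"  | check_netstat && echo "clean host: no port-1963 connection"
# Real use:  netstat -an | check_netstat
#            verify_md5 tcpdump-3.7.1.tar.gz <sum from CA-2002-30>
```

Because `netstat` reads socket state from the kernel rather than through libpcap, the Trojan's capture filter does not hide the connection from it; the same is not true of a tcpdump built from the infected library.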

-- For WatchGuard Firebox and SOHO Users:

Since the WatchGuard SOHO and Firebox allow all outgoing connections
by default, the solutions above are your primary recourse. However,
you can use the Firebox or SOHO to block outgoing connections to
TCP port 1963 and prevent this particular backdoor from phoning home
in the future. Note that this stops only a Trojan that uses port
1963; a default-deny outbound policy that permits only the services
your hosts legitimately need is the general defense against this
class of attack.

--For ServerLock and AppLock/Web Users:

This Trojan primarily affects Linux systems. However, it is
possible to compile these applications on a Solaris system as well.
ServerLock for Solaris was specifically designed to protect against
the damage caused by unauthorized users who might gain root
privileges via a vulnerability of this nature. While ServerLock does
not prevent this Trojan, it does protect core Solaris system files
from corruption or modification, regardless of user privileges.


STATUS:

There is no official word from Tcpdump.org yet.


DIRECT IMPACT ON WATCHGUARD PRODUCTS:

None.


IMPACT ON NETWORKS PROTECTED BY WATCHGUARD PRODUCTS:

If you have recently downloaded tcpdump or libpcap from tcpdump.org
or one of its mirrors, you are susceptible to an attacker gaining
total control of your machine.


REFERENCES:

Net-Security's story on this Trojan
<http://www.net-security.org/news.php?id=1436>

Information from the Houston Linux Users Group on this Trojan
<http://151.164.128.17/def-con/>

CERT's advisory
<http://www.cert.org/advisories/CA-2002-30.html>

TISC editorial, "The Importance of Egress Filtering"
<https://www3.watchguard.com/archive/showhtml.asp?pack=135208>


This alert was researched and written by Corey Nachreiner.


------------------------------------------------------
Copyright 2002 WatchGuard Technologies, Incorporated. All
Rights Reserved. WatchGuard, LiveSecurity, Firebox and
ServerLock are registered trademarks or trademarks of
WatchGuard Technologies, Inc. in the United States and/or
other countries. All other trademarks are the property of
their respective owners.

You may not modify, reproduce, republish, post, transmit
or distribute this content except as expressly permitted
in writing by WatchGuard Technologies, Inc.

======================================================