Unreal IRC server carries trojan... on Linux, for 8 months

On one of the mirror servers, the distribution package Unreal3.2.8.1.tar.gz had been replaced with a hacked version that introduced a backdoor for root access. Nobody ever thought to check the code for unauthorized changes… and so the hacked file remained on the server for at least eight months. It’s unclear whether there are a bunch of compromised Linux systems out right now; hopefully, some users were smart enough to check the MD5 sum.

Ed Bott can barely contain his gloating.

There goes a man with no knowledge of history.

Here’s the original advisory.

You know what shits me about this? This part:

Obviously, this is a very serious issue, and we’re taking precautions so this will never happen again, and if it somehow does that it will be noticed quickly.
We will also re-implement PGP/GPG signing of releases. Even though in practice (very) few people verify files, it will still be useful for those people who do.

If one person checked the signature in December, the problem would have been instantly fixed. You don’t need everyone to check the signature, you just need one.
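As an added example (not code from this post, from UnrealIRCd or from Gentoo): a manifest-style integrity check of the kind that lets a single downstream verifier catch a tampered release tarball. The DIST line shape, the algorithm list and the sample bytes are constructed assumptions; the real release digests are not on this page.

```python
"""Added example: verify a release file against a published manifest.
Constructed stand-in for the kind of check a packager can run before
building a tarball; not the post's, UnrealIRCd's or Gentoo's own code."""
import hashlib
import hmac

# Assumed line shape: DIST <file> <size> <ALGO> <hex> [<ALGO> <hex> ...]
def parse_manifest(text):
    """Return {filename: (size, {algo: hexdigest})} from well-formed DIST lines."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "DIST" or len(parts) % 2 != 1:
            continue  # ignore anything that is not a complete DIST line
        name, size = parts[1], int(parts[2])
        digests = {parts[i].lower(): parts[i + 1].lower()
                   for i in range(3, len(parts), 2)}
        entries[name] = (size, digests)
    return entries

def verify_blob(name, data, manifest):
    """Check size and every listed digest; return (ok, reason)."""
    if name not in manifest:
        return False, "no manifest entry"
    size, digests = manifest[name]
    if len(data) != size:
        return False, "size mismatch"
    for algo, expected in digests.items():
        actual = hashlib.new(algo, data).hexdigest()
        if not hmac.compare_digest(actual, expected):  # constant-time compare
            return False, f"{algo} mismatch"
    return True, "ok"

def make_manifest_line(name, data, algos=("sha256", "sha512")):
    """Upstream side: publish size and digests for one release file."""
    parts = ["DIST", name, str(len(data))]
    for algo in algos:
        parts += [algo.upper(), hashlib.new(algo, data).hexdigest()]
    return " ".join(parts)

# Constructed sample bytes: a stand-in for the tarball and a same-size edit
# that flips one word, the sort of subtle change a size check alone misses.
CLEAN = b"constructed stand-in for Unreal3.2.8.1.tar.gz: on magic prefix -> deny\n"
TAMPERED = CLEAN.replace(b"deny", b"exec")
MANIFEST = parse_manifest(make_manifest_line("Unreal3.2.8.1.tar.gz", CLEAN))

def demo():
    """Verify the clean copy and the tampered copy against the manifest."""
    return (verify_blob("Unreal3.2.8.1.tar.gz", CLEAN, MANIFEST),
            verify_blob("Unreal3.2.8.1.tar.gz", TAMPERED, MANIFEST))

if __name__ == "__main__":
    print(demo())
```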

You know I’d be surprised if a virus scanner picked this up. Did he even check out what the modification did?

Yeah, I’m not sure if he knows something I don’t or if he’s just guessing. Perhaps this code modification introduced a type of backdoor that was already known?

When I read articles by people like Ed Bott I can’t help but wonder if their knowledge of these issues is really so vague or if they are just writing down to their audience. Then I get to thinking that every article I read about a subject upon which I’m not intimately familiar with may be likewise stupid (if not just simply wrong) to those who are… then I shrug and eat a cookie.

Augh, that article was just filled with stupid. The code didn’t contain any known “trojan”. It was just a few lines of custom code that executed raw messages with a certain prefix as system commands. There’s no way any virus scanner would have picked this up.

The real reason why Windows versions were not targeted is that no relevant network uses Windows ircd servers.

Yes… there goes the monopoly. Also, I just cooked myself a hamburger at home, so look out, McDonalds!

Update: Turns out the trojaned build was even included in an official Linux distribution, namely Gentoo. Whoops!

Can you stop linking to Ed Bott’s articles!

No way, Ed Bott is awesome!

Anyone citing the need for virus scanning software as a virtue of windows is a moron.

That’s a moronic misinterpretation of what Ed Bott wrote.

A similarly infected Windows file in the wild would be detected within days if not hours after a routine virus scan by someone checking the download before installing it.

Is that guy really that clueless or is he just trolling?
It took the Gentoo Security guys 8 hours to fix this after upstream announced that there was a back door, 4 hours before the Ed Bott article was published and ~24 hours before the OMG GENTOO SHIPPED IT update. I also like how he deliberately omits the fact that Windows binaries compiled from source are affected too and that this is apparently a Linux issue when UnrealIRCD runs on lots of different operating systems.

Looks like you missed the fact that the Gentoo stuff was added as an update to the original article. Looks like you also missed the fact that the original article referred to an UnrealIRC infection that lingered for eight months. That’s what this passage is referring to.

My point is that no virus scanner’s heuristics would pick up something like this, a routine virus scan after downloading might catch a legit program bundled with known MyLittleTrojanKit but not a subtle change in functionality.
This is an UnrealIRCD and hardly a “Linux” or Gentoo fuckup and it only took months to discover because they did not sign their source tarballs in the past.

The other thing to bear in mind is this: Gentoo isn’t exactly mainstream and it’s not a distribution in the traditional sense.

No, that wasn’t your point… you simply misread the article. Your new point is very likely correct, however.

This is an UnrealIRCD and hardly a “Linux” or Gentoo fuckup and it only took months to discover because they did not sign their source tarballs in the past.

Ah, but the contaminated version could slip into Gentoo because nobody downstream of Unreal IRC thought to check the MD5 sums, either! How many other distributions are happy to add any old software without verification? That’s a great way to spread viruses.

That’s good to know, because all hell would break loose if such a trojan slipped into a distribution that manufacturers put on netbooks – devices that people might use for sensitive stuff like online banking because they assume Linux is secure. Ed Bott seems to think the negligence that came to light here is widespread in the Linux community; we better hope he’s wrong there because otherwise there’s a disaster waiting to happen.

So is shipping USB storage devices from the factory with viruses pre-installed. What’s your point?

People with netbooks wouldn’t be running IRC servers. They wouldn’t be running servers at all, and in every distribution I can think of for netbooks, by default they would be running a firewall. Take your scaremongering and FUD elsewhere please, it’s insulting to people who actually know stuff about computers.

That both are bad things?

People with netbooks wouldn’t be running IRC servers. They wouldn’t be running servers at all, and in every distribution I can think of for netbooks, by default they would be running a firewall.

So you think the only possible way to introduce trojans is in IRC servers? What?

Take your scaremongering and FUD elsewhere please, it’s insulting to people who actually know stuff about computers.

I presume that doesn’t include you, as you just sound like an angry Linux fanboy here.

If only they were running Norton AntivirusWorks Complete 360.