Linux Trojan rears its ugly head

Filed Under: Linux, Malware

UnrealIRCd logo

Next to OS X users, Linux users are the most arrogant in their perception that they are immune to malware infections. Unfortunately for them, this morning the administrators of had to post that their Unix/Linux source code had been compromised and has contained a backdoor since November of 2009.

Users of Sophos Anti-Virus are protected against the poisoned versions of this source code through our identity Troj/UnIRC-A. On Windows malware is never really delivered as source, so Linux malware presents unique challenges for anti-virus. In the Linux world, best practices by administrators are much more important.

It looks as though the download servers for UnrealIRCd were compromised and a Trojanized version of the source was placed in the main download repository. The administrators of the project admitted to several mistakes that led to the issue, as well as allowing it to pass undetected for so long.

First, the administrators were not monitoring their repository to know if it had been modified. Second, they had stopped publishing checksums. Third, the mirrors of their software also did not require checksums, so they were blindly accepting the poisoned code and passing it on to their users.

The authors are now GPG-signing their releases to allow their customers to determine the validity of an archive. The main problem with all source-based packages is that users are simply too lazy to bother to actually calculate checksums or signatures. It is not difficult, or time consuming, but situations like this occur so infrequently that we could check every checksum for five years and never run across a corrupted or malicious archive (remember foo.pad?).

When they are published, checksums are often hosted on the same system as their archives, or on a system with shared credentials. This serves almost no purpose, as Paul Ducklin and I have previously discussed.

Paul often makes the point that if you control a server well enough to place a malicious binary or source archive on it, you can also easily alter the published checksum to match your replacement copy. Perhaps the UnrealIRCd team's approach of signing rather than checksumming can thwart this in the future. That would require that they also take very good care of their signing keys and not keep them on the same host.

If you are an UnrealIRCd user, please check your tarball and ensure the md5sum is 7b741e94e867c0a7370553fd01506c66 (for version 2.8.1). The compromised version's checksum is 752e46f2d873c1679fa99de3f52a274d. Windows versions of the software were not affected by this hack. If you run Sophos Anti-Virus you can run savscan -tar -gzip Unreal3.2.8.1.tar.gz on your Linux or Unix servers to determine whether your system is using a compromised version.

Screenshot of file size and checksum

Update: We have now released detection for the compiled binaries as well as the original tarball.

Administrators take note: When a signature or checksum is provided, check it. That's why they're provided, and this is only one case among many every year. Don't fall into the trap of thinking "viruses are a Windows problem." As you can see from this incident, Linux is not immune.

Thanks to Pete from SophosLabs Australia for all the help today with analyzing this threat.

, , , ,

You might like

One Response to Linux Trojan rears its ugly head

  1. jazzyjeph · 1727 days ago

    " Next to OS X users, Linux users are the most
    arrogant in their perception that they are immune to malware
    infections. " There is nothing like
    "Trolling" people is there. You know Sophos
    writers ought to have a bit more sense but unfortunately it seems
    everyone who is a big MS Windows fan has to have a go at users of
    other operating systems. Sigh....

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on as Chester, Chester Wisniewski on Google Plus or send him an email at