Linux Trojan rears its ugly head

UnrealIRCd logo

Next to OS X users, Linux users are the most arrogant in their perception that they are immune to malware infections. Unfortunately for them, this morning the administrators of UnrealIRCd had to post that their Unix/Linux source code had been compromised and had contained a backdoor since November of 2009.

Users of Sophos Anti-Virus are protected against the poisoned versions of this source code through our identity Troj/UnIRC-A. Windows malware is almost never delivered as source code, so source-borne Linux malware presents unique challenges for anti-virus. In the Linux world, sound practices by administrators matter all the more.

It looks as though the download servers for UnrealIRCd were compromised and a Trojanized version of the source was placed in the main download repository. The administrators of the project admitted to several mistakes that led to the issue and to it going undetected for so long.

First, the administrators were not monitoring their repository to know if it had been modified. Second, they had stopped publishing checksums. Third, the mirrors of their software also did not require checksums, so they were blindly accepting the poisoned code and passing it on to their users.

The authors are now GPG-signing their releases so that their users can verify the validity of an archive. The main problem with all source-based packages is that users are simply too lazy to bother to actually verify checksums or signatures. It is neither difficult nor time consuming, but situations like this occur so infrequently that we could check every checksum for five years and never run across a corrupted or malicious archive (remember foo.pad?).

When checksums are published at all, they are often hosted on the same system as their archives, or on a system with shared credentials. This serves almost no purpose, as Paul Ducklin and I have previously discussed.

Paul often makes the point that if you control a server well enough to place a malicious binary or source archive on it, you can also easily alter the published checksum to match your replacement copy. Perhaps the UnrealIRCd team’s approach of signing rather than checksumming can thwart this in the future. That would require that they also take very good care of their signing keys and not keep them on the same host.

If you are an UnrealIRCd user, please check your tarball and ensure the md5sum is 7b741e94e867c0a7370553fd01506c66 (for version 2.8.1). The compromised version’s checksum is 752e46f2d873c1679fa99de3f52a274d. Windows versions of the software were not affected by this hack. If you run Sophos Anti-Virus, you can run savscan -tar -gzip Unreal3.2.8.1.tar.gz on your Linux or Unix servers to determine whether your system has a compromised version.
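As an added example (not code from the post or from the UnrealIRCd project), the shell script below turns the checks described above into something an administrator can run on a downloaded tarball: it compares the file's MD5 against the known-good and known-backdoored hashes quoted in the post and classifies the archive as clean, backdoored or unknown, and it verifies a detached GPG signature against a keyring obtained separately from the download host, which is the point of signing rather than checksumming. The function names, the keyring path and the signature file name are assumptions for illustration; the two hashes are the ones given in the text.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Hashes are those quoted
# for Unreal3.2.8.1.tar.gz: the first is the clean archive, the second the
# backdoored one that sat in the download repository.
GOOD_MD5="7b741e94e867c0a7370553fd01506c66"
BAD_MD5="752e46f2d873c1679fa99de3f52a274d"

# Print the MD5 of a file (first field of md5sum output).
file_md5() {
    md5sum "$1" | awk '{print $1}'
}

# classify_tarball FILE GOOD_MD5 [BAD_MD5]
# Echoes clean / backdoored / unknown / missing. Returns 0 only for a clean
# file, so it can gate an install step under "set -e".
classify_tarball() {
    local file="$1" good="$2" bad="${3:-}" actual
    [ -r "$file" ] || { echo missing; return 2; }
    actual=$(file_md5 "$file")
    if [ "$actual" = "$good" ]; then
        echo clean; return 0
    elif [ -n "$bad" ] && [ "$actual" = "$bad" ]; then
        echo backdoored; return 1
    else
        # Neither hash matched: a new release, a truncated download, or a
        # replacement we have not seen. Do not treat it as safe.
        echo unknown; return 1
    fi
}

# verify_signature FILE SIGFILE KEYRING
# Checks a detached signature with a keyring that was fetched out-of-band
# and stored locally (assumed path), so that an attacker who controls the
# download host cannot simply replace the archive and its checksum together.
verify_signature() {
    local file="$1" sig="$2" keyring="$3"
    gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$file"
}

# Usage: ./check-unreal.sh Unreal3.2.8.1.tar.gz [Unreal3.2.8.1.tar.gz.asc]
main() {
    local tarball="$1" sig="${2:-}" verdict
    verdict=$(classify_tarball "$tarball" "$GOOD_MD5" "$BAD_MD5") || true
    echo "$tarball: $verdict"
    if [ -n "$sig" ]; then
        # ~/.gnupg/unrealircd.gpg is an assumed location for the maintainers' key.
        verify_signature "$tarball" "$sig" "$HOME/.gnupg/unrealircd.gpg"
    fi
    [ "$verdict" = clean ]
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The classification deliberately refuses to call an archive clean merely because it does not match the known-bad hash: a mirror that only rejects one known-poisoned checksum would still pass any other substituted file, which is the same blind acceptance the post describes.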

Screenshot of file size and checksum

Update: We have now released detection for the compiled binaries as well as the original tarball.

Administrators take note: When a signature or checksum is provided, check it. That’s why they’re provided, and this is only one case among many every year. Don’t fall into the trap of thinking “viruses are a Windows problem.” As you can see from this incident, Linux is not immune.

Thanks to Pete from SophosLabs Australia for all the help today with analyzing this threat.