Trojan horse found in OpenSSH

ComputerWorld ^ | AUGUST 02, 2002 | Joris Evers

[Bush2000]

Trojan horse found in OpenSSH

Several versions of OpenSSH contain a Trojan horse that can allow an attacker to take over a system running the free network connectivity software, the makers of OpenSSH warned in an advisory yesterday. OpenSSH is distributed for free by the OpenBSD project. The SSH protocol is widely used for secure remote terminal connections and file transfers between a client and a server running Unix and its derivatives.

The Trojan horse was discovered in OpenSSH versions 3.2.2p1, 3.4p1 and 3.4. The compromised software was first made available on an official download server on July 30 or 31 and from there likely copied to other download sites, according to the OpenSSH security advisory.

Trojan horse programs install backdoor programs that let attackers gain access to a computer. In this case, the malicious code is run when the OpenSSH software is compiled by the user, according to the advisory. It allows arbitrary commands to be executed with the privileges of the compiling user.

Anyone who installed OpenSSH or offered it for download since July 30 should verify the authenticity of the software. The compromised OpenSSH versions can be identified by their incorrect MD5 checksums and PGP signatures, according to the advisory.

More information on the Trojan horse and how to detect it can be found in an advisory sent out by the Computer Emergence Response Team.

[Bush2000]

Repeat after me: "Open source means more eyeballs and no opportunity for viruses and trojan horses..."

[ikka]

It was found and fixed within about 24-48 hours. Further, it was not a corruption or bug in the source code that was in the central repository of code. It was a hack on a SunSITE server in Alberta, Canada, which does not run OpenBSD but instead runs Solaris, a closed source OS.

[beckett]

Jeez....this is perfect ploy for proprietary protocols to pull.

Makes ya wonder.

More info here

[detsaoT]

(Hey, don't blame us for Theo "The Raat" DeRaadt's problems. The guy's practically begging for stuff like this to happen to him. Search Google for "bugtraq GOBBLES" for more information...)

Interesting side note - It was a checksumming feature of the FreeBSD ports system which caught this trojan-horse.

:) ttt

[HAL9000]

According to this August 1 weblog, the problem was detected and reported within six hours when the automatic checksum comparison reported a problem with the archive. If the people installing the software are paying attention to the checksum error message, it's unlikely that this trojan has affected more than a few machines.

Also of note -

The C code is not that smart. It tries once per hour to connect to port 6667 on the machine 203.62.158.32 which is web.snsonline.net and waits for commands from the person or persons who 0wn3d the machine. Does it get an M, it sleeps for another hour. Does it get an A, it will abort. Does it get an M, it will spawn a shell. Some people will build it "normal" privileges and install it as root: they will get a shell with "normal" privileges. Other people will build it with "root" privileges and the shell will have "root" privileges.

[lelio]

At least with FreeBSD you'll have a chance with checksums to see that it was bogus. Unlike with Microsoft you could get some FunLove with their hotfixes and you wouldn't know it.

[lelio]

I swear some virus writers are just dumb. Should rather connect to a list of IRC servers and post info, that way the person that wrote it can't be so easily detected or stopped.

[afraidfortherepublic]

Filing

[justlurking]

I swear some virus writers are just dumb. Should rather connect to a list of IRC servers and post info, that way the person that wrote it can't be so easily detected or stopped.

The server in question wasn't traceable back to the originator of the trojan. Ironically, one of the first two people to discover the problem was the owner of the server. He shutdown the server and rebuilt it immediately.

[TechJunkYard]

Repeat after me: "We need at least 30 days to investigate, formulate and propogate a fix.."

[TechJunkYard]

The real scary part is that whomever broke into the server to replace the package could have also replaced the sums.. then no one would have noticed. Who was the admin on that (Sun) box?

[Reeses]

could have also replaced the sums

That's not that simple. You have to know a trusted person's private key to certify the new hash value. They're way ahead of the typical MS programmer hired to insert trojans into open source. Also, it's very rare anyone would install OpenSSH without verifying its integrity. Someone smart enough to install it would not skip that 10 second test.

[lelio]

Showing that you shouldn't depend on one r00ted box to receive your handiwork :) Just connect to an IRC server and post something, or maybe post to UseNet.
Did the person discover his box was hacked as suddenly he started seeing thousands of hits on that port?

[TechJunkYard]

..the typical MS programmer hired to insert trojans into open source

Hoo-boy, are you trying to incite a riot or something? ;-)

This really does expose some problems with the way OSS is distributed and installed. Luckily OpenBSD actually performs a checksum when it installs something. Lots of Linux folks don't bother. Lots of folks build AND install AS ROOT so this scheme (compile and run an extra program at build-time) would open a root shell to the attacker.

In a way, the Windows crowd is lucky they only have to worry about buying buggy code, and the risks associated with that. WE don't know WHAT we need to worry about.

[TechJunkYard]

Did the person discover his box was hacked as suddenly he started seeing thousands of hits on that port?

Details here. It was an unbelievable stroke of luck that the guy was on the same IRC channel where the analysis was conducted and recognised the host name.

[justlurking]

Did the person discover his box was hacked as suddenly he started seeing thousands of hits on that port?

No, it's really strange: the first guy to discover the checksum problem (or at least the first one to investigate) asked on an IRC channel if anyone else had the same problem.

The guy that responded eventually turned out to be the administrator/owner of that server. A weird coincidence.

It's not clear that the server was actually hacked, or if the owner/administrator saved anything to investigate the source of the compromise.

[justlurking]

Details here.

Should have checked the thread. I responded directly to the "My Comments" page.

This is the same info I read, too.

[dwollmann]

MD5 checksums are not the same as digital signatures. I can generate an MD5 checksum value for a file, send you a copy of the file, then you can generate an MD5 checksum for the file on your system and, provided the file hasn't been modified, you'll come up with the same value. No key required.

The fact that the perpetrator could have generated new checksums for the modified tarballs, but didn't, suggests that he was trying to make a point.

[Bush2000]

It was found and fixed within about 24-48 hours. Further, it was not a corruption or bug in the source code that was in the central repository of code. It was a hack on a SunSITE server in Alberta, Canada, which does not run OpenBSD but instead runs Solaris, a closed source OS.

I could care less about how quickly it was fixed. You guys are constantly harping on how much more secure open source is. And you hate it when you get your faces rubbed in your own garbage.

[dwollmann]

How does this incident prove that Open Source is not secure?