Latest news
Trojan Found in libpcap and tcpdump
Members of The Houston Linux Users Group discovered that the newest sources of libpcap and tcpdump available from tcpdump.org were contaminated with trojan code. HLUG has notified the maintainers of tcpdump.org.
Details:
- The trojan contains modifications to the configure script and gencode.c (in libpcap only).
- The configure script downloads http://mars.raketti.net/~mash/services which is then sourced with the shell. It contains an embedded shell script that creates a C file, and compiles it.
- The program connects to 212.146.0.34 (mars.raketti.net) on port 1963 and reads one of three one byte status codes:
A - program exits
D - forks and spawns a shell and does the needed file descriptor manipulation to redirect it to the existing connection to 212.146.0.34.
M - closes connection, sleeps 3600 seconds, and then reconnects - It's important to note that it reuses the same outgoing connection for the shell. This gets around firewalls that block incoming connections.
- Gencode.c is modified to force libpcap to ignore packets to/from the backdoor program, hiding the backdoor program's traffic.
- This is similar to the OpenSSH trojan a few months ago.
MD5 Sum 0597c23e3496a5c108097b2a0f1bd0c7 libpcap-0.7.1.tar.gz
MD5 Sum 6bc8da35f9eed4e675bfdf04ce312248 tcpdump-3.6.2.tar.gz
MD5 Sum 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz
Trojaned sources have the following MD5 hashes:
MD5 Sum 73ba7af963aff7c9e23fa1308a793dca libpcap-0.7.1.tar.gz
MD5 Sum 3a1c2dd3471486f9c7df87029bf2f1e9 tcpdump-3.6.2.tar.gz
MD5 Sum 3c410d8434e63fb3931fe77328e4dd88 tcpdump-3.7.1.tar.gz
[ Read more ]
Comment:
The version on TCPDUMP available on HNS does NOT contain a trojan but it's advised not to download the program from any source until the developers post a notice on the official website.
Related items
- Software: TCPDUMP
- Advisory: Trojan Horse tcpdump and libpcap Distributions (14 November 2002)
- News: OpenSSH trojaned (1 August 2002)
- Article: Backdoored dsniff, fragroute and fragrouter (3 June 2002)
- Vulnerability: Irssi IRC Chat Client Backdoor (27 May 2002)
Spotlight
The CSO perspective on healthcare security and compliance
Posted on 20 May 2013. | Randall Gamby is the CSO of the Medicaid Information Service Center of New York. In this interview he discusses healthcare security and compliance challenges and offers a variety of tips.
Cyber espionage campaign uses professionally-made malware
Posted on 20 May 2013. | A massive cyber espionage campaign has been hitting government ministries, IT companies, academic research institutions, and more.
Ransomware adds password stealing to its arsenal
Posted on 17 May 2013. | Microsoft researchers are warning about a new variant of the well-known Reveton ransomware doing rounds.
IT security jobs: What's in demand and how to meet it
Posted on 15 May 2013. | Let's say you want a career in information security, where do you start? What credentials do you need? What are employers looking for? Read on to find some answers.
Hacking charge stations for electric cars
Posted on 15 May 2013. | Ofer Shezaf talks about what charge stations really are, why they have to be ‘smart’ and the potential risks created to the grid, to the car and most importantly to its owner’s privacy and safety.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
