Trojaned App Demonstrates Need for Better Practices, Not More FUD
An open source project discovers a backdoor trojan in its released software.
You've likely heard this one already, but here it is again: over the weekend, the UnrealIRCd team discovered the "Unreal126.96.36.199.tar.gz file on our mirrors has been replaced quite a while ago with a version with a backdoor (trojan) in it."
This, obviously, is not great news, because according to the team, apparently this switcheroo has gone unnoticed on some of Unreal's mirror sites since as early as November 2009.
The Unreal team handled it pretty well, in my opinion. They embraced the suck and made a clear announcement free of blame or denial--an announcement that also pointed out how to confirm the trojaned version and how to replace the trojaned version with the clean version. This is not, I should emphasize, the worst exploit ever: "This backdoor allows a person to execute any command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user restrictions (so even if you have passworded server or hub that doesn't allow any users in)."
Which sounds bad, but then I have to kind of wonder how bad having the same user privileges as an IRC daemon really would be. More pain-in-the-butt category than codeageddon.
Still, from the looks of this news, mistakes were indeed made. The Unreal team have already 'fessed up to the fact that (until this happened), archived releases had not been PGP/GPG signed. Which means if the archived version of the software varied in any way from the actual source code, there's no sure way to tell. That's what signing is supposed to do.
The team also admitted to not checking all of the mirrored files as often as they should have. Which means that while the true source code (in CVS) was clean as a whistle, the source archive files that people downloaded were not clean for a very long time.
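The two gaps the team described, unsigned archives and unchecked mirrors, are exactly what a routine verification pass closes. The script below is an added example, not code from the article or from the UnrealIRCd project; it assumes the canonical site publishes a sha256sum-format manifest (here called SHA256SUMS) with a detached GPG signature, that the project's public key is already imported, and the mirror directory layout is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article or the UnrealIRCd project): check that the
# tarballs on a mirror still match the checksum manifest published by the canonical
# site, and verify the manifest's detached GPG signature. Names are assumptions.
set -u

# Hex SHA-256 of one file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# verify_mirror MANIFEST DIR: each manifest line is "<sha256>  <filename>" (the
# sha256sum format). Reports every file; returns the number of missing/altered files.
verify_mirror() {
    manifest="$1"; dir="$2"; bad=0
    while read -r expected name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; bad=$((bad + 1)); continue
        fi
        if [ "$(sha256_of "$dir/$name")" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "ALTERED  $name  (mirror copy differs from the published checksum)"
            bad=$((bad + 1))
        fi
    done < "$manifest"
    return "$bad"
}

# The manifest itself must come from the canonical site and be signed, otherwise
# whoever replaced the tarball could replace the checksums too. Assumes the
# project's public key is already in the local keyring.
verify_manifest_sig() { gpg --verify "$1.sig" "$1"; }

# Demo with constructed files: a manifest taken before one tarball was swapped.
demo() {
    tmp=$(mktemp -d); mkdir "$tmp/mirror"
    printf 'clean release A\n' > "$tmp/mirror/project-1.0.tar.gz"
    printf 'clean release B\n' > "$tmp/mirror/project-1.1.tar.gz"
    for f in project-1.0.tar.gz project-1.1.tar.gz; do
        printf '%s  %s\n' "$(sha256_of "$tmp/mirror/$f")" "$f"
    done > "$tmp/SHA256SUMS"
    printf 'clean release B plus backdoor\n' > "$tmp/mirror/project-1.1.tar.gz"
    verify_mirror "$tmp/SHA256SUMS" "$tmp/mirror"   # reports 1.1 as ALTERED, returns 1
}

[ "${1:-}" = "--demo" ] && demo
```

Run as `sh mirror_check.sh --demo` to see the altered tarball flagged; in practice, run `verify_manifest_sig SHA256SUMS` first and cron the mirror check so a swap is noticed in hours rather than months.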
This is all very unfortunate, but the general feeling in the broader open source community is that this was a sharp lesson in what not to do with handling software downloads. To their credit, the Unreal team owned up to their mistakes.
Of course, several wags couldn't resist the obvious target: open source software isn't secure! Windows is better than Linux! Nyahny-nyahny-boo-boo!
Actually, that first claim is absolutely true: open source software is no less vulnerable to malware hacks than proprietary software. No one with half a brain ever said it was.
What is true is that on the whole, malware (and unintentional bugs) typically get discovered in open source software faster and as such get fixed pretty quickly. Because the source code is open, more eyes can see the code and typically fix problems faster. The problem here was that the original source code was free of malware, but no one bothered to check the source archives in the download mirror. "Many eyes" doesn't work if you aren't looking.
My favorite outrageous response to this situation was ZDNet's Ed Bott's "Linux infection proves Windows malware monopoly is over."
Yes, that's quite the headline: claiming that Windows is so bad it had a monopoly on malware. Your words, Bott, not mine. I don't think even the most rabid Linux or Mac fan would ever rationally state that only Windows had malware. More malware, sure, but all of it? Hardly.
Of course, Bott--or his editor, depending on who wrote the headline--was just trying to get some pageviews and perhaps deliver some payback to all those thousands of times Linux and open source advocates mocked Windows security since, oh, yesterday.
Still, it would be nice if this scathing headline were factually correct: the source archive tarball affected was just that--source. UnrealIRCd built from source can run "on most *nix OSes including Linux, BSD, MacOS X [sic], Solaris, and HP-UX." Not to mention that most of the major Linux distros don't currently ship with UnrealIRCd.
So, this was more a *nix-based problem, rather than just Linux.
I could continue being a semantic smart-aleck, but in the interests of fair play, there is a piece of knowledge that hasn't come out yet. No explanation has been given on how the archive file on the mirrors was swapped out to begin with. If the mirrors were running Linux, then someone needs to figure out how those mirrors were breached. A bug in the system, or bad password management? It makes a difference, and there may yet be a Linux-specific problem that needs to be addressed.
Beyond the headline, there were other errors in Bott's blog entry.
"Two additional details in the announcement added extra helpings of irony:
"It appears the replacement of the .tar.gz occurred in November 2009 (at least on some mirrors). It seems nobody noticed it until now.
"Right. Becauseeven [sic] server administrators believe that open source and Linux software are impregnable by design, the official download of a widely distributed server product has been infected with a backdoor that gives bad guys complete ownership of the system. Oops."
Erm, no. As near as I can tell, the bad guys could only co-opt the user privileges of the user running the daemon, which (one would hope) is not root. Again, that's not good, because getting any user privileges can be a problem. But claiming total system takeover sounds more dramatic, I suppose.
Then there's this bit:
"And my favorite part:
"The Windows (SSL and non-ssl) versions are NOT affected.
"Again, that's right. A similarly infected Windows file in the wild would be detected within days if not hours after a routine virus scan by someone checking the download before installing it."
Hey, I know it's been a long time since I've been active in the Windows world, but I think if anyone had invented a magical virus scanner that could find previously undiscovered trojans in every piece of contaminated software ever, I would have heard about it. In truth, a similarly infected Windows file in the wild might go undetected for just as long, because no one would have discovered the trojan and written an anti-virus definition to tag and quarantine it.
Of course, I'll concede a small point to Bott: currently there are so many viruses, trojans, and worms infecting the Windows platform, the odds are a bit higher that someone might have inserted a previously defined trojan into these Windows binaries. You never know.
Bott would have garnered a lot more respect from me had he hit upon the broader point: that any software can be exploited, and that proper security procedures should be used whenever any software is installed. Regardless of platform, know your software source and only use signed downloads.
But hey, props to Bott for the "Windows malware monopoly" line. Even on my most vicious day, I don't think I would have been able to speak truth to power so well.