June 14, 2010, 12:33 PM — There have been several stories proclaiming that a recent Linux infection proves that Windows' malware monopoly is over, and asking, "Think Linux is free from malware? Think again; it's been hacked." Much as it pains me to disagree with these good people, they're wrong.
Here's what really happened. UnrealIRCd, a rather obscure open-source IRC (Internet Relay Chat) server, wasn't so much hacked as had the program it offered for download replaced by one with a built-in backdoor. Or, as its developers explained on their site:
"This is very embarrassing...
We found out that the Unreal3.2.8.1.tar.gz file [the source code for UnrealIRCd] on our mirrors has been replaced quite a while ago with a version with a backdoor (Trojan) in it. This backdoor allows a person to execute ANY command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user restrictions (so even if you have a passworded server or hub that doesn't allow any users in).
It appears the replacement of the .tar.gz occurred in November 2009 (at least on some mirrors). It seems nobody noticed it until now.
Obviously, this is a very serious issue, and we're taking precautions so this will never happen again, and, if it somehow does, that it will be noticed quickly. We will also re-implement PGP/GPG signing of releases. Even though in practice (very) few people verify files, it will still be useful for those people who do."
So what does that mean? First, there's no new, or old for that matter, security hole in Linux at all. What happened was that this one project let someone replace the source tarball it was shipping with one deliberately designed to let outsiders run commands on the machine hosting the server. Note the limit the advisory itself states: those commands run with the privileges of the user running the ircd, so a daemon running under an unprivileged account hands an attacker that account, not root, while one started as root hands over the whole box. The real lesson is about distribution, not the kernel: a mirror served a swapped file for months, and with no release signature or checksum published somewhere the mirror couldn't touch, almost nobody had a cheap way to notice.
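The check the advisory alludes to when it talks about signing releases, written out as an added example that is not part of the original post or of UnrealIRCd's own tooling: compare a tarball fetched from a mirror against a digest copied from the project's own site, and, where the project publishes a detached signature and you already hold its key, verify that too. The file names, the constructed tarball contents and the use of SHA-256 are assumptions for illustration; the point is that the integrity data must come over a channel the mirror does not control.

```shell
#!/bin/sh
# Added example: verify a release tarball fetched from a mirror against
# integrity data obtained out-of-band from the project's own site.
# File names are hypothetical; the tarball below is constructed, not a real release.

# Print the SHA-256 of a file (GNU coreutils sha256sum, or BSD shasum as a fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 when the tarball's digest matches the trusted digest, 1 otherwise.
# The trusted digest must come from the project site, not from the mirror that
# served the tarball: a mirror that can swap the file can swap a checksum file
# sitting next to it just as easily.
verify_checksum() {
    tarball=$1
    trusted=$2
    actual=$(sha256_of "$tarball")
    if [ "$actual" = "$trusted" ]; then
        return 0
    fi
    echo "CHECKSUM MISMATCH for $tarball" >&2
    echo "  expected $trusted" >&2
    echo "  got      $actual" >&2
    return 1
}

# Return 0 when a detached signature over the tarball verifies against a key
# already in the local keyring, non-zero otherwise, 2 if gpg is not installed.
# gpg --verify exits non-zero on a bad signature or an unknown key, so this is
# a thin wrapper; the hard part is obtaining the project's key over a channel
# the mirror does not control (the project site, a key server, a maintainer).
verify_signature() {
    tarball=$1
    sig=$2
    command -v gpg >/dev/null 2>&1 || return 2
    gpg --batch --verify "$sig" "$tarball" >/dev/null 2>&1
}

# Demonstration on a constructed tarball (not a real release).
demo() {
    dir=$(mktemp -d)
    printf 'not a real release\n' > "$dir/Unreal-example.tar.gz"
    # Pretend this digest was copied by hand from the project's own download page.
    trusted=$(sha256_of "$dir/Unreal-example.tar.gz")
    verify_checksum "$dir/Unreal-example.tar.gz" "$trusted" && echo "checksum OK, safe to unpack"
    # Simulate a mirror that silently replaced the file after the digest was published.
    printf 'not a real release\nextra bytes\n' > "$dir/Unreal-example.tar.gz"
    verify_checksum "$dir/Unreal-example.tar.gz" "$trusted" || echo "refusing to build from this tarball"
    rm -rf "$dir"
}

demo
```

A digest only proves the file matches what the project published; it says nothing about whether the project's own build was clean, and it is worthless if the digest itself was read from the compromised mirror. The signature check covers the first gap only as far as you trust the key you imported.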
There's nothing too surprising about this. Historically, IRC, which is sort of the CB radio of instant messaging services, has had one major security problem after another. Indeed, IRC has often been used in the past to run Windows botnets. I strongly suspect whoever replaced the UnrealIRCd download has been using it to run Windows botnets.