ATTN: Latest libpcap & tcpdump sources contain a trojan

jk · 2002-11-13 13:18:47

The urls used in the abs files refer both to trojaned sources. It seems to not affect built binaries, thus installing using pacman is not a problem.

Details:

* The trojan contains modifications to the configure script and gencode.c (in libpcap only).

* The configure script downloads http://mars.raketti.net/~mash/services which is then sourced with the shell. It contains an embedded shell script that creates a C file, and compiles it.

* The program connects to 212.146.0.34 (mars.raketti.net) on port 1963 and reads one of three one byte status codes:
o A - program exits
o D - forks and spawns a shell and does the needed file descriptor manipulation to redirect it to the existing connection to 212.146.0.34.
o M - closes connection, sleeps 3600 seconds, and then reconnects

Hmm... ADM...

* It's important to note that it reuses the same outgoing connection for the shell. This gets around firewalls that block incoming connections.

* Gencode.c is modified to force libpcap to ignore packets to/from the backdoor program, hiding the backdoor program's traffic.

* This is similar to the OpenSSH trojan a few months ago.

Check http://hlug.fscker.com/ for more information

Arielext · 2002-11-13 18:01:24

thank somebody I can't use abs at school
Think they would be very upset if I introduce yet another virus ...

Arch Linux

#1 2002-11-13 13:18:47

ATTN: Latest libpcap & tcpdump sources contain a trojan

#2 2002-11-13 18:01:24

Re: ATTN: Latest libpcap & tcpdump sources contain a trojan

Board footer