The urls used in the abs files refer both to trojaned sources. It seems to not affect built binaries, thus installing using pacman is not a problem.
* The trojan contains modifications to the configure script and gencode.c (in libpcap only).
* The configure script downloads http://mars.raketti.net/~mash/services which is then sourced with the shell. It contains an embedded shell script that creates a C file, and compiles it.
* The program connects to 126.96.36.199 (mars.raketti.net) on port 1963 and reads one of three one byte status codes:
o A - program exits
o D - forks and spawns a shell and does the needed file descriptor manipulation to redirect it to the existing connection to 188.8.131.52.
o M - closes connection, sleeps 3600 seconds, and then reconnects
* It's important to note that it reuses the same outgoing connection for the shell. This gets around firewalls that block incoming connections.
* Gencode.c is modified to force libpcap to ignore packets to/from the backdoor program, hiding the backdoor program's traffic.
* This is similar to the OpenSSH trojan a few months ago.
Check http://hlug.fscker.com/ for more information
thank somebody I can't use abs at school
Think they would be very upset if I introduce yet another virus ...
apt-get install arch