November 14, 2002 5:27 PM PST
Hackers drop spyware into popular tool
Copies of Tcpdump, a utility for monitoring data traffic on a network, and its library of code, called libpcap, had both been corrupted on the site, said Michael Richardson, Webmaster for the site and a member of the open-source project that maintains the tools.
"The server has been taken down until we can be sure we have found the problem," Richardson said in a phone interview Thursday.
However, other sites had already downloaded the software from the main server and hosted the files on their own computers, a practice known as mirroring. It's unknown how many of these other sites have corrupted copies of the code, Richardson said, although some have already confirmed that they have found the Trojan horse.
Tcpdump is a utility used by Unix, Linux and BSD system administrators to monitor--or "sniff"--the data that passes over the network. Libpcap is a code library that helps programmers write programs to tap into network data on many different platforms.
The spyware component of the tainted software--called "conftes.c"--enables the hackers to send and execute any command on computers that contain the modified utility.
The attack bears some hallmarks of a group of hackers that struck two other open-source projects, Sendmail and OpenSSH, in October. Specifically, the Trojan horse has commands that can be triggered by using the letters a, d and m--the name of a major underground hacking group. Whether the actual hackers were members of ADM, were framing the group, or were just using the group's tools is unknown.
The hackers apparently broke into the server during the weekend from a computer in Finland and replaced the code with a corrupted version. The infected software remained available for more than two days because, Richardson said, he had been away from the main server, located in Canada, and the people who found the problem--members of the Houston Linux Users Group--didn't notify him.
"It would have been nice to have a little bit more warning," Richardson said. "No one contacted me from that group."
Matt Solnik, president of the Houston Linux Users Group, said the group contacted one of the other members of the Tcpdump project less than an hour after realizing the software had been compromised. Another HLUG member, Russell Adams, had been installing Snort, an open-source intrusion detection system that uses the libpcap library, when a test that matches the software package with a unique fingerprint failed. The fingerprints, known more formally as digital signatures, are used as a security measure to make sure the software can't be surreptitiously changed.
"He found some interesting code and we looked over it and found that it was a Trojan," Solnik said.
By Tuesday night, HLUG had extracted the Trojan horse and had started notifying Tcpdump's maintainers, said Solnik.
Richardson expects to start analyzing the server Thursday. He couldn't say when the project's server would again be available. More information is available in an advisory released by Carnegie Mellon University's Computer Emergency Response Team (CERT) Coordination Center.