Trojan Discovered in Linux Version of UnrealIRCd

Posted on June 16, 2010 6:52 AM by Rob Williams

The reasons one might choose an alternative OS vary from person to person and with their goals, but one of the more common arguments made for using a non-Windows OS is overall PC security. It’s a good one, too. Microsoft’s Windows, as the market-leading OS, has been the target of crackers and other less-than-reputable characters for many years, and at this point you really need to be careful about what you do in the OS, not to mention lace yourself up with plenty of protection.

I doubt many would dispute that Windows users have a far greater chance of having their PCs infected with some sort of malware or virus than others, but neither Mac OS X nor Linux has been completely devoid of such potential either. In the past, various forms of shady software have been discovered for these OSes, but at the end of the day, their effect has been minimal.

With both OS X and Linux growing in popularity, the potential for shady characters to begin targeting those OSes, especially OS X given its rapid growth, is reason for real concern. This was highlighted just days ago by the developer of the Unreal IRC daemon, a tool that lets folks set up their own IRC servers and let users connect to them with whichever client software they choose.

As it appears, someone in November of 2009 planted a trojan in the main .tar.gz archive that housed the program’s source code – code that Linux users would then compile and install. As the trojan affected only this one file, Windows users were left alone, unless they chose to download the same source code and compile it on their own (most do not) in order to produce a Windows binary.

The trojan isn’t to be taken lightly, as it essentially gives someone a backdoor that runs with the permissions of the ‘unrealircd’ user. Most often, users created for applications such as these don’t have the greatest of permissions, so the effect could be minimal. At least that is what I’d assume, because if someone had been able to take advantage of the backdoor to the user’s full extent, I’d have to imagine we would have learned of this issue long, long ago.

If you happen to be using UnrealIRCd, you can upgrade to the latest (as in, trojan-removed) version. The developers have also amped up their security measures to ensure that this doesn’t happen again, including publishing a GPG key so that users can verify the download before installing.
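Verifying a source tarball before building it, the step the developers now ask users to perform, as an added shell example that is not from the original post or the UnrealIRCd project; the file names, the sha256sum-style manifest format and the demo files are assumptions constructed for the demo, and the optional GPG branch assumes the project's public key is already in your keyring.

```shell
#!/bin/sh
# Added example, not code from the original post or the UnrealIRCd project.
# Checks a downloaded source tarball against a sha256sum-style manifest and,
# when a detached GPG signature is supplied, asks gpg to verify it too.
# File names and the manifest format are assumptions made for this demo.
set -eu

# verify_tarball TARBALL MANIFEST [DETACHED_SIG]
# MANIFEST lines look like "<sha256 hex>  <filename>" (sha256sum output).
# Returns 0 only if the hash for the tarball's basename matches and, if a
# signature is given, gpg --verify also succeeds (the signing key must
# already be in the local keyring). 1 = mismatch/bad signature, 2 = no entry.
verify_tarball() {
    tarball=$1; manifest=$2; sig=${3:-}
    name=$(basename "$tarball")
    expected=$(awk -v f="$name" '$2 == f { print $1; exit }' "$manifest")
    if [ -z "$expected" ]; then
        echo "$name: no manifest entry, cannot verify" >&2
        return 2
    fi
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "$name: CHECKSUM MISMATCH, do not build or install" >&2
        return 1
    fi
    if [ -n "$sig" ] && ! gpg --verify "$sig" "$tarball" >/dev/null 2>&1; then
        echo "$name: GPG signature did not verify" >&2
        return 1
    fi
    echo "$name: checksum OK"
}

# Constructed demo data: a stand-in "clean" archive, a manifest generated
# from it, and a copy under mirror/ with one extra byte, playing the role of
# a mirror that serves a modified archive under the same file name.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'clean source archive\n' > "$demo_dir/Unreal-demo.tar.gz"
( cd "$demo_dir" && sha256sum Unreal-demo.tar.gz > manifest.sha256 )
mkdir "$demo_dir/mirror"
cp "$demo_dir/Unreal-demo.tar.gz" "$demo_dir/mirror/Unreal-demo.tar.gz"
printf 'x' >> "$demo_dir/mirror/Unreal-demo.tar.gz"

verify_tarball "$demo_dir/Unreal-demo.tar.gz" "$demo_dir/manifest.sha256"
verify_tarball "$demo_dir/mirror/Unreal-demo.tar.gz" "$demo_dir/manifest.sha256" \
    || echo "mirror copy rejected (exit status $?)"
```

The checksum only helps if the manifest comes from a channel other than the mirror that served the archive (a signed release announcement or the project's own site), which is why the signature check belongs alongside it.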

As a Linux user, news of this trojan doesn’t do much to scare me, as the incident has been quite isolated and its effects minimal, as shown by the fact that it took so long for it to even be discovered. The software here wasn’t hosted on a website that most people would recognize (as in, a distro’s repository or a well-known software developer’s website). There was an obvious security issue here, where someone was able to get this trojan in, and for the most part those kinds of breaches are uncommon, given how seriously most Linux server admins take security. Still, I hope we don’t begin seeing more of this, or else malware scanners for Linux and OS X may become just as common as their Windows counterparts.

We found out that the Unreal3.2.8.1.tar.gz file on our mirrors was replaced quite a while ago with a version with a backdoor (trojan) in it. This backdoor allows a person to execute ANY command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user restrictions (so even if you have a passworded server or hub that doesn’t allow any users in).

Source: UnrealIRCd
