Linux Version Of Unreal IRC Servers Contained Trojans Since 2009

In a startling revelation, the administrators of UnrealIRCd, one of the most popular IRC servers, revealed that the Linux version of UnrealIRCd contained a backdoor. The backdoor could be triggered by any user, regardless of their privileges on the server. To rub salt in the wound, the file had been replaced on certain mirrors way back in November 2009, and this went unnoticed until yesterday.

The backdoor works by examining and parsing incoming packets, looking specifically for the string “AB”. Any Linux command following the string “AB” would be parsed and executed via the system() function call, a very dangerous combination in the hands of a malicious user.

The administrators state that the following versions of UnrealIRCd are safe:

  • Official precompiled Windows (SSL and non-SSL) binaries
  • CVS versions
  • 3.2.8 and any earlier versions are not affected
  • Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be safe

Verifying that the version you have is not the backdoor version:

There are a couple of ways to verify that you have a legitimate version:

  • Calculate the MD5 sum

Running ‘md5sum Unreal3.2.8.1.tar.gz’ will calculate the MD5 sum. The official version has an MD5 of 7b741e94e867c0a7370553fd01506c66, while the backdoored version has an MD5 of 752e46f2d873c1679fa99de3f52a274d.

  • Examine struct.h

Running ‘grep DEBUG3_DOLOG_SYSTEM include/struct.h’ will search the header for that pattern. If it outputs two lines, you’re running the backdoored/trojanized version. If it outputs nothing, the version is clean.

What to do if you’re running the backdoored version?

If the above steps indicate you have the backdoored version, then the following steps must be taken:

Verified md5sums

Below are the verified md5 checksums:

  • 7b741e94e867c0a7370553fd01506c66 for Unreal3.2.8.1.tar.gz
  • 5a6941385cd04f19d9f4241e5c912d18 for Unreal3.2.8.1.exe
  • a54eafa6861b6219f4f28451450cdbd3 for Unreal3.2.8.1-SSL.exe
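The two checks described in the “Verifying” section above (compare the MD5 sum, grep include/struct.h for DEBUG3_DOLOG_SYSTEM) are easy to get wrong by hand, for example by treating “hash matches neither list” as clean. The script below is an added example written for this post; it is not the UnrealIRCd team’s tool or any official code. It hard-codes the checksums quoted in this post, classifies a file’s MD5 as official, backdoored or unknown, and reports on the struct.h marker. The function names (classify_md5, file_md5, check_struct_h, check_unreal_download) are my own.

```shell
#!/bin/sh
# Added example for this post (not from the UnrealIRCd advisory): checks a
# downloaded Unreal3.2.8.1 file against the checksums quoted above and looks
# for the backdoor marker in include/struct.h of an extracted tree.

# Checksums as published in the post: official and backdoored tarball,
# plus the two official Windows binaries.
OFFICIAL_TGZ_MD5=7b741e94e867c0a7370553fd01506c66
BACKDOOR_TGZ_MD5=752e46f2d873c1679fa99de3f52a274d
OFFICIAL_EXE_MD5=5a6941385cd04f19d9f4241e5c912d18
OFFICIAL_SSL_EXE_MD5=a54eafa6861b6219f4f28451450cdbd3

# classify_md5 HASH: prints "official", "backdoored" or "unknown".
# A hash matching neither list is not "clean"; it is simply a file the
# advisory says nothing about, and should be treated with suspicion.
classify_md5() {
    case "$1" in
        "$OFFICIAL_TGZ_MD5"|"$OFFICIAL_EXE_MD5"|"$OFFICIAL_SSL_EXE_MD5") echo official ;;
        "$BACKDOOR_TGZ_MD5") echo backdoored ;;
        *) echo unknown ;;
    esac
}

# file_md5 PATH: portable MD5 (coreutils md5sum, or BSD md5 as fallback).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# check_struct_h STRUCT_H: prints "trojanized", "clean", "suspect" or "missing".
# Per the advisory, two matching lines means trojanized and none means clean;
# any other count is reported as suspect rather than silently accepted.
check_struct_h() {
    [ -f "$1" ] || { echo missing; return; }
    # grep -c exits 1 when the count is 0, so tolerate that exit status.
    n=$(grep -c DEBUG3_DOLOG_SYSTEM "$1" || true)
    if [ "$n" -eq 0 ]; then
        echo clean
    elif [ "$n" -eq 2 ]; then
        echo trojanized
    else
        echo "suspect ($n matching lines)"
    fi
}

# check_unreal_download FILE [EXTRACTED_DIR]: run both checks and print verdicts.
check_unreal_download() {
    echo "$1: md5 $(file_md5 "$1") -> $(classify_md5 "$(file_md5 "$1")")"
    if [ -n "$2" ]; then
        echo "$2/include/struct.h -> $(check_struct_h "$2/include/struct.h")"
    fi
}

# Usage: sh check_unreal.sh Unreal3.2.8.1.tar.gz [Unreal3.2.8.1]
if [ $# -gt 0 ]; then
    check_unreal_download "$@"
fi
```

The checksum table is deliberately two-sided: a file is only trusted when its hash is one the project published, and a match against the known-backdoored hash is reported explicitly so the result of the check is never ambiguous.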

Could anything have been done to prevent this?

Perhaps. The fact that the md5sum was published on the site, and yet nothing was done, indicates that nobody bothered to verify it. You might argue that MD5 checksums could be altered too, but that would only be the case if the server itself had been broken into; in this case, the source files were altered, so the md5sum difference would have shown up.

The files could’ve been signed using PGP, but again, it’s not clear how many people would bother to verify the signatures.

Response from UnrealIRCD team

The UnrealIRCd admins have come out with a full disclosure, and they should be applauded for doing that rather than covering up the matter. They have released an advisory, so keep an eye out for any updates to it. They have also stated that they will start PGP/GPG signing of releases.

Learnings from the incident

Most of these have been said ad nauseam, yet they need to be repeated:

  • Never download files from unverified sources.
  • Always rely on files packaged by your distribution’s package manager.
  • If you’re downloading sources, ensure that you’ve verified their authenticity. Most projects publish MD5/SHA1 checksums; if there’s any deviation, inform the site admins.

Published by

Sathya Bhat

Sathyajith aka "Sathya" or "cpg" loves working on computers, and actively participates in many online communities. Sathya is a Community Moderator on Super User, a collaboratively maintained Q&A site which is part of the Stack Exchange network. Sathya also contributes to and is a Super Moderator at Chip India Forums. While not writing SQL queries or coding in PL/SQL, Sathya is also a gamer, a Linux enthusiast, and maintains a blog on Linux & OpenSource. You can reach Sathya on twitter.