Sendmail source hit by a trojan horse

As detailed in this CERT advisory, the sendmail source distribution on ftp.sendmail.org was replaced by a version containing a trojan horse. The modified code stayed on the server from September 28 through October 6. The trojan was invoked during the build process; it would fire off a process that would listen for commands on port 6667. If you downloaded and installed sendmail during that time period, you need to take a serious look at the integrity of your systems.

Free software is supposed to be more secure because the source can be examined for this sort of thing. Yet this particular bit of malware managed to stay on a high-profile server for over a week. When you consider that, for example, the Interbase back door went undiscovered for over a year, one week does not seem all that bad. But one week is plenty of time to compromise a great many systems.

What is truly surprising is that we have not seen more of this sort of problem. Trojanized source distributions are scary; a compromised binary package is truly terrifying. There will be more - and worse - episodes of this nature in the future.

Of course, we have the tools to defend against most of these attacks. If you put up software for others to download, you should sign it with a cryptographic key. If you download software, you should check that signature. As long as the signing keys are handled carefully (i.e. not stored on the FTP server!), this bit of hygiene will detect almost all tampering attacks. Without such checks, administrators are placing a great deal of trust in the security of every system they download software from.

Sendmail source hit by a trojan horse

Posted Oct 10, 2002 11:53 UTC (Thu) by rasumner (guest, #5410)

While signing things is a useful step, public key infrastructure is still a real problem. There is little point in checking the signature on a package signed by a public key you downloaded from the same server. This is normally solved by using a Certificate Authority, but who is going to play that role in the open source world?

Sendmail source hit by a trojan horse

Posted Oct 10, 2002 23:04 UTC (Thu) by zooko (subscriber, #2589)

This is a ubiquitous belief, but it doesn't hold up. Consider what would happen if sendmail, and all other open source sites, generated a public key, posted it on their site, or through a (non-verified, non-certified) keyserver. Suppose in addition that user-agent software fetched the public key and kept a copy, and notified you if it changed. (This is exactly what ssh does.)

Then attacks like these would be far less damaging, and perhaps more quickly discovered, too.

If argument from authority helps, consider that Phil Zimmermann has been saying similar things recently.

Regards,

Zooko
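An added illustration, not code from LWN, sendmail or any commenter, of the scheme zooko describes combined with the article's advice to check signatures: a Go program that pins the first signing key seen for a site, ssh-style, refuses a later key change, and verifies a downloaded archive against the pinned key. Ed25519 stands in for whatever key type a project actually uses; the site name, archive bytes and error texts are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyStore maps a distribution site to the fingerprint of the signing key
// first seen there, the way ssh's known_hosts pins host keys (trust on first use).
type KeyStore map[string]string

var ErrKeyChanged = errors.New("signing key for site changed since it was pinned")
var ErrBadSignature = errors.New("signature does not match downloaded archive")

func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// VerifyDownload checks archive against sig with the key fetched from site.
// A key that differs from the pinned one is refused even if its signature is
// valid, which is what stops an attacker who replaces key and tarball together.
// The first contact is pinned only after a valid signature; TOFU cannot detect
// an attacker who already controls the site on that very first download.
func (ks KeyStore) VerifyDownload(site string, pub ed25519.PublicKey, archive, sig []byte) error {
	fp := fingerprint(pub)
	if pinned, seen := ks[site]; seen && pinned != fp {
		return ErrKeyChanged
	}
	if !ed25519.Verify(pub, archive, sig) {
		return ErrBadSignature
	}
	ks[site] = fp
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)          // maintainer's key
	archive := []byte("sendmail-x.y.z.tar.gz (constructed)")
	ks := KeyStore{}
	fmt.Println("genuine:", ks.VerifyDownload("ftp.example.org", pub, archive, ed25519.Sign(priv, archive)))
	trojan := []byte("sendmail-x.y.z.tar.gz (trojaned, constructed)")
	fmt.Println("swapped tarball:", ks.VerifyDownload("ftp.example.org", pub, trojan, ed25519.Sign(priv, archive)))
	apub, apriv, _ := ed25519.GenerateKey(nil)        // attacker re-signs with own key
	fmt.Println("swapped key+tarball:", ks.VerifyDownload("ftp.example.org", apub, trojan, ed25519.Sign(apriv, trojan)))
}
```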

Copyright © 2002, Eklektix, Inc.