
The trojaning of mICQ

The trojaning of mICQ

Posted Feb 20, 2003 3:01 UTC (Thu) by ncm (guest, #165)
Parent article: The trojaning of mICQ

My question is, why didn't Mr. Loschwitz see the trojan code when he diff'd the old version against the update, to see what had changed?



The trojaning of mICQ

Posted Feb 20, 2003 3:31 UTC (Thu) by trutkin (guest, #3919) [Link] (1 responses)

He didn't look over the diff. He was upbraided by other maintainers for this.

The trojaning of mICQ

Posted Feb 20, 2003 22:11 UTC (Thu) by hmh (subscriber, #3838) [Link]

You bet he was upbraided. Some of us take great pains to go over every
line in a 1000+ line diff file (usually not for security, but out of sheer
paranoia of breaking the package in a hideous way, and losing even more
time trying to get it to work again)...

However, as others said, don't expect normal diff-looking to catch a
really bright piece of obfuscation (which was NOT the case of mICQ).

The trojaning of mICQ

Posted Feb 27, 2003 14:46 UTC (Thu) by MLKahnt (guest, #6642) [Link]

Having seen the code (and read the entirety of each thread of the flame war), there were some very deliberate efforts to hide the code and the activities - other developers on Debian-devel admitted that they wouldn't have realised the nature of what was to happen if the results weren't reported to them. The offending message was coded in base64 iirc, the reference used to hide the message from appearing on the system of the Debian maintainer was set up to use his specific ICQ name, hardcoded a letter at a time rather than a more obvious string, and even the reference to Debian was chopped into substrings to not stand out.

There was substantive effort put into hiding this function, which might well have slipped past most any maintainer not performing security audits of diffs, let alone one that was relatively new to the process (the mICQ maintainer being still under sponsorship.)
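
Added example, not part of any comment above and not taken from the mICQ source: a reviewer-side check that scans the added lines of a unified diff for the three hiding tricks this thread describes (base64 text in a literal, strings built one character at a time, and words chopped into short adjacent literals). The patterns, the threshold, the function name `audit_diff` and the sample diff are all assumptions constructed for illustration.

```python
import base64
import re

# Patterns and the run threshold are assumptions chosen for illustration.
B64 = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')  # long base64-looking literal
CHAR_OP = re.compile(r"\[\s*\w+\s*\]\s*(?:==|!=|=)\s*'(?:[^'\\]|\\.)'")  # s[0] = 'x'
SPLIT = re.compile(r'(?:"[^"\\\n]{1,4}"\s*){3,}')  # "De" "bi" "an"
RUN_MIN = 4  # consecutive added lines doing single-character operations

def audit_diff(diff_text):
    """Return (file, new_line_no, rule, detail) for suspicious added lines."""
    findings, path, lineno, run = [], None, 0, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].split("\t")[0]
        elif line.startswith("@@"):
            lineno, run = int(re.search(r"\+(\d+)", line).group(1)), 0
        elif line.startswith("+"):
            text = line[1:]
            for raw in B64.findall(text):
                try:
                    data = base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True)
                except ValueError:
                    continue
                if all(32 <= b < 127 for b in data):  # decodes to readable text
                    findings.append((path, lineno, "base64-text", data.decode("ascii")))
            for m in SPLIT.finditer(text):
                joined = "".join(re.findall(r'"([^"]*)"', m.group(0)))
                findings.append((path, lineno, "split-literal", joined))
            run = run + 1 if CHAR_OP.search(text) else 0
            if run == RUN_MIN:  # report the line where the run started
                findings.append((path, lineno - run + 1, "char-at-a-time", f"{run} lines"))
            lineno += 1
        else:  # context lines advance new-file numbering; other lines only reset the run
            run, lineno = 0, lineno + line.startswith(" ")
    return findings

# Constructed sample diff, not the mICQ code.
HIDDEN = base64.b64encode(b"constructed hidden notice text").decode()
SAMPLE = '''--- a/src/notice.c
+++ b/src/notice.c
@@ -10,1 +10,7 @@
 {
+    const char *msg = "B64";
+    who[0] = '1';
+    who[1] = '2';
+    who[2] = '3';
+    who[3] = '4';
+    const char *distro = "De" "bi" "an";
'''.replace("B64", HIDDEN)
```

`audit_diff(SAMPLE)` returns one finding per trick, with the decoded text and the rejoined word in the detail field so the reviewer reads what the literal actually says. It is a triage aid for line-by-line review, not a replacement for it.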


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds