Linux infection proves Windows malware monopoly is over; Gentoo ships backdoor? [updated]

Update 12:30PM PDT 14-Jun-2010: It's much worse than it appears. According to this report, the malware-compromised code was included in the official Gentoo distribution:

Would you consider it to be a big deal if it was found in a distribution? Gentoo just released an update to remove the backdoor.

http://packages.gentoo.org/package/net-irc/unrealircd

I'm sure there will be others, I believe the package is also available in Arch. I haven't really looked to see if it was anywhere else.

The Gentoo bug report (warning: Gentoo's certificate does not resolve to a trusted Certifying Authority) reports that it is VERIFIED and CLOSED with this comment:

The unrealircd taball in the gentoo mirrors _is_ affected ( Unreal3.2.8.1.tar.gz ) but the Manifest file's signatures match the _unaffected_ tarball. This discrepancy is how the backdoor was discovered.

So, please just flush the tar.gz from gentoo's mirrors, teach people to not blindly run ``ebuild *.ebuild manifest'', and unrealircd's SRC_URI does not include the current upstream tarball location:

SRC_URI="http://www.unrealircd.com/downloads/${MY_P}.tar.gz"

(unrealircd's mirror system was compromised by the attacker and so the tarball is temporarily being hosted at the official site).

There's a great deal of comment in the Talkback section of this post about how official repositories can be trusted. It appears that system broke down thoroughly in this case.

Every time I write about Windows security software, I get a predictable flood of responses from Linux advocates who claim that they don't need any such protection. Today comes a shining example of why they're wrong.

If you downloaded and installed the open-source Unreal IRC server in the last 8 months or so, you've been pwned. Here's the official announcement:

Hi all,

This is very embarrassing...

We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been replaced quite a while ago with a version with a backdoor (trojan) in it.

This backdoor allows a person to execute ANY command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user restrictions (so even if you have passworded server or hub that doesn't allow any users in).

Two additional details in the announcement added extra helpings of irony:

It appears the replacement of the .tar.gz occurred in November 2009 (at least on some mirrors). It seems nobody noticed it until now.

Right. Because even server administrators believe that open source and Linux software are impregnable by design, the official download of a widely distributed server product has been infected with a backdoor that gives bad guys complete ownership of the system. Oops.

And my favorite part:

The Windows (SSL and non-ssl) versions are NOT affected.

Again, that's right. A similarly infected Windows file in the wild would be detected within days if not hours after a routine virus scan by someone checking the download before installing it.

Meanwhile, Mac users shouldn't get complacent either. Intego has reported two in-the-wild outbreaks of a Trojan horse program found on game sites and a gruesome piece of spyware that tags along with screen savers and other freebie apps. (And Intego says they found copies of the unwanted software even after the original distributor claimed to have removed it.)

If you think all of this sounds familiar, you're right. Welcome to the world Windows users lived in back in 2003 or so. The good news for security professionals who use Linux or a Mac? They have years of lessons to draw on courtesy of their Windows peers.

(Thanks to F-Secure's Mikko Hyponnen for the tip, via Twitter.)