The UnrealIRCd project administrators announced during the weekend that the Linux installation package for the latest version of the IRC server software contained a trojan. The backdoored source tarball was distributed through the official repository and many of the mirror servers for the past eight months without anyone noticing something was wrong.
"This is very embarrassing... We found out that the Unreal126.96.36.199.tar.gz file on our mirrors has been replaced quite a while ago with a version with a backdoor (trojan) in it. This backdoor allows a person to execute ANY command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user restrictions (so even if you have passworded server or hub that doesn't allow any users in)," Syzop, the UnrealIRCd project leader, wrote on the official forum on Saturday.
The admins don't know how the rogue source tarball made it on the official repository, but they determined that the official one was replaced with it sometime last November. From there, it was automatically picked up by some of the mirror servers that didn't perform any checksum-based file validation.
To help prevent this in the future, the UnrealIRCd source packages will be signed with PGP/GPG again. The practice of signing releases was previously stopped due to its lack of popularity amongst users. The project administration said that the Windows binaries were not affected, and promised that, if rogue files somehow made it into the repository again in the future, the compromise would be noticed very quickly.
For those users who do bother to verify files, the md5sum of the valid Unreal188.8.131.52.tar.gz package is 7b741e94e867c0a7370553fd01506c66, while that of the backdoored one is 752e46f2d873c1679fa99de3f52a274d. "Administrators take note: When a signature or checksum is provided, check it. That's why they're provided, and this is only one case among many every year. Don't fall into the trap of thinking 'viruses are a Windows problem.' As you can see from this incident, Linux is not immune," Chester Wisniewski, senior security advisor at antivirus vendor Sophos, whose products detect this malware as Troj/UnIRC-A, said.
Meanwhile, in a post on the Securelist blog, Kaspersky Lab's Director of Global Research, explains how the backdoor actually works. "[...] It only took two lines of code to do it, plus another two which define the condition when the code is inserted – that is, if DEBUGMODE3 is defined. […] In the module ‘s_bsd.c’ there is a function called ‘read_packet,’ which gets to handle every packet of data sent to the server. If the ‘AB’ command is detected (which is defined by DEBUGMODE3_INFO in our case), then the remaining data in the buffer is sent directly to the operating system for execution via ‘system().’ Pretty simple and straightforward," he writes.
UnrealIRCd (Unreal IRC daemon) is an application that allows users to run an IRC server under a wide array of platforms including Linux, Windows, Mac, Solaris and BSD. IRC (Internet Relay Chat) is a real-time Internet text messaging dating back to the end of the '80s. When it first appeared, the protocol was the Twitter of its times, allowing large groups of people to discuss and report on current events as they were happening. However, it was slowly overtaken in popularity by the modern IM applications, which offer video and audio conferencing, as well as other attractive features.
IRC is still used by gaming and hacking communities - old-school ones, in particular – but also many open source projects, which set up IRC channels for live support. Meanwhile, UnrealIRCd remains a fairly popular IRC server software because of its extended range of features and easy deployment.