Feeds

Sendmail Trojan looks familiar

And hard to trace

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

The Trojan horse discovered in a distribution of the Sendmail open-source e-mail server has striking similarities to a backdoor planted in OpenSSH last summer, according to security experts who've analyzed the code. But missteps in the alerting process may have given the culprits a chance to cover their tracks.

The sophisticated backdoor came to light Tuesday through an advisory from the government-funded Computer Emergency Response Team (CERT) Coordination Center. CERT warned that copies of version 8.12.6 of Sendmail downloaded between September 28th and October 6th from the Sendmail Consortium's public FTP server contained the backdoor.

Once downloaded, the victim unwittingly activates the backdoor by compiling Sendmail from source code. The malicious code then establishes a secret control channel to a particular Internet host over TCP port 6667, according to the CERT advisory.

That's the same general technique used by a backdoor discovered last August in another popular open-source package, OpenSSH, a free implementation of the SSH standard that lets users encrypt their communications over the Internet. That similarity is more than skin deep, according to Erik Parker, a senior security analyst at San Antonio-based Digital Defense who analyzed the code in his spare time.

Parker found that the Sendmail backdoor was controlled by a simple trio of one-letter commands: 'A' to kill the exploit, 'D' to execute a command, and 'M' to put the Trojan to sleep. The same syntax, possibly an insider's nod to the hacker group ADM, was used in the OpenSSH backdoor, according to an analysis by the OpenSSH development team at the time.

The analyst thinks the same hacker pulled both stunts, but admits that the similarities in code don't prove it. "It could have been a copycat," Parker says, "or somebody could have ripped that code off because they didn't know how to code it themselves."

Files Erased

Parker says he came by the Trojan horse the old fashioned way -- he was one of the estimated 200 people to unknowingly download the backdoor from the Sendmail FTP server before it was discovered, though he didn't compile the package. When the CERT advisory came out he and co-worker Forrest Rae ripped into the code and examined the malicious add-on.

In addition to the "ADM" commands, Parker pulled out the Internet address that was programmed into the backdoor as the control host, and contacted the owner, Denver-based network engineer Eli Klein. He was surprised to learn that Klein, apparently himself a victim of the hackers, hadn't already heard from the Sendmail Consortium or CERT.

"I thought that was irresponsible of them, because his box is still out there," says Parker. "It seems like it would be more responsible for them to let him know so he could shut down the box."

Klein says the machine, appropriately named "aclue.com," is a FreeBSD box in his basement used by himself, his wife, and half-a-dozen friends with guest accounts. When Parker contacted him, Klein was skeptical that the computer had been hacked, but began blocking port 6667 in his Internet router as a precaution.

It turns out that wasn't good enough. Wednesday evening found Klein scrambling to recover gigabytes of files -- everything from intrusion detection logs to years of personal financial records -- that he says the intruder deleted in an apparent effort to cover his or her tracks.

"Whoever it was that hacked Sendmail probably did have my box owned at some point, and decided to clean up," says Klein. "All of my files were on this PC. I lost everything from the last seven or eight years."

Parker says Klein should have taken his machine offline the moment he learned of its alleged role in the hack, but he also faults CERT and the Sendmail Consortium for not warning Klein before issuing an advisory.

In an interview, Marty Lindner, CERT's team leader for incident handling, said he doesn't remember the identify of the control host, and referred further inquiries to the Sendmail Consortium. Sources involved with the advisory say miscommunication between the Sendmail Consortium and CERT is to blame for Klein being left out of the loop -- each thought the other would notify Klein before the alert was issued.

"That's basically correct," confirms Eric Allman, a member of the Sendmail Consortium and chief technology officer of Sendmail Inc. "Mistakes were made, let's put it that way... I want to apologize to him for the way this happened to him. It wasn't supposed to happen that way."

Because the files on Klein's machine were merely deleted, rather than being thoroughly wiped from the hard drive, the prospect of eventually recovering them -- and retrieving some clues from aclue.com -- are good.

Allman says details of the hack's execution are still scarce, but it appears that the hacker managed to modify the FTP program that serves up the files, so that one out of every ten downloads would receive the backdoor without the original package ever being touched. It's a decidedly unusual technique. "I haven't had a chance to do a forensic analysis on it, but my first take was that it was pretty sophisticated," says Allman. "He did a pretty remarkable job of covering his tracks, and the attack was fairly subtle."

© 2002 SecurityFocus.com, all rights reserved.

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.