
Sendmail Trojan looks familiar

And hard to trace


The Trojan horse discovered in a distribution of the Sendmail open-source e-mail server has striking similarities to a backdoor planted in OpenSSH last summer, according to security experts who've analyzed the code. But missteps in the alerting process may have given the culprits a chance to cover their tracks.

The sophisticated backdoor came to light Tuesday through an advisory from the government-funded Computer Emergency Response Team (CERT) Coordination Center. CERT warned that copies of version 8.12.6 of Sendmail downloaded between September 28th and October 6th from the Sendmail Consortium's public FTP server contained the backdoor.

Once the package is downloaded, the victim unwittingly activates the backdoor by compiling Sendmail from source code. The malicious code then establishes a secret control channel to a particular Internet host over TCP port 6667, according to the CERT advisory.

That's the same general technique used by a backdoor discovered last August in another popular open-source package, OpenSSH, a free implementation of the SSH standard that lets users encrypt their communications over the Internet. That similarity is more than skin deep, according to Erik Parker, a senior security analyst at San Antonio-based Digital Defense who analyzed the code in his spare time.

Parker found that the Sendmail backdoor was controlled by a simple trio of one-letter commands: 'A' to kill the exploit, 'D' to execute a command, and 'M' to put the Trojan to sleep. The same syntax, possibly an insider's nod to the hacker group ADM, was used in the OpenSSH backdoor, according to an analysis by the OpenSSH development team at the time.

The analyst thinks the same hacker pulled both stunts, but admits that the similarities in code don't prove it. "It could have been a copycat," Parker says, "or somebody could have ripped that code off because they didn't know how to code it themselves."

Files Erased

Parker says he came by the Trojan horse the old-fashioned way -- he was one of the estimated 200 people to unknowingly download the backdoor from the Sendmail FTP server before it was discovered, though he didn't compile the package. When the CERT advisory came out he and co-worker Forrest Rae ripped into the code and examined the malicious add-on.

In addition to the "ADM" commands, Parker pulled out the Internet address that was programmed into the backdoor as the control host, and contacted the owner, Denver-based network engineer Eli Klein. He was surprised to learn that Klein, apparently himself a victim of the hackers, hadn't already heard from the Sendmail Consortium or CERT.

"I thought that was irresponsible of them, because his box is still out there," says Parker. "It seems like it would be more responsible for them to let him know so he could shut down the box."

Klein says the machine, appropriately named "aclue.com," is a FreeBSD box in his basement used by himself, his wife, and half-a-dozen friends with guest accounts. When Parker contacted him, Klein was skeptical that the computer had been hacked, but began blocking port 6667 in his Internet router as a precaution.

It turns out that wasn't good enough. Wednesday evening found Klein scrambling to recover gigabytes of files -- everything from intrusion detection logs to years of personal financial records -- that he says the intruder deleted in an apparent effort to cover his or her tracks.

"Whoever it was that hacked Sendmail probably did have my box owned at some point, and decided to clean up," says Klein. "All of my files were on this PC. I lost everything from the last seven or eight years."

Parker says Klein should have taken his machine offline the moment he learned of its alleged role in the hack, but he also faults CERT and the Sendmail Consortium for not warning Klein before issuing an advisory.

In an interview, Marty Lindner, CERT's team leader for incident handling, said he doesn't remember the identity of the control host, and referred further inquiries to the Sendmail Consortium. Sources involved with the advisory say miscommunication between the Sendmail Consortium and CERT is to blame for Klein being left out of the loop -- each thought the other would notify Klein before the alert was issued.

"That's basically correct," confirms Eric Allman, a member of the Sendmail Consortium and chief technology officer of Sendmail Inc. "Mistakes were made, let's put it that way... I want to apologize to him for the way this happened to him. It wasn't supposed to happen that way."

Because the files on Klein's machine were merely deleted, rather than being thoroughly wiped from the hard drive, the prospects of eventually recovering them -- and retrieving some clues from aclue.com -- are good.

Allman says details of the hack's execution are still scarce, but it appears that the hacker managed to modify the FTP program that serves up the files, so that one out of every ten downloads would receive the backdoor without the original package ever being touched. It's a decidedly unusual technique. "I haven't had a chance to do a forensic analysis on it, but my first take was that it was pretty sophisticated," says Allman. "He did a pretty remarkable job of covering his tracks, and the attack was fairly subtle."
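An added example, not part of the original article and not Sendmail or CERT tooling: because only some downloads were swapped, one clean-looking fetch proves little, so this sketch hashes repeated fetches of one file, compares them with a digest obtained out of band when one is available, and computes how often a sample would miss the swap. It assumes each download is altered independently at the one-in-ten rate described above; the byte strings and function names are constructed for illustration.

```python
import hashlib
from collections import Counter

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit_fetches(fetches, trusted_digest=None):
    """Compare repeated fetches (list of bytes) of the same file.

    trusted_digest is a SHA-256 hex string obtained out of band, or None.
    Returns digest counts, indices of suspect fetches and a verdict.
    """
    digests = [sha256_hex(f) for f in fetches]
    counts = Counter(digests)
    if trusted_digest is not None:
        # Strongest check: every copy must equal the independent reference.
        suspect = [i for i, d in enumerate(digests) if d != trusted_digest]
        verdict = "mismatch" if suspect else "ok"
    elif len(counts) > 1:
        # No reference: the server handed out different bytes for one path.
        # Treating the majority as genuine is only a working guess.
        majority = counts.most_common(1)[0][0]
        suspect = [i for i, d in enumerate(digests) if d != majority]
        verdict = "inconsistent"
    else:
        # Identical copies are not proof of integrity, only of consistency.
        suspect = []
        verdict = "consistent-unverified"
    return {"counts": dict(counts), "suspect": suspect, "verdict": verdict}

def miss_probability(rate: float, n: int) -> float:
    """Chance that n independent fetches are all clean when a fraction
    `rate` of downloads is swapped (independence is an assumption)."""
    return (1.0 - rate) ** n

# Constructed sample data: nine identical copies and one altered copy.
CLEAN = b"constructed stand-in for the genuine tarball\n"
ALTERED = CLEAN + b"constructed stand-in for an added build step\n"
SAMPLE_FETCHES = [CLEAN] * 9 + [ALTERED]

if __name__ == "__main__":
    print(audit_fetches(SAMPLE_FETCHES))                      # inconsistent
    print(audit_fetches([CLEAN] * 3))                         # consistent-unverified
    print(audit_fetches([ALTERED], sha256_hex(CLEAN)))        # mismatch
    print(round(miss_probability(0.1, 5), 3))
```

Under that assumption five fetches miss the altered copy more than half the time, which is why the comparison against an independently obtained digest is the check that matters.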

© 2002 SecurityFocus.com, all rights reserved.
