Sendmail Trojan looks familiar
And hard to trace
The Trojan horse discovered in a distribution of the Sendmail open-source e-mail server has striking similarities to a backdoor planted in OpenSSH last summer, according to security experts who've analyzed the code. But missteps in the alerting process may have given the culprits a chance to cover their tracks.
The sophisticated backdoor came to light Tuesday through an advisory from the government-funded Computer Emergency Response Team (CERT) Coordination Center. CERT warned that copies of version 8.12.6 of Sendmail downloaded between September 28th and October 6th from the Sendmail Consortium's public FTP server contained the backdoor.
Once downloaded, the victim unwittingly activates the backdoor by compiling Sendmail from source code. The malicious code then establishes a secret control channel to a particular Internet host over TCP port 6667, according to the CERT advisory.
That's the same general technique used by a backdoor discovered last August in another popular open-source package, OpenSSH, a free implementation of the SSH standard that lets users encrypt their communications over the Internet. That similarity is more than skin deep, according to Erik Parker, a senior security analyst at San Antonio-based Digital Defense who analyzed the code in his spare time.
Parker found that the Sendmail backdoor was controlled by a simple trio of one-letter commands: 'A' to kill the exploit, 'D' to execute a command, and 'M' to put the Trojan to sleep. The same syntax, possibly an insider's nod to the hacker group ADM, was used in the OpenSSH backdoor, according to an analysis by the OpenSSH development team at the time.
The analyst thinks the same hacker pulled both stunts, but admits that the similarities in code don't prove it. "It could have been a copycat," Parker says, "or somebody could have ripped that code off because they didn't know how to code it themselves."
Parker says he came by the Trojan horse the old fashioned way -- he was one of the estimated 200 people to unknowingly download the backdoor from the Sendmail FTP server before it was discovered, though he didn't compile the package. When the CERT advisory came out he and co-worker Forrest Rae ripped into the code and examined the malicious add-on.
In addition to the "ADM" commands, Parker pulled out the Internet address that was programmed into the backdoor as the control host, and contacted the owner, Denver-based network engineer Eli Klein. He was surprised to learn that Klein, apparently himself a victim of the hackers, hadn't already heard from the Sendmail Consortium or CERT.
"I thought that was irresponsible of them, because his box is still out there," says Parker. "It seems like it would be more responsible for them to let him know so he could shut down the box."
Klein says the machine, appropriately named "aclue.com," is a FreeBSD box in his basement used by himself, his wife, and half-a-dozen friends with guest accounts. When Parker contacted him, Klein was skeptical that the computer had been hacked, but began blocking port 6667 in his Internet router as a precaution.
It turns out that wasn't good enough. Wednesday evening found Klein scrambling to recover gigabytes of files -- everything from intrusion detection logs to years of personal financial records -- that he says the intruder deleted in an apparent effort to cover his or her tracks.
"Whoever it was that hacked Sendmail probably did have my box owned at some point, and decided to clean up," says Klein. "All of my files were on this PC. I lost everything from the last seven or eight years."
Parker says Klein should have taken his machine offline the moment he learned of its alleged role in the hack, but he also faults CERT and the Sendmail Consortium for not warning Klein before issuing an advisory.
In an interview, Marty Lindner, CERT's team leader for incident handling, said he doesn't remember the identify of the control host, and referred further inquiries to the Sendmail Consortium. Sources involved with the advisory say miscommunication between the Sendmail Consortium and CERT is to blame for Klein being left out of the loop -- each thought the other would notify Klein before the alert was issued.
"That's basically correct," confirms Eric Allman, a member of the Sendmail Consortium and chief technology officer of Sendmail Inc. "Mistakes were made, let's put it that way... I want to apologize to him for the way this happened to him. It wasn't supposed to happen that way."
Because the files on Klein's machine were merely deleted, rather than being thoroughly wiped from the hard drive, the prospect of eventually recovering them -- and retrieving some clues from aclue.com -- are good.
Allman says details of the hack's execution are still scarce, but it appears that the hacker managed to modify the FTP program that serves up the files, so that one out of every ten downloads would receive the backdoor without the original package ever being touched. It's a decidedly unusual technique. "I haven't had a chance to do a forensic analysis on it, but my first take was that it was pretty sophisticated," says Allman. "He did a pretty remarkable job of covering his tracks, and the attack was fairly subtle."
© 2002 SecurityFocus.com, all rights reserved.
Sponsored: Customer Identity and Access Management