RealTime IT News

OpenSSH Hit with Trojan; Mirrors Compromised

A day after warning of multiple vulnerabilities in the OpenSSL toolkit, the CERT Coordination Center (CERT/CC) issued an alert that some copies of the OpenSSH source code contain a Trojan horse.

The security outfit warned that an unknown intruder modified the files openssh-3.4p1.tar.gz, openssh-3.4.tgz and openssh-3.2.2p1.tar.gz to include malicious code, and that mirrors of the OpenSSH download may also be compromised. The main OpenBSD mirror was trojaned.

"We strongly encourage sites which employ, redistribute, or mirror the OpenSSH package to immediately verify the integrity of their distribution," CERT/CC said in the advisory.

Developers on security message boards say the malicious code does not appear sophisticated but could be used remotely to give intruders root access to machines.

"When building the OpenSSH binaries, the trojan resides in bf-test.c and causes code to execute which connects to a specified IP address. The destination port is normally used by the IRC protocol. A connection attempt is made once an hour. If the connection is successful, arbitrary commands may be executed," the group warned.

It is the second major security incident to hit OpenSSH in recent months. In June, serious flaws were found and fixed in versions 2.3.1p1 through 3.3 of the open-source tool, which is used as a secure replacement for Telnet, rlogin, rsh, and FTP.

The malicious files appear to have been placed on the FTP server that hosts ftp.openssh.com and ftp.openbsd.org on July 30 or 31, and remained there for almost two full days before the OpenSSH development team replaced the Trojan horse copies with the original, uncompromised versions. That was long enough for the tainted source code to propagate to sites that mirror the OpenSSH site, CERT warned.

"The Trojan horse versions of OpenSSH contain malicious code that is run when the software is compiled. This code connects to a fixed remote server on 6667/tcp. It can then open a shell running as the user who compiled OpenSSH," the Center said.

OpenSSH users are urged to obtain the software from the primary distribution site at OpenSSH.com and to verify the integrity of any copy before building it.
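The check CERT/CC asks for above, verifying a downloaded tarball against a digest recorded from the primary site before the build is ever run, looks like the following. This is an added illustration written for this page, not code from the article or from the OpenSSH project; the tarball contents, the file names and the injected comment are constructed stand-ins, and the "published" digest is simply computed from the pristine copy here.

```sh
#!/bin/sh
# Added example (not from the article or the OpenSSH project): verify a source
# tarball fetched from a mirror against a SHA-256 digest recorded from the
# primary distribution site, before running "make" on it.
set -e

# Print the SHA-256 hex digest of a file (coreutils sha256sum, or shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_tarball TARBALL EXPECTED_DIGEST
# Succeeds only when the digest matches; on mismatch the copy must not be built.
verify_tarball() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# --- Constructed demonstration data (stand-in for openssh-3.4p1.tar.gz) ---
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

mkdir -p "$work/src/openssh-demo"
printf 'int main(void) { return 0; }\n' > "$work/src/openssh-demo/bf-test.c"
( cd "$work/src" && tar czf ../primary.tar.gz openssh-demo )

# Digest "published" by the primary site (here computed from the pristine copy).
PRIMARY_DIGEST=$(sha256_of "$work/primary.tar.gz")

# A mirror copy whose bf-test.c has been altered, as the article describes;
# any change to the archive, however small, changes the digest.
mkdir -p "$work/mirror"
cp -r "$work/src/openssh-demo" "$work/mirror/"
printf '/* injected: connect to remote host on 6667/tcp */\n' >> "$work/mirror/openssh-demo/bf-test.c"
( cd "$work/mirror" && tar czf ../mirror.tar.gz openssh-demo )

GOOD_TARBALL="$work/primary.tar.gz"
BAD_TARBALL="$work/mirror.tar.gz"

if verify_tarball "$GOOD_TARBALL" "$PRIMARY_DIGEST"; then
    echo "primary copy: digest matches, safe to build"
fi
if ! verify_tarball "$BAD_TARBALL" "$PRIMARY_DIGEST"; then
    echo "mirror copy: digest MISMATCH, do not build"
fi
```

The digest is only as trustworthy as where it came from: a checksum file sitting next to the tarball on the same server proves nothing if that server is the one that was broken into, which is exactly what happened to the OpenSSH FTP host in this incident. A detached PGP signature checked against a project key obtained earlier, or a digest read from an advisory published through a separate channel, is the check to rely on; and because the trojan fires at compile time, the check has to happen before the build, not after.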