Unreal Backdoored IRC Server

During the weekend, the maintainers of the Unreal IRCd server source discovered a backdoor in the publicly available kit on their mirrors. The full announcement can be found on their website, but here’s an important quote which grabbed my attention:

“It appears the replacement of the .tar.gz occurred in November 2009 (at least on some mirrors). It seems nobody noticed it until now.”

In practice, this means the trojanized software was available for download for about 8 months before it was discovered.

Despite the fact that the official sources have been cleaned, I did a quick search and was able to find the trojanized version in a matter of minutes.

It is relatively easy to spot the bad version because it has the following MD5:

752e46f2d873c1679fa99de3f52a274d Unreal3.2.8.1.tar.gz
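A hash check like the one above is the cheapest supply-chain control a downloader has, so here is a small verifier written for this post as an added example (it is not code from the original article or from the UnrealIRCd project). It flags an archive whose MD5 matches the known-bad digest quoted above, and only calls an archive "verified" when both its MD5 and SHA-256 match digests published by the project; the two `EXPECTED_*` values are placeholders, since the page does not give the clean hashes.

```python
import hashlib
import sys

# Known-bad MD5 of the trojanized Unreal3.2.8.1.tar.gz, as quoted on this page.
KNOWN_BAD_MD5 = {
    "752e46f2d873c1679fa99de3f52a274d",
}

# Expected digests of a clean kit. These are PLACEHOLDERS (assumed, not from the
# page): take the real values from the project's own signed announcement.
EXPECTED_MD5 = {"<clean-md5-from-project-announcement>"}
EXPECTED_SHA256 = {"<clean-sha256-from-project-announcement>"}


def digests(data: bytes) -> tuple[str, str]:
    """Return the (md5, sha256) hex digests of the given bytes."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def classify(
    data: bytes,
    known_bad_md5=KNOWN_BAD_MD5,
    expected_md5=EXPECTED_MD5,
    expected_sha256=EXPECTED_SHA256,
) -> str:
    """Classify a downloaded archive as 'known-bad', 'verified' or 'unknown'.

    A deny-list hit wins regardless of the allow-list. 'verified' requires both
    digests to match, so a lone MD5 match (a weak, collision-prone hash) is not
    enough. Anything else is 'unknown' and must not be installed as-is.
    """
    md5, sha256 = digests(data)
    if md5 in known_bad_md5:
        return "known-bad"
    if md5 in expected_md5 and sha256 in expected_sha256:
        return "verified"
    return "unknown"


def check_file(path: str) -> str:
    """Read a file from disk and classify it."""
    with open(path, "rb") as f:
        return classify(f.read())


if __name__ == "__main__":
    # Usage: python verify_kit.py Unreal3.2.8.1.tar.gz [more files...]
    # Exit status is non-zero unless every archive is 'verified'.
    all_ok = True
    for path in sys.argv[1:]:
        verdict = check_file(path)
        print(f"{verdict:10} {path}")
        all_ok = all_ok and verdict == "verified"
    sys.exit(0 if all_ok else 1)
```

Treat "unknown" as a failure, not as "probably fine": a trojanized mirror copy will not match the deny-list once the attacker rebuilds the tarball, so the only positive signal is a match against digests obtained from a channel the mirror does not control.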

So, how does the backdoor work? Here’s a snippet of the code in question:

Trojanized Unreal IRC server code

As you can see, it only took two lines of code to do it, plus another two which define the condition when the code is inserted – that is, if DEBUGMODE3 is defined.

What happens here is that the module “s_bsd.c” contains a function called “read_packet”, which handles every packet of data sent to the server. If the “AB” command is detected (defined by DEBUGMODE3_INFO in this case), the remaining data in the buffer is passed directly to the operating system for execution via “system()”. Pretty simple and straightforward.

So, what is the moral of this story? First of all, with current applications, which have hundreds of thousands of lines, it is very easy to miss something as small as two lines of malicious code. This isn’t the first time it happened and I’m sure this is not the only trojanized open source application out there.

The real scary part is that it took 8 months to find it. How long will it take to find the next one?
