WyldRyde IRC Network » IRC News

Security Alert: UnrealIRCd 3.2.8.1 Download Contains A Trojan

Jeff Weisbein — Sat, 12 Jun 2010 20:10:08 +0000

Just a quick security alert for anyone running UnrealIRCd 3.2.8.1, I recieved an email this morning stating that for the past 8 months the UnrealIRCd download has been tainted. It has been tampered with and included a backdoor trojan which allows a person to execute ANY command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user restrictions (so even if you have passworded server or hub that doesn’t allow any users in). Below is the full email transcript.

Hi all,

This is very embarrassing…

We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been
replaced quite a while ago with a version with a backdoor (trojan) in it.
This backdoor allows a person to execute ANY command with the privileges of
the user running the ircd. The backdoor can be executed regardless of any user
restrictions (so even if you have passworded server or hub that doesn’t allow
any users in).

It appears the replacement of the .tar.gz occurred in November 2009 (at least
on some mirrors). It seems nobody noticed it until now.

Obviously, this is a very serious issue, and we’re taking precautions so this
will never happen again, and if it somehow does that it will be noticed quickly.
We will also re-implement PGP/GPG signing of releases. Even though in practice
(very) few people verify files, it will still be useful for those people who do.

Safe versions
==============

The Windows (SSL and non-ssl) versions are NOT affected.

CVS is also not affected.

3.2.8 and any earlier versions are not affected.

Any Unreal3.2.8.1.tar.gz downloaded BEFORE October 11 2009 should be safe, but
you should really double-check, see next.

How to check if you’re running the backdoored version
======================================================
Two ways:

One is to check if the Unreal3.2.8.1.tar.gz you have is good or bad by running
‘md5sum Unreal3.2.8.1.tar.gz’ on it.
Backdoored version (BAD) is: 752e46f2d873c1679fa99de3f52a274d
Official version (GOOD) is: 7b741e94e867c0a7370553fd01506c66

The other way is to run this command in your Unreal3.2 directory:
grep DEBUG3_DOLOG_SYSTEM include/struct.h
If it outputs two lines, then you’re running the backdoored/trojanized version.
If it outputs nothing, then you’re safe and there’s nothing to do.

What to do if you’re running the backdoored version
====================================================
Obviously, you only need to do this if you checked you are indeed running the
backdoored version, as mentioned above. Otherwise there’s no point in
continuing, as the version on our website is (now back) the good one from
April 13 2009 and nothing ‘new’.

Solution:
* Re-download from http://www.unrealircd.com/
* Verify MD5 (or SHA1) checksums, see next section (!)
* Recompile and restart UnrealIRCd

The backdoor is in the core, it is not possible to ‘clean’ UnrealIRCd without
a restart or through a module.

How to verify that the release is the official version
=======================================================
You can check by running ‘md5sum Unreal3.2.8.1.tar.gz’, it should output:
7b741e94e867c0a7370553fd01506c66 Unreal3.2.8.1.tar.gz

For reference, here are the md5sums for ALL proper files:
7b741e94e867c0a7370553fd01506c66 Unreal3.2.8.1.tar.gz
5a6941385cd04f19d9f4241e5c912d18 Unreal3.2.8.1.exe
a54eafa6861b6219f4f28451450cdbd3 Unreal3.2.8.1-SSL.exe

These are the EXACT same MD5sums as mentioned on April 13 2009 in the initial
3.2.8.1 announcement to the unreal-notify and unreal-users mailing list.

Finally
========
Again, I would like to apologize about this security breach.
We simply did not notice, but should have.
We did not check the files on all mirrors regularly, but should have.
We did not sign releases through PGP/GPG, but should have done so.

This advisory (and updates to it, if any) is posted to:

http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt

Hope you’ll all continue to support UnrealIRCd.

- –
Bram Matthys
Software developer/IT consultant syzop@vulnscan.org

Ustream redesign changed ustream chat behavior

usrbingeek — Thu, 23 Apr 2009 00:44:59 +0000

If you had your Ustream channel page redirected to WyldRyde you were probably surprised to find out this evening that your Ustream flash chat no longer goes to WyldRyde but to Ustream’s own chat server instead.
Ustream launched a redesign minutes ago and reset all the chat rooms back to their own chat server. Apparently, Ustream says they’re no longer preforming any chat switches. However, you can keep using WyldRyde if you disable the Ustream chat room and embed the WyldRyde flash chat in your About section (Describe your show).
Please see this page for the full instructions and compatible WyldRyde flash chat code.

Chat with Santa Claus!

usrbingeek — Sun, 07 Dec 2008 17:09:56 +0000

LIVE from the North Pole, Santa Claus is streaming video and chatting on WyldRyde everyday from 6pm-12am EST/3pm-9pm PST until December 24th!
Bring the kids and join the fun at http://www.wyldryde.org/channels/santa/!
Brought to you by TheSquirrelCam.com, Ustream.TV and WyldRyde IRC Network!

Urgent security update released for Quassel

usrbingeek — Wed, 19 Nov 2008 01:57:44 +0000

An error in CTCP handling has been discovered in the Quassel IRC client that allows attackers to send IRC messages as you.
All Quassel users are encouraged to update their client immediately.

Well, looks like 0.3.0.2 was not the last 0.3.0 release after all. coekie found an issue with CTCP handling in Quassel Core that allows attackers to send arbitrary IRC messages on your behalf. This issue is present in all versions prior to 0.3.0.3 and Git older than October 26th (rev. d7a0381).
This has been fixed in the quassel-0.3.0.3 release and also in Git and the nightly builds. Gentoo and *buntu already ship the new version, with more distributions hopefully following ASAP. If you still use a 0.2-rc1 core, please consider updating to 0.3.x as soon as possible. Note that we provide unstable, but fixed packages for Debian now, thanks to dileX.
Note that this affects (only) the core, so you’ll need to update and restart your core. Clients are not affected. Also, this exploit can not be used to affect anything on your system, including your local account, as it is purely IRC related.

[Quassel Urgent: Security Upgrade!]

KVIrc 3.4.2 released

usrbingeek — Tue, 18 Nov 2008 02:52:18 +0000

Version 3.4.2 of KVIrc was released and contains mostly bug fixes, reports the KVIrc web site.
However, all KVIrc users are encouraged to upgrade as this update comes after published reports of a vulnerability that affected earlier versions.

As already said for the previous RC1, this is primarily a bugfix release. Our Development Team fixed a huge amount of noisy and glitching bugs, reaching a very high code maturity.
As its father, this release actually contains a preliminary Qt4 support
and if you feel brave you might test it by passing the “hidden” –enable-qt
switch at configure stage.

[KVIrc 3.4.2, Windows binary]

Ontario man sentenced for distributing child pornography

usrbingeek — Wed, 12 Nov 2008 03:13:40 +0000

Tarig Bur, 33, Gravenhurst, Ontario, Canada has been sentenced to serve four months in prison and three years’ probation after pleading guilty to distributing child pornography.
The Huntsville Forester reports, that he was targeted for investigation after an undercover detective witnessed him try to lure young children on an internet relay chat room.

Provincial crown attorney Christine McGoey rehashed the incidents leading up to Bur’s April 7 arrest. An undercover detective conducting an online investigation targeting adults who visit child porn sites and try to lure young children posed as a 13-year-old girl on an internet relay chat that Bur frequently visited. Because Bur’s activity was being monitored, the detective initiated a private chat session with Bur, who then “initiated sexual conversation almost immediately with the girl.”

It’s too bad he only got 4 months! What do you think?
[Undercover officer nabs man for child pornography]

Free Snak registration today

usrbingeek — Wed, 05 Nov 2008 17:31:33 +0000

Today only, you may request a free license of the Snak IRC client for the Mac.

To celebrate this event there is no license fee for registering Snak today November 5 2008. Email Obama2008@snak.com to request your license. This offer is open to anyone, even those who did not vote for Mr. Obama, and those who were not able to on account of being outside the U.S.A.
To quote Mr. Obama – We can disagree without being disagreeable.

[Snak IRC for Mac]

Server upgrades being performed

usrbingeek — Wed, 10 Sep 2008 16:38:17 +0000

We’re upgrading and replacing a few of our servers today. During this process, which is expected to take several hours, there will be some disconnections and temporary outages.
Please note: rubicon.wyldryde.org has moved to Toronto, Ontario, Canada so you may want to adjust which server you connect to.
UPDATE:

Sep 10, 2008 10:53PM EDT: We’re aware that the WyldRyde Flash Chats are still not loading and are working on a fix. Restoring them is a very high priority.
Sep 11, 2008 12:00PM EDT: The flash chats have been restored and are now loading and connecting to the network properly. We’re very sorry for the downtime.

Please accept our apologizes for this inconvenience.

wmIRC brings IRC to Windows Mobile

usrbingeek — Tue, 02 Sep 2008 16:49:12 +0000

I don’t personally understand why anyone would still want to use a Windows Mobile phone now that the iPhone 3G is on the streets but I was asked to find a decent IRC client for the platform.
wmIRC seems to fit the bill. While it only has the minimum set of functions it is fast and easier to use than other Windows Mobile IRC clients and also works on Smartphone and Pocket PC devices.

Features:

Intuitive and straightforward user interface.
Multiple channels support, tabbed navigation.
Color and font codes support.
Real VGA mode, square screens and screen rotation support.
Messages highlighting.
Secure communications. TLS and SSL support.
Vibro, Sound and Balloon Tips notifications of new messages.
Display users list in channels.
Private chats, /query nickname.
Most of text commands are duplicated through a menu.
Macroses list support, copy/paste.
Context menus most everywhere – channels text, tabs, etc…
Multiple servers support.
Remebers last 10 phrases and provides quick access to them through a menu bar.
Built in traffic counter.
Built in Ident server.
Native, fast, compact and efficient code(ARMv4).
Multiple character sets translation and Unicode(UTF-8) servers support.

[wmIRC]

Music piracy leader with ties to IRC pleads guilty

usrbingeek — Mon, 25 Aug 2008 23:38:30 +0000

A 21 year old from Orlando, Florida has pleaded guilty to distributing music, software and gaming software in violation of the criminal copyright infringement laws.
“We can find you, we will find you, and we will prosecute you,” says United States Attorney Paul McNulty.

Paul J. McNulty, United States Attorney for the Eastern District of Virginia, and John G. Malcolm, Deputy Assistant Attorney General for the Criminal Division, United States Department of Justice, announced that Mark Shumaker, 21, of Orlando, Florida, pleaded guilty today before the Honorable Gerald Bruce Lee, United States District Judge, to distributing music, software and gaming software in violation of the criminal copyright infringement laws.
Shumaker is a former leader of the Internet music piracy group known as Apocalypse Crew. He is scheduled to be sentenced by Judge Lee on November 7, 2003, at which time he faces a maximum sentence of five years incarceration and a fine of $250,000.
Apocalypse Crew is an Internet music piracy group specializing in the distribution of advance copies of digital music before its commercial release in the United States. Apocalypse Crew recruited music industry insiders, such as radio DJs and employees of music magazine publishers, in order to obtain pre-release copies of compact disks.
Once released to the Internet, these advance copies would filter down to public distribution channels, such as the peer-to-peer (P2P) file sharing networks of KaZaa and Morpheus. In 2001, as a leading member of Apocalypse Crew, Shumaker coordinated the supply and unauthorized distribution of the group’s music releases. He also operated the group’s private, invite-only Internet Relay Chat (IRC) channel where members secretly discussed their illegal activities. According to United States Attorney Paul McNulty, “This plea shows that those who steal copyrighted music from artists and believe they are doing so anonymously on the Internet are sadly mistaken. We can find you, we will find you, and we will prosecute you.” Shumaker is one of more than 22 defendants who have been convicted to date on charges of felony copyright infringement as a result of Operation Buccaneer, a worldwide investigation run by the Bureau of Immigration and Customs Enforcement and the Department of Justice’s Computer Crime and Intellectual Property Section (CCIPS).
Eighteen of those defendants have been prosecuted by the Eastern District of Virginia’s Cybercrime Unit, in partnership with CCIPS. Additionally, last March, a federal grand jury in the Eastern District of Virginia indicted Hew Raymond Griffiths of Bateau Bay, Australia, the self-proclaimed leader of various Internet software piracy groups, including Drink Or Die, ViCE, and RiSC.
A formal extradition request has been filed with Australian authorities. If Griffiths is extradited and convicted on all charges, he would face up to 10 years imprisonment and a $500,000 fine. “The conviction of Mark Shumaker is another example of the Department of Justice’s aggressive attack against high-level Internet piracy groups that initiate the illegal distribution of copyrighted works over the Internet,” said Deputy Assistant Attorney General John G. Malcolm. “Music piracy, no less than software or movie piracy, is a crime and its victims are real; musicians deserve to be paid for their creativity and work.”
“Intellectual Property Rights is a top priority for ICE. This extensive investigation was the direct result of the collaboration between the ICE’s Washington Field Office and Cyber Smuggling Center, DOJ Computer Crime and Intellectual Property Section, and Eastern District of Virginia’s Cybercrime Unit, said Kevin Delli-Colli, ICE Interim Special Agent In Charge. We will continue our joint efforts to locate, arrest and prosecute anyone in violation of these crimes.” Assistant United States Attorney Scott J. Stein and Senior Counsel Michael DuBose, CCIPS, are prosecuting the case for the United States.