Open Source 2009-11-10 · 214 days · Backdoor, Remote Code Execution

UnrealIRCd tarball enabled remote execution

The official UnrealIRCd 3.2.8.1 source distribution was replaced on project mirrors around November 10, 2009 and remained exposed until June 12, 2010.

Story

Around November 10, 2009, UnrealIRCd 3.2.8.1 source mirrors were replaced with a tarball containing a backdoor. The substitution was not discovered until June 12, 2010, leaving a seven-month window in which users who built the IRC server from project mirrors could deploy attacker-modified source. The project forum notice said official Windows binaries, CVS, 3.2.8, and earlier releases were not affected.

The delivery vector was the source distribution served from project mirrors. The substituted archive built a daemon that behaved normally until it received the trigger input, so detection depended on comparing the source against a known-good copy, on release signatures, or on runtime knowledge of the magic input.

The source change was disguised as DEBUGMODE3 logic. When input began with AB, DEBUGMODE3_INFO matched and DEBUG3_LOG ultimately called system(), executing the rest of the client-supplied command as the user running the daemon. The project told users to grep include/struct.h for DEBUG3_DOLOG_SYSTEM; two matching lines meant the running tree was trojanized.

The response was a lesson in distribution hygiene. The project restored the good April 2009 archive, published MD5s for good and bad files, told affected administrators to re-download, verify, recompile, and restart, and said it would re-implement PGP/GPG signing. The Register captured the blunt public takeaway: source mirrors can become the attack if releases are not routinely checked and signed.
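The two checks the project gave administrators, the published MD5 sums and the grep of include/struct.h for DEBUG3_DOLOG_SYSTEM, combined into one verification routine. This is an added example, not code from the UnrealIRCd project; the archive it inspects is constructed in memory for the test, so its checksum matches neither published sum and only the marker check fires.

```python
import hashlib
import io
import tarfile

# Checksums the project forum notice published for Unreal3.2.8.1.tar.gz (both from this page).
BAD_MD5 = "752e46f2d873c1679fa99de3f52a274d"
CLEAN_MD5 = "7b741e94e867c0a7370553fd01506c66"
MARKER = "DEBUG3_DOLOG_SYSTEM"


def classify_by_md5(tarball: bytes) -> str:
    """Compare the archive's MD5 with the published clean and trojanized sums."""
    digest = hashlib.md5(tarball).hexdigest()
    return {BAD_MD5: "trojanized", CLEAN_MD5: "clean"}.get(digest, "unknown")


def count_marker_lines(struct_h: str) -> int:
    """Count lines of include/struct.h naming the backdoor macro; two means the tree is trojanized."""
    return sum(1 for line in struct_h.splitlines() if MARKER in line)


def inspect_tarball(tarball: bytes) -> dict:
    """Run both checks on a source archive and combine them into one verdict."""
    result = {"md5": classify_by_md5(tarball), "marker_lines": None}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith("include/struct.h"):
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                result["marker_lines"] = count_marker_lines(text)
    if result["md5"] == "trojanized" or (result["marker_lines"] or 0) >= 2:
        result["verdict"] = "trojanized"
    elif result["md5"] == "clean":
        result["verdict"] = "clean"
    else:
        # Unknown checksum and no marker: diff the tree against a trusted copy before building.
        result["verdict"] = "unverified"
    return result


def make_sample_tarball(struct_h: str) -> bytes:
    """Build a constructed Unreal3.2.8.1-style archive in memory to exercise the checks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = struct_h.encode()
        info = tarfile.TarInfo("Unreal3.2.8.1/include/struct.h")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed header fragments: the trojanized tree carries two DEBUG3_DOLOG_SYSTEM lines.
CLEAN_STRUCT_H = "/* constructed fragment standing in for a clean include/struct.h */\n"
TROJAN_STRUCT_H = CLEAN_STRUCT_H + "#define DEBUG3_DOLOG_SYSTEM 1\n#ifdef DEBUG3_DOLOG_SYSTEM\n"

if __name__ == "__main__":
    print(inspect_tarball(make_sample_tarball(TROJAN_STRUCT_H)))
```

On a real download, pass the file's bytes to inspect_tarball; a "trojanized" verdict means re-download from a trusted source, verify, recompile and restart, as the project advised.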

Affected Artifacts

unrealircd

· unrealircd.org · Source Archive
Observed
2009-11-10 to 2010-06-12
Compromised Versions
Fixed
Not listed
Hashes
  • md5:752e46f2d873c1679fa99de3f52a274d
  • The project forum notice lists md5:7b741e94e867c0a7370553fd01506c66 as the checksum of the clean Unreal3.2.8.1.tar.gz; clean checksums are recorded here as notes rather than as artifact hashes.
  • Official precompiled Windows binaries, CVS, 3.2.8, and earlier versions were reported unaffected by the project.

Incident Context

Motive
Unauthorized Access Control
Attribution
Person
Cause
Compromised Infrastructure
Transitive
No
Actor
Individual Hacker

External References

Source record: oss/attacks/unrealircd/meta.yaml