It became a daily action for most of us: We are looking for a piece of software which could improve our tasks. Google provides us thousands of links, we select the most attractive, download it and install it (there is no restriction in the users not the operating systems). That’s the power of the Internet. But… this could have major consequences on your security and your users!
A recent story affected the well-known IRC server UnrealIRCd. Since November 2009, fake packages were released with a backdoor added in the original source code (the affected version is 22.214.171.124). This post is certainly not a complain against the UnrealIRCd crew. They did a good job: they communicated and tried to be transparent. Just a reminder: communication is a critical step in your incident management procedure. It seems that the only mistake done by the developers was to stop signing the archives “because they didn’t think if was worth the trouble given how few people were verifying the signatures” (comment from Fyodor on the Nmap Development mailing list). It has already been announced on the website: UnrealIRCd archives will be again signed by PGP/GPG!
Let’s hope this bad story will be a good lesson for everybody: Never trust the content of files downloaded from the Internet!
- Download software or source code only from the original web site or an official mirror (listed on the original site).
- Compute MD5 or SHA1 hashes of all files downloaded from the Internet and always compare them with the ones provided by the developers/maintainers.
- If you download software from a suspicious source, test it in a virtual machine or in a sandbox.