The author of Snort, an open-source Intrusion Detection System (IDS), Martin Roesch, has dismissed as untrue claims the software was 'trojaned' by attackers.
Roesch, who is also the chief technology officer of US-based IDS company Sourcefire, moved quickly to quell rumours in the security community that a hacking group had managed to insert back-door code into the Snort source-code repository.
"There is no back door in Snort nor has there ever been, everyone can relax," Roesch wrote in a posting to the full disclosure security mailing list.
Attackers had breached one of Roesch's systems, he admits, but that was a low-security shell server -- used by members of the Snort team and their associates to access services such as IRC without exposing their own machines to risk -- located in his basement, 37km away from the Snort code repository.
"If you're wondering 'how do you know the code isn't backdoored?', since we know that that server is an 'at risk' server, we're not in the habit of checking code into [the Snort code repository] from there. If that's not good enough for you, Snort has been through three code audits since March -- one Sourcefire internal, two third-party external -- and there are most definitively no back doors in the code, nor were there any," Roesch added.
Trojans have been found in several open-source projects over the last year, including those found in Sendmail and OpenSSH. Malicious code was also found in the libpcap and tcpdump libraries -- software which is required by the Snort IDS to operate.
Australian security consultant Daniel Lewkovitz says that the mere fact that a rumour like this could turn out to be true, even though it looks unlikely in this case, means the issue at least warrants discussion. "A lot of threats haven't changed that much, but what has changed is normal people's awareness and attitudes to it. I think anything that makes people more aware of relevant issues and relevant threats a good thing," he told ZDNet Australia.
There's nothing necessarily wrong with listening to a rumour so you can check it out for yourself, Lewkovitz says, as long as the source of the rumour is at least somewhat credible. "If there was a threat I'd want to know about it," he said. "If it came from a reliable source I'd be much more likely to give it credence than the paranoid rants of tin-foil-hat-wearing conspiracy theorists."
Talkback
The claim that the buffer overflow bug in OpenSHH was a "Trojan" inserted to allow control of remote machines seems a little far-fetched to me.
"Trojans have been found in several open-source projects over the last year, including those found in Sendmail and OpenSSH."
Get your facts straight, please- you're spreading incorrect information. *Vulnerabilities* were found in Sendmail, OpenSSH, and other open-source projects- *not* Trojans. The difference is huge, and the article portrays open-source projects in a bad light because of this misinformation. (Though, one would think that was its intention anyway- the author appears to go to some effort to 'accidentally' get the facts wrong more than once- I've never heard of Trojans in libpcap/tcpdump either.)
OpenSSH *WAS* trojaned in 2002.
The vulnerabilities are of more recent vintage, and have nothing to do with the trojan issue.
Here's a reference to the 'trojaning' of OpenSSH:
http://www.theregister.co.uk/2002/08/01/openssh_trojaned/